SCIENTIFIC-LINUX-USERS Archives

February 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Don Krause <[log in to unmask]>
Reply To: Don Krause <[log in to unmask]>
Date: Wed, 2 Feb 2011 10:30:48 -0800
Content-Type: multipart/signed
Parts/Attachments: text/plain (2564 bytes), smime.p7s (4 kB)

On Feb 1, 2011, at 9:32 PM, Stephan Wiesand wrote:

> On Feb 2, 2011, at 00:34 , Don Krause wrote:
> 
>> Is selinux on a default install of SL6 Beta 1 supposed to prevent ypbind from working?
> 
> Probably:
> 
> # getsebool -a |grep yp
> allow_ypbind --> off
> 
> Does "setsebool -P allow_ypbind on" make it work?
> 
> - Stephan

I'll reinstall another vm and try it. I believe it may not however, as the startup script tries to allow it and fails for some reason.

From /etc/init.d/ypbind:

selinux_on() {
    [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || return
    #echo $"Turning on allow_ypbind SELinux boolean"
    setsebool allow_ypbind=1
}

And:

start() {
  ...
  echo -n $"Starting NIS service: "
    selinux_on


And this doesn't work. But I'm also seeing other errors in init scripts, particularly autofs that I'm currently troubleshooting.

Thanks!
 
> 
> 
>> I'm getting this error in the audit.log
>> 
>> type=USER_AVC msg=audit(1296601650.114:34350): user pid=2262 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.NetworkManager member=state dest=org.freedesktop.NetworkManager spid=4805 tpid=3995 scontext=unconfined_u:system_r:ypbind_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
>> 
>> When run through audit2allow, umm... damn, not found.. Hmm... Yeah, policycoreutils is installed.. wtf?
>> 
>> <begin rant>
>> audit2allow was moved from policycoreutils to policycoreutils-python. Has it become a game at TUV to see how many separate packages can be built from one src.rpm?
>> <end rant>
>> 
>> Sorry, distracted for a moment..
>> 
>> Anyway, after installing pcu-python for audit2allow, I get:
>> 
>> module ypbind 1.0;
>> 
>> require {
>>       type unconfined_t;
>>       type ypbind_t;
>>       class dbus send_msg;
>> }
>> 
>> #============= ypbind_t ==============
>> allow ypbind_t unconfined_t:dbus send_msg;
>> 
>> 
>> which looks reasonable, but I'm not an selinux guru. 

--
Don Krause                                                                   
Head Systems Geek, 
Waver of Deceased Chickens.
Optivus Proton Therapy, Inc.
P.O. Box 608
Loma Linda, California 92354
909.799.8327 Tel
909.799.8366 Fax
[log in to unmask]
www.optivus.com
"This message represents the official view of the voices in my head."
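
Added example, not part of the original message and not audit2allow's own code: a Python illustration of how the USER_AVC record quoted above maps to the allow rule in the generated module, by pulling the source type, target type, class and permission out of the record. The names `parse_denial` and `render_module` are hypothetical; the sample input is the record from the message.

```python
import re
from collections import defaultdict

# The USER_AVC record quoted in the message, copied verbatim (wrapped for width).
SAMPLE = (
    "type=USER_AVC msg=audit(1296601650.114:34350): user pid=2262 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.NetworkManager member=state "
    "dest=org.freedesktop.NetworkManager spid=4805 tpid=3995 "
    "scontext=unconfined_u:system_r:ypbind_t:s0 "
    "tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tclass=dbus : exe=\"/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")

def parse_denial(line):
    """Return (source_type, target_type, class, perms) or None if not a denial."""
    perms = PERMS_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    if not perms or len(fields) != 3:
        return None
    # A context is user:role:type[:level]; allow rules use only the type.
    stype, ttype = (fields[k].split(":") for k in ("scontext", "tcontext"))
    if len(stype) < 3 or len(ttype) < 3:
        return None
    return stype[2], ttype[2], fields["tclass"], tuple(sorted(perms.group(1).split()))

def render_module(name, denials):
    """Merge denials per (source, target, class) and emit policy module text."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)].update(perms)
    fmt = lambda p: p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    types = sorted({t for s, t2, _ in rules for t in (s, t2)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(sorted(p))};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {fmt(sorted(perms))};")
    return "\n".join(out) + "\n"
```

Repeated denials for the same source, target and class collapse into one rule, so feeding a whole audit.log through `parse_denial` yields one line per distinct access to review before any module is loaded.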
