On Feb 3, 2011, at 2:20 PM, Don Krause wrote:
>
> On Feb 3, 2011, at 1:39 PM, Troy Dawson wrote:
>
>> Don Krause wrote:
>>> Ok, this is definitely a bug. Well 2 actually.
>>> But it doesn't appear in the publicly accessible bugzilla at RH.
>>> Package ypbind actually depends on policycoreutils-python.
>>
>> This is a problem for both SL and RedHat. I just checked the dependencies.
>>
>>> A fresh install of SL6 Beta1, using "Software Development Workstation", and selecting NIS under "Use Network Login", fails
>>> to install policycoreutils-python, which contains "sesetbool". "sesetbool" is called by /etc/init.d/ypbind to allow ypbind access.
>>> Installing as "Basic Server" at least includes policycoreutils-python.
>>> Unfortunately, bug number 2, is that "sesetbool allow_ypbind=1" doesn't work, since the default selinux policy doesn't have
>>> "allow_ypbind"
>>
>> I'm trying to test this on a real RHEL6 system.
>> Aside from ypbind still not working, how can we tell "sesetbool allow_ypbind=1" doesn't work?
>>
>> Troy
>>
>
> On both test boxes I tried, one installed as "Software Development" and one installed as "Basic Server",
> I just tried to start ypbind via "service ypbind start". It would actually start ypbind, but it wouldn't connect to
> the ypmaster.
>
> In /var/log/audit/audit.log I'd get:
>
> type=USER_AVC msg=audit(1296764305.009:32965): user pid=2503 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.NetworkManager member=state dest=org.freedesktop.NetworkManager spid=3718 tpid=3449 scontext=unconfined_u:system_r:ypbind_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
>
> Then I'd run "sesetbool allow_ypbind=1" as it's found in /etc/init.d/ypbind, and attempt to restart ypbind.
> I got the same denial in audit.log
>
> I ran the denial through audit2allow, which gave me:
>
> module ypbind 1.0;
>
> require {
>         type unconfined_t;
>         type ypbind_t;
>         class dbus send_msg;
> }
>
> #============= ypbind_t ==============
> allow ypbind_t unconfined_t:dbus send_msg;
>
> Compile that to a module and install, then ypbind runs and connects as expected.
>
> As Stephan recommended, I did a "getsebool -a | grep yp" which returned "allow_ypbind --> on" (this is AFTER I did "sesetbool allow_ypbind=1"), but ypbind still wouldn't bind to the master.
>
> On a completely fresh installation, "getsebool -a | grep yp" returns "allow_ypbind --> off".
>
> Thanks for looking!

Now, because things aren't weird enough..

I've set up the PXE boot environment, copied the anaconda-ks from the test VM that was installed as "Software Development Workstation". You know, the same one where ypbind refused to work until I compiled a pp file and installed it?

Except, now ypbind binds as expected.

Even stranger, policycoreutils-python is NOT installed, so sesetbool as expected by /etc/init.d/ypbind doesn't exist, yet there's no selinux denial when installed this way.

Now I'm just confused....

Is it possible that this is a d-bus issue more than an selinux issue?

--
Don Krause
Head Systems Geek, Waver of Deceased Chickens.
Optivus Proton Therapy, Inc.
P.O. Box 608
Loma Linda, California 92354
909.799.8327 Tel
909.799.8366 Fax
[log in to unmask]
www.optivus.com
"This message represents the official view of the voices in my head."
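The thread's USER_AVC record and the audit2allow module it produced are a compact illustration of how an AVC denial maps onto a type-enforcement rule. The following Python is an added example, not code from the thread or from the audit2allow tool itself: it parses the denial line quoted above (rejoined onto one line), derives the same `allow ypbind_t unconfined_t:dbus send_msg;` rule, and flags rules whose target is an unconfined domain so a reviewer sees what the module grants before installing it. The second AVC line, the kernel-style `type=AVC` record for a file access, is constructed here to show the same parser collapsing several denials into one module; it did not appear in the thread.

```python
import re

# The USER_AVC line quoted in the thread above, rejoined onto one line.
YPBIND_DENIAL = (
    "type=USER_AVC msg=audit(1296764305.009:32965): user pid=2503 uid=81 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.NetworkManager member=state "
    "dest=org.freedesktop.NetworkManager spid=3718 tpid=3449 "
    "scontext=unconfined_u:system_r:ypbind_t:s0 "
    "tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus : "
    "exe=\"/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)

# Constructed kernel-style AVC record (not from the thread), used only to show
# that the parser also handles type=AVC lines and multi-permission denials.
CONSTRUCTED_FILE_DENIAL = (
    "type=AVC msg=audit(1296764400.000:32970): avc:  denied  { read write } for  "
    "pid=2510 comm=\"ypbind\" name=\"yp.conf\" dev=dm-0 ino=12345 "
    "scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file"
)

# Both USER_AVC (D-Bus/userspace object managers) and kernel AVC records carry the
# same "avc: denied { perms } ... scontext= tcontext= tclass=" payload.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)"
)


def context_type(ctx):
    """Return the type component of a context user:role:type[:level]."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Extract permissions, source/target types and object class from one audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not a denial (e.g. a SYSCALL record)
    return {
        "perms": sorted(m.group("perms").split()),
        "source_type": context_type(m.group("scontext")),
        "target_type": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_rules(lines):
    """Merge denials into {(source, target, class): set(perms)}, as audit2allow does."""
    rules = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source_type"], d["target_type"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    return rules


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def rules_to_te(rules, module_name, version="1.0"):
    """Render the rules as a .te policy module in audit2allow's layout."""
    types, classes = set(), {}
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes.setdefault(cls, set()).update(perms)
    out = ["module %s %s;" % (module_name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s %s;" % (c, _perm_list(classes[c])) for c in sorted(classes)]
    out.append("}")
    last_src = None
    for key in sorted(rules):
        src, tgt, cls = key
        if src != last_src:  # one banner per source domain, like audit2allow
            out += ["", "#============= %s ==============" % src]
            last_src = src
        out.append("allow %s %s:%s %s;" % (src, tgt, cls, _perm_list(rules[key])))
    return "\n".join(out)


def review_rules(rules):
    """Return rule keys that grant a confined domain access to an unconfined target."""
    return [key for key in sorted(rules) if key[1] == "unconfined_t"]


if __name__ == "__main__":
    rules = collect_rules([YPBIND_DENIAL, CONSTRUCTED_FILE_DENIAL])
    print(rules_to_te(rules, "ypbind"))
    for key in review_rules(rules):
        print("# review: %s -> %s (%s) targets an unconfined domain" % key)
```

Running the block on the thread's denial alone reproduces the module Don posted (`require { type unconfined_t; type ypbind_t; class dbus send_msg; }` and the single allow rule). The review step is the part worth keeping when a generated module is compiled with `checkmodule`/`semodule_package` and installed with `semodule -i`: in the quoted contexts the NetworkManager side is `unconfined_t`, so the rule is exactly as broad as the denial it silences, and a reviewer should decide whether that is what the installed policy should express.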