NIS trouble after update of targeted policy

Daniel J Walsh dwalsh at redhat.com
Mon Jun 20 15:55:43 UTC 2005


alex at milivojevic.org wrote:

>In continuation to my previous mail to this list (subject was
>"selinux-policy-targeted and logrotate", but was really more about upgrading
>from 1.17.30-2.88 to 1.17.30-3.6).
>
>After I upgraded to selinux-policy-targeted-1.17.30-3.6 (Daniel's rhel4u2 RPM),
>several applications controlled by targeted policy started complaining about
>something that looks like lookups to NIS maps were denied.  The testing box in
>question is in permissive mode, so there might be much more of those for boxes
>running in enforcing mode.
>
>The logs are in attachment.
>
>Jun 17 10:06:58 mybox kernel: audit(1119020818.412:0): avc:  denied  { search } for  pid=2542 comm=ntpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
>Jun 17 10:06:58 mybox kernel: audit(1119020818.415:0): avc:  denied  { read } for  pid=2542 comm=ntpd name=milivojevic.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:var_yp_t tclass=file
>Jun 17 10:06:58 mybox kernel: audit(1119020818.419:0): avc:  denied  { name_bind } for  pid=2542 comm=ntpd src=1022 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
>Jun 17 10:06:58 mybox kernel: audit(1119020818.422:0): avc:  denied  { name_bind } for  pid=2542 comm=ntpd src=1023 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
>Jun 17 10:06:59 mybox kernel: audit(1119020819.077:0): avc:  denied  { search } for  pid=2576 comm=postmaster name=nscd dev=dm-2 ino=464004 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
>Jun 17 10:07:07 mybox kernel: audit(1119020827.010:0): avc:  denied  { search } for  pid=2642 comm=httpd name=nscd dev=dm-2 ino=464004 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
>Jun 17 10:07:12 mybox kernel: audit(1119020832.905:0): avc:  denied  { search } for  pid=2827 comm=httpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
>Jun 17 10:07:12 mybox kernel: audit(1119020832.905:0): avc:  denied  { read } for  pid=2827 comm=httpd name=milivojevic.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_yp_t tclass=file
>Jun 17 10:07:12 mybox kernel: audit(1119020832.906:0): avc:  denied  { name_bind } for  pid=2827 comm=httpd src=883 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
>Jun 17 10:07:12 mybox kernel: audit(1119020832.906:0): avc:  denied  { name_bind } for  pid=2827 comm=httpd src=884 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
>Jun 17 10:07:12 mybox kernel: audit(1119020832.907:0): avc:  denied  { connect } for  pid=2827 comm=httpd lport=884 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
>Jun 17 10:07:13 mybox kernel: audit(1119020833.376:0): avc:  denied  { name_bind } for  pid=2891 comm=httpd src=953 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:rndc_port_t tclass=tcp_socket
>Jun 17 10:09:05 mybox kernel: audit(1119020945.663:0): avc:  denied  { search } for  pid=2887 comm=httpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Do you have allow_ypbind set?

setsebool -P allow_ypbind=1
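The denials quoted above all have the same shape regardless of the source domain (ntpd_t, postgresql_t, httpd_t): a search of the var_yp_t directory, a read of the ypbind binding file under it, a name_bind to a reserved_port_t port for the RPC call, or a search of nscd_var_run_t. That spread across unrelated domains is what points at a system-wide NIS client setting rather than a bug in any one domain's policy. The script below is an added example, not part of this thread or of the selinux-policy package: it reduces raw AVC lines to (source type, target type, class, permission) tuples, counts how many hit the NIS-client target types, lists the affected domains, and then asks getsebool for the allow_ypbind boolean. The audit lines embedded in it are constructed to resemble the poster's, not copied from them; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example for triaging the NIS-client AVC pattern discussed in the thread.
# Not from the original mail. The log sample below is constructed.

# Constructed sample in the RHEL4-era kernel audit format (not the poster's logs).
SAMPLE_AVC='Jun 17 10:06:58 box kernel: audit(1119020818.412:0): avc:  denied  { search } for  pid=100 comm=ntpd name=yp dev=dm-2 ino=1 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 17 10:06:58 box kernel: audit(1119020818.419:0): avc:  denied  { name_bind } for  pid=100 comm=ntpd src=1022 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 17 10:06:59 box kernel: audit(1119020819.077:0): avc:  denied  { search } for  pid=101 comm=postmaster name=nscd dev=dm-2 ino=2 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 17 10:07:12 box kernel: audit(1119020832.905:0): avc:  denied  { read } for  pid=102 comm=httpd name=example.org.2 dev=dm-2 ino=3 scontext=user_u:object_r:httpd_t tcontext=user_u:object_r:var_yp_t tclass=file
Jun 17 10:07:12 box kernel: audit(1119020832.906:0): avc:  denied  { name_bind } for  pid=102 comm=httpd src=883 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 17 10:07:13 box kernel: audit(1119020833.000:0): avc:  denied  { write } for  pid=103 comm=httpd name=index.html dev=dm-2 ino=4 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file'

# Target types a NIS client touches: the /var/yp binding directory and files,
# nscd's socket directory, and the reserved ports RPC binds to.
NIS_TARGETS='var_yp_t|nscd_var_run_t|reserved_port_t'

# Reduce AVC lines on stdin to "count source_type target_type tclass perms".
# Only the type field (third colon field) of each context is kept, so an
# MLS level suffix, if present, does not split otherwise identical keys.
summarize_avc() {
    awk '/avc: +denied/ {
        perm = ""; s = ""; t = ""; c = ""
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") s = kv[2]
            else if (kv[1] == "tcontext") t = kv[2]
            else if (kv[1] == "tclass") c = kv[2]
        }
        split(s, sp, ":"); split(t, tp, ":")
        count[sp[3] " " tp[3] " " c " " perm]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# Number of denials on stdin whose target type is one of the NIS-client types.
nis_denial_count() {
    grep -c -E "avc: +denied.*tcontext=[^ ]*:($NIS_TARGETS) " || true
}

# Distinct source domains that were denied access to NIS-client targets,
# space-separated and sorted. Several unrelated domains here means the
# problem is system-wide (a boolean), not one domain's policy.
nis_denied_domains() {
    grep -E "avc: +denied.*tcontext=[^ ]*:($NIS_TARGETS) " \
    | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p' \
    | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Dan's question, scripted: getsebool exists only on SELinux hosts, so report
# rather than fail elsewhere. Output form is "allow_ypbind --> on|off".
check_ypbind_boolean() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool allow_ypbind 2>/dev/null || echo "allow_ypbind: not defined in the loaded policy"
    else
        echo "getsebool not available; cannot query allow_ypbind"
    fi
}

echo "== denial summary =="
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
echo "== NIS-related denials: $(printf '%s\n' "$SAMPLE_AVC" | nis_denial_count) =="
echo "== domains affected: $(printf '%s\n' "$SAMPLE_AVC" | nis_denied_domains) =="
check_ypbind_boolean
```

On a real host, feed it the live log instead of the sample (grep avc /var/log/messages | summarize_avc, or ausearch -m avc if auditd is running). If the affected domains span ntpd_t, httpd_t and postgresql_t and getsebool reports allow_ypbind --> off, the persistent fix is the one given above, setsebool -P allow_ypbind=1; denials that remain afterwards are unrelated to NIS and need to be looked at individually.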

More information about the fedora-selinux-list mailing list