service ypbind restart, denied access requested by genhomedircon
Per Sjoholm
Per.t.Sjoholm at flysta.net
Tue Feb 24 19:55:28 UTC 2009
Daniel J Walsh wrote:
> Per Sjoholm wrote:
>
>> On CentOS 5.2
>> # ypcat -k auto.home
>> * asen20:/export/Server/homes/&
>>
>> yp seems to be working for clients. BUT
>>
>> Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661
>> to procedure ypproc_match (oasen,auto_home;-4)
>>
>> dox and asen20 are the same machine (asen20 is a service IP address)
>> cd /var/yp; make does not
>> yp]# make
>> gmake[1]: Entering directory `/var/yp/oasen'
>> Updating passwd.byname...
>> failed to send 'clear' to local ypserv: RPC: Timed outUpdating passwd.byuid
>> .....
>>
>> [root at dox yp]# service ypbind restart
>> Shutting down NIS services: [ OK ]
>> Turning off allow_ypbind SELinux boolean
>> Turning on allow_ypbind SELinux boolean
>> Binding to the NIS domain: [ OK ]
>> Listening for an NIS domain server..
>>
>> var log messages
>> Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was
>> changed to 0 by root
>> Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was
>> changed to 1 by root
>> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
>> (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
>> SELinux messages. run sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
>> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
>> (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
>> SELinux messages. run sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
>> Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon
>> (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
>> SELinux messages. run sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
>> Feb 24 14:12:52 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
>>
>> # sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
>> Summary:
>> SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown>
>> (inaddr_any_node_t).
>>
>> Detailed Description:
>> SELinux denied access requested by genhomedircon. It is not expected
>> that this
>> access is required by genhomedircon and this access may signal an intrusion
>> attempt. It is also possible that the specific version or configuration
>> of the
>> application is causing it to require additional access.
>>
>> Allowing Access:
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>> disable
>> SELinux protection altogether. Disabling SELinux protection is not
>> recommended.
>> Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>> Source Context root:system_r:semanage_t
>> Target Context system_u:object_r:inaddr_any_node_t
>> Target Objects None [ tcp_socket ]
>> Source genhomedircon
>> Source Path /usr/bin/python
>> Port <Unknown>
>> Host dox.oasen.dyndns.org
>> Source RPM Packages python-2.4.3-21.el5
>> Target RPM Packages Policy RPM
>> selinux-policy-2.4.6-137.1.el5
>> Selinux Enabled True
>> Policy Type targeted
>> MLS Enabled True
>> Enforcing Mode Enforcing
>> Plugin Name catchall
>> Host Name dox.oasen.dyndns.org
>> Platform Linux dox.oasen.dyndns.org
>> 2.6.18-92.1.22.el5 #1
>> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
>> Alert Count 2
>> First Seen Tue Feb 24 14:08:17 2009
>> Last Seen Tue Feb 24 14:12:48 2009
>> Local ID 70aadaea-686d-45b6-a10e-f4d5909b49bf
>> Line Numbers
>> Raw Audit Messages
>> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364):
>> avc: denied { node_bind } for pid=5378 comm="genhomedircon"
>> scontext=root:system_r:semanage_t:s0
>> tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
>>
>> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364):
>> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10
>> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
>> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>>
>> # sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
>> Summary:
>> SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown>
>> (hi_reserved_port_t).
>>
>> Detailed Description:
>> SELinux denied access requested by genhomedircon. It is not expected
>> that this
>> access is required by genhomedircon and this access may signal an intrusion
>> attempt. It is also possible that the specific version or configuration
>> of the
>> application is causing it to require additional access.
>>
>> Allowing Access:
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>> disable
>> SELinux protection altogether. Disabling SELinux protection is not
>> recommended.
>> Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>> Source Context root:system_r:semanage_t
>> Target Context system_u:object_r:hi_reserved_port_t
>> Target Objects None [ tcp_socket ]
>> Source genhomedircon
>> Source Path /usr/bin/python
>> Port 890
>> Host dox.oasen.dyndns.org
>> Source RPM Packages python-2.4.3-21.el5
>> Target RPM Packages Policy RPM
>> selinux-policy-2.4.6-137.1.el5
>> Selinux Enabled True
>> Policy Type targeted
>> MLS Enabled True
>> Enforcing Mode Enforcing
>> Plugin Name catchall
>> Host Name dox.oasen.dyndns.org
>> Platform Linux dox.oasen.dyndns.org
>> 2.6.18-92.1.22.el5 #1
>> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
>> Alert Count 2
>> First Seen Tue Feb 24 14:08:17 2009
>> Last Seen Tue Feb 24 14:12:48 2009
>> Local ID 4c554775-348e-41b7-aa4b-74216b06e26e
>> Line Numbers
>> Raw Audit Messages
>> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365):
>> avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890
>> scontext=root:system_r:semanage_t:s0
>> tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
>>
>> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365):
>> arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10
>> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
>> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>>
>> # sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
>> Summary:
>> SELinux is preventing genhomedircon (semanage_t) "name_connect" to
>> <Unknown>
>> (portmap_port_t).
>>
>> Detailed Description:
>> SELinux denied access requested by genhomedircon. It is not expected
>> that this
>> access is required by genhomedircon and this access may signal an intrusion
>> attempt. It is also possible that the specific version or configuration
>> of the
>> application is causing it to require additional access.
>>
>> Allowing Access:
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>> disable
>> SELinux protection altogether. Disabling SELinux protection is not
>> recommended.
>> Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>> Source Context root:system_r:semanage_t
>> Target Context system_u:object_r:portmap_port_t
>> Target Objects None [ tcp_socket ]
>> Source genhomedircon
>> Source Path /usr/bin/python
>> Port 111
>> Host dox.oasen.dyndns.org
>> Source RPM Packages python-2.4.3-21.el5
>> Target RPM Packages Policy RPM
>> selinux-policy-2.4.6-137.1.el5
>> Selinux Enabled True
>> Policy Type targeted
>> MLS Enabled True
>> Enforcing Mode Enforcing
>> Plugin Name catchall
>> Host Name dox.oasen.dyndns.org
>> Platform Linux dox.oasen.dyndns.org
>> 2.6.18-92.1.22.el5 #1
>> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
>> Alert Count 2
>> First Seen Tue Feb 24 14:08:17 2009
>> Last Seen Tue Feb 24 14:12:48 2009
>> Local ID 3ee7b441-b219-4684-8a42-1448513cd5b2
>> Line Numbers
>> Raw Audit Messages
>> host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366):
>> avc: denied { name_connect } for pid=5378 comm="genhomedircon"
>> dest=111 scontext=root:system_r:semanage_t:s0
>> tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
>>
>> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366):
>> arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10
>> a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon"
>> exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
>>
>>
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
> There is a bug in the ypbind script that is causing this problem.
>
> I believe there is a fix available in 5.3, but I am not sure.
>
> If you edit the /etc/init.d/ypbind script there is a bug when turning on
> or off the service. I believe there is a random "1" character in there.
> Removing this character will cause the AVC to disappear.
>
Line 40:
if [ -e /etc/selinux/${SELINUXTYPE}/modules1/active/booleans.local .....
if [ -e /etc/selinux/${SELINUXTYPE}/modules/active/booleans.local .....
did not help:
Feb 24 20:52:01 dox setsebool: The allow_ypbind policy boolean was
changed to 0 by root
Feb 24 20:52:03 dox setsebool: The allow_ypbind policy boolean was
changed to 1 by root
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete
SELinux messages. run sealert -l 84e4cd91-8298-40e2-9171-785c940ac32f
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete
SELinux messages. run sealert -l 7263a1a9-5e01-4d17-a0f4-206e32486ac2
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon
(semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete
SELinux messages. run sealert -l 65a80a67-fd9a-488c-b426-a447b5aa0d39
Feb 24 20:52:04 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
>
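Added example, not part of the thread or of the ypbind/setroubleshoot packages: a small Python parser that turns the raw audit messages quoted above into structured events, joining each AVC record to its SYSCALL record by audit serial so the denied permission, target type, port and failing syscall (49 = bind, 42 = connect on x86_64) appear together. The sample records are the thread's own three denials, rewrapped to one line each and trimmed to the fields used here; function names are my own.

```python
import re
from collections import defaultdict
# Constructed sample: the thread's three AVC records plus their SYSCALL records, one per line.
SAMPLE_LOG = """\
type=AVC msg=audit(1235481168.486:50364): avc: denied { node_bind } for pid=5378 comm="genhomedircon" scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1235481168.486:50364): arch=c000003e syscall=49 success=no exit=-13 pid=5378 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1235481168.488:50365): avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1235481168.488:50365): arch=c000003e syscall=49 success=no exit=-13 pid=5378 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1235481168.490:50366): avc: denied { name_connect } for pid=5378 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1235481168.490:50366): arch=c000003e syscall=42 success=no exit=-13 pid=5378 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
"""
HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
AVC = re.compile(r"avc: denied \{ ([^}]*) \} for (.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_NAMES = {49: "bind", 42: "connect"}  # x86_64 numbers seen in the thread

def parse_record(line):  # one audit record -> dict, or None for any other line
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    if rtype == "AVC":  # split off the permission set before reading key=value pairs
        a = AVC.match(body)
        rec["perms"] = a.group(1).split()
        body = a.group(2)
    rec.update((k, v.strip('"')) for k, v in KV.findall(body))
    return rec

def correlate(text):
    """Join AVC and SYSCALL records that share an audit serial into one event."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]][rec["type"]] = rec
    events = []
    for serial in sorted(by_serial):
        avc, sc = by_serial[serial].get("AVC"), by_serial[serial].get("SYSCALL", {})
        if avc is None:
            continue
        events.append({
            "serial": serial, "comm": avc["comm"], "perm": avc["perms"][0], "tclass": avc["tclass"],
            "domain": avc["scontext"].split(":")[2],                     # e.g. semanage_t
            "target_type": avc["tcontext"].split(":")[2],                # e.g. portmap_port_t
            "port": avc.get("src") or avc.get("dest"),                   # None for node_bind
            "syscall": SYSCALL_NAMES.get(int(sc.get("syscall", -1)), "unknown"),
            "errno": int(sc["exit"]) if "exit" in sc else None,          # -13 is EACCES
        })
    return events
```

Grouping events this way makes the pattern Dan describes visible at a glance: one process (genhomedircon under semanage_t) failing bind on a reserved port and connect to the portmapper, which points at what the init script is invoking rather than at a policy gap to allow.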