On CentOS 5.2
# ypcat -k auto.home
* asen20:/export/Server/homes/&
yp seems to be working for clients. BUT
Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661 to procedure ypproc_match (oasen,auto_home;-4)
dox and asen20 are the same machine (asen20 is a service IP address).
cd /var/yp; make does not
[root@dox yp]# make
gmake[1]: Entering directory `/var/yp/oasen'
Updating passwd.byname...
failed to send 'clear' to local ypserv: RPC: Timed out
Updating passwd.byuid .....
[root@dox yp]# service ypbind restart
Shutting down NIS services: [ OK ]
Turning off allow_ypbind SELinux boolean
Turning on allow_ypbind SELinux boolean
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server..
/var/log/messages:
Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was changed to 0 by root
Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was changed to 1 by root
Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete SELinux messages. run sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf
Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete SELinux messages. run sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete SELinux messages. run sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
Feb 24 14:12:52 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
# sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf

Summary:

SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t).

Detailed Description:

SELinux denied access requested by genhomedircon. It is not expected that this access is required by genhomedircon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:system_r:semanage_t
Target Context                system_u:object_r:inaddr_any_node_t
Target Objects                None [ tcp_socket ]
Source                        genhomedircon
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          dox.oasen.dyndns.org
Source RPM Packages           python-2.4.3-21.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     dox.oasen.dyndns.org
Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Tue Feb 24 14:08:17 2009
Last Seen                     Tue Feb 24 14:12:48 2009
Local ID                      70aadaea-686d-45b6-a10e-f4d5909b49bf
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364): avc: denied { node_bind } for pid=5378 comm="genhomedircon" scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10 a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
# sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e

Summary:

SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t).

Detailed Description:

SELinux denied access requested by genhomedircon. It is not expected that this access is required by genhomedircon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:system_r:semanage_t
Target Context                system_u:object_r:hi_reserved_port_t
Target Objects                None [ tcp_socket ]
Source                        genhomedircon
Source Path                   /usr/bin/python
Port                          890
Host                          dox.oasen.dyndns.org
Source RPM Packages           python-2.4.3-21.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     dox.oasen.dyndns.org
Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Tue Feb 24 14:08:17 2009
Last Seen                     Tue Feb 24 14:12:48 2009
Local ID                      4c554775-348e-41b7-aa4b-74216b06e26e
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365): avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10 a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
# sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2

Summary:

SELinux is preventing genhomedircon (semanage_t) "name_connect" to <Unknown> (portmap_port_t).

Detailed Description:

SELinux denied access requested by genhomedircon. It is not expected that this access is required by genhomedircon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:system_r:semanage_t
Target Context                system_u:object_r:portmap_port_t
Target Objects                None [ tcp_socket ]
Source                        genhomedircon
Source Path                   /usr/bin/python
Port                          111
Host                          dox.oasen.dyndns.org
Source RPM Packages           python-2.4.3-21.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     dox.oasen.dyndns.org
Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Tue Feb 24 14:08:17 2009
Last Seen                     Tue Feb 24 14:12:48 2009
Local ID                      3ee7b441-b219-4684-8a42-1448513cd5b2
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366): avc: denied { name_connect } for pid=5378 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10 a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
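An added example, not part of the thread: this Python script joins each AVC record above to its SYSCALL record by audit serial and decodes the x86_64 syscall number and errno, so the three alerts read as one sequence of calls (bind on INADDR_ANY, bind to reserved port 890, connect to the portmapper on 111) from a single genhomedircon pid. The raw lines are copied from the sealert output above as the sample input; the syscall and errno tables cover only the values that appear there.

```python
import re
from collections import defaultdict

# Sample input: the three raw audit records from the sealert output above,
# copied from the thread (AVC + SYSCALL pairs sharing one audit serial each).
RAW_AUDIT = """\
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364): avc: denied { node_bind } for pid=5378 comm="genhomedircon" scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10 a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365): avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10 a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366): avc: denied { name_connect } for pid=5378 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10 a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}')

# arch=c000003e is x86_64; these are the two syscall numbers seen in the thread.
X86_64_SYSCALLS = {42: "connect", 49: "bind"}
ERRNO = {-13: "EACCES"}


def sectype(context):
    """Pull the type field out of user:role:type:level, e.g. -> 'semanage_t'."""
    return context.split(":")[2]


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields plus serial/perms."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    p = PERM_RE.search(line)
    if p:
        rec["decision"], rec["perms"] = p.group(1), p.group(2).split()
    return rec


def correlate(raw):
    """Join AVC and SYSCALL records by audit serial and summarise each denial."""
    events = defaultdict(dict)
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if "serial" in rec and "type" in rec:
            events[rec["serial"]][rec["type"]] = rec
    out = []
    for serial in sorted(events, key=int):
        avc = events[serial].get("AVC")
        sc = events[serial].get("SYSCALL", {})
        if avc is None or avc.get("decision") != "denied":
            continue
        port = avc.get("src") or avc.get("dest")  # src= on bind, dest= on connect
        nr = int(sc["syscall"]) if "syscall" in sc else None
        if nr is not None and sc.get("arch") == "c000003e":
            syscall = X86_64_SYSCALLS.get(nr, str(nr))
        else:
            syscall = str(nr) if nr is not None else "?"
        out.append({
            "serial": serial,
            "comm": avc["comm"],
            "pid": avc["pid"],
            "source_type": sectype(avc["scontext"]),
            "perms": avc["perms"],
            "target_type": sectype(avc["tcontext"]),
            "tclass": avc["tclass"],
            "port": int(port) if port else None,
            "syscall": syscall,
            "errno": ERRNO.get(int(sc["exit"]), sc["exit"]) if "exit" in sc else "?",
            "exe": sc.get("exe"),
        })
    return out


def same_process(summaries):
    """Return (comm, pid) when every denial comes from a single process, else None."""
    ids = {(s["comm"], s["pid"]) for s in summaries}
    return ids.pop() if len(ids) == 1 else None


def describe(s):
    """One line per denial: who, which syscall, which permission on which target."""
    where = "port %s" % s["port"] if s["port"] else "unbound socket"
    return "audit %s: %s[%s] (%s) %s() -> %s on %s (%s, %s) = %s" % (
        s["serial"], s["comm"], s["pid"], s["source_type"], s["syscall"],
        " ".join(s["perms"]), s["target_type"], s["tclass"], where, s["errno"])


if __name__ == "__main__":
    denials = correlate(RAW_AUDIT)
    for d in denials:
        print(describe(d))
    # A reserved-port bind followed by a connect to port 111 (portmap) is how an
    # ONC RPC client starts a call; seeing all three under one pid says the
    # three setroubleshoot alerts are one event, not three separate problems.
    print("single process:", same_process(denials))
```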
Per Sjoholm wrote:
On CentOS 5.2
# ypcat -k auto.home
* asen20:/export/Server/homes/&
yp seems to be working for clients. BUT
Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661 to procedure ypproc_match (oasen,auto_home;-4)
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
There is a bug in the ypbind script that is causing this problem.
I believe there is a fix available in 5.3, but I am not sure.
If you edit the /etc/init.d/ypbind script there is a bug when turning on or off the service. I believe there is a random "1" character in there. Removing this character will cause the AVC to disappear.
Daniel J Walsh wrote:
There is a bug in the ypbind script that is causing this problem.
I believe there is a fix available in 5.3, but I am not sure.
If you edit the /etc/init.d/ypbind script there is a bug when turning on or off the service. I believe there is a random "1" character in there. Removing this character will cause the AVC to disappear.
Line 40
if [ -e /etc/selinux/${SELINUXTYPE}/modules1/active/booleans.local .....
if [ -e /etc/selinux/${SELINUXTYPE}/modules/active/booleans.local .....
did not help:
Feb 24 20:52:01 dox setsebool: The allow_ypbind policy boolean was changed to 0 by root
Feb 24 20:52:03 dox setsebool: The allow_ypbind policy boolean was changed to 1 by root
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete SELinux messages. run sealert -l 84e4cd91-8298-40e2-9171-785c940ac32f
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete SELinux messages. run sealert -l 7263a1a9-5e01-4d17-a0f4-206e32486ac2
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete SELinux messages. run sealert -l 65a80a67-fd9a-488c-b426-a447b5aa0d39
Feb 24 20:52:04 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Per Sjoholm wrote:
Daniel J Walsh wrote: Per Sjoholm wrote:
On CentOS 5.2 # ypcat -k auto.home
- asen20:/export/Server/homes/&
yp seems to be working for clients. BUT
Feb 24 14:32:54 dox ypserv[5353]: refused connect from 192.168.1.23:661 to procedure ypproc_match (oasen,auto_home;-4)
dox and asen20 is same machine (asen20 is a service IPaddress) cd /var/yp; make does not yp]# make gmake[1]: Entering directory `/var/yp/oasen' Updating passwd.byname... failed to send 'clear' to local ypserv: RPC: Timed outUpdating passwd.byuid .....
[root@dox yp]# service ypbind restart Shutting down NIS services: [ OK ] Turning off allow_ypbind SELinux boolean Turning on allow_ypbind SELinux boolean Binding to the NIS domain: [ OK ] Listening for an NIS domain server..
var log messages Feb 24 14:12:49 dox setsebool: The allow_ypbind policy boolean was changed to 0 by root Feb 24 14:12:51 dox setsebool: The allow_ypbind policy boolean was changed to 1 by root Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete SELinux messages. run sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete SELinux messages. run sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e Feb 24 14:12:51 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete SELinux messages. run sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2 Feb 24 14:12:52 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
# sealert -l 70aadaea-686d-45b6-a10e-f4d5909b49bf Summary: SELinux is preventing genhomedircon (semanage_t) "node_bind" to
<Unknown> (inaddr_any_node_t).
Detailed Description: SELinux denied access requested by genhomedircon. It is not expected that this access is required by genhomedircon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information: Source Context root:system_r:semanage_t Target Context system_u:object_r:inaddr_any_node_t Target Objects None [ tcp_socket ] Source genhomedircon Source Path /usr/bin/python Port <Unknown> Host dox.oasen.dyndns.org Source RPM Packages python-2.4.3-21.el5 Target RPM Packages Policy RPM selinux-policy-2.4.6-137.1.el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name dox.oasen.dyndns.org Platform Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 Alert Count 2 First Seen Tue Feb 24 14:08:17 2009 Last Seen Tue Feb 24 14:12:48 2009 Local ID 70aadaea-686d-45b6-a10e-f4d5909b49bf Line Numbers Raw Audit Messages host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.486:50364): avc: denied { node_bind } for pid=5378 comm="genhomedircon" scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.486:50364): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1eb0 a2=10 a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
# sealert -l 4c554775-348e-41b7-aa4b-74216b06e26e
Summary: SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t).
Detailed Description: SELinux denied access requested by genhomedircon. It is not expected that this access is required by genhomedircon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                root:system_r:semanage_t
Target Context                system_u:object_r:hi_reserved_port_t
Target Objects                None [ tcp_socket ]
Source                        genhomedircon
Source Path                   /usr/bin/python
Port                          890
Host                          dox.oasen.dyndns.org
Source RPM Packages           python-2.4.3-21.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     dox.oasen.dyndns.org
Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Tue Feb 24 14:08:17 2009
Last Seen                     Tue Feb 24 14:12:48 2009
Local ID                      4c554775-348e-41b7-aa4b-74216b06e26e
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.488:50365): avc: denied { name_bind } for pid=5378 comm="genhomedircon" src=890 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.488:50365): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffff31e1de0 a2=10 a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
# sealert -l 3ee7b441-b219-4684-8a42-1448513cd5b2
Summary: SELinux is preventing genhomedircon (semanage_t) "name_connect" to <Unknown> (portmap_port_t).
Detailed Description: SELinux denied access requested by genhomedircon. It is not expected that this access is required by genhomedircon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                root:system_r:semanage_t
Target Context                system_u:object_r:portmap_port_t
Target Objects                None [ tcp_socket ]
Source                        genhomedircon
Source Path                   /usr/bin/python
Port                          111
Host                          dox.oasen.dyndns.org
Source RPM Packages           python-2.4.3-21.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     dox.oasen.dyndns.org
Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Tue Feb 24 14:08:17 2009
Last Seen                     Tue Feb 24 14:12:48 2009
Local ID                      3ee7b441-b219-4684-8a42-1448513cd5b2
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235481168.490:50366): avc: denied { name_connect } for pid=5378 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235481168.490:50366): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffff31e2040 a2=10 a3=3 items=0 ppid=5376 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=8550 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
There is a bug in the ypbind script that is causing this problem.
I believe there is a fix available in 5.3, but I am not sure.
If you edit the /etc/init.d/ypbind script there is a bug when turning on or off the service. I believe there is a random "1" character in there. Removing this character will cause the AVC to disappear.
Line 40:
if [ -e /etc/selinux/${SELINUXTYPE}/modules1/active/booleans.local .....
changed to:
if [ -e /etc/selinux/${SELINUXTYPE}/modules/active/booleans.local .....
did not help
Feb 24 20:52:01 dox setsebool: The allow_ypbind policy boolean was changed to 0 by root
Feb 24 20:52:03 dox setsebool: The allow_ypbind policy boolean was changed to 1 by root
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete SELinux messages. run sealert -l 84e4cd91-8298-40e2-9171-785c940ac32f
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete SELinux messages. run sealert -l 7263a1a9-5e01-4d17-a0f4-206e32486ac2
Feb 24 20:52:04 dox setroubleshoot: SELinux is preventing genhomedircon (semanage_t) "name_connect" to <Unknown> (portmap_port_t). For complete SELinux messages. run sealert -l 65a80a67-fd9a-488c-b426-a447b5aa0d39
Feb 24 20:52:04 dox ypbind: bound to NIS server asen20.oasen.dyndns.org
What is happening is that the boolean is being turned off while the machine is still in NIS mode, i.e. the kernel is still causing all getpw* calls to bind to random ports.
If this machine is going to run with nis, you need to execute
setsebool -P allow_ypbind=1
Then with the fix, the script will not turn off the boolean.
This will prevent the random avc messages.
The script turning the boolean on, was just trying to help in the case the user did not set the boolean permanently.
allow_ypbind is a bad boolean to set if you are not using NIS, since it allows lots of confined applications to set up as services on any port they want.
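As an added example (not code from this thread or from the ypbind package), here are the three offline checks that follow from the two replies above: whether the init script still carries the stray "modules1" path, whether allow_ypbind is persisted on in booleans.local (what setsebool -P writes), and a reducer that turns raw AVC records like the ones quoted earlier into one line per denial. All file paths are hypothetical stand-ins and the audit records are constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Every input is constructed here; the
# paths stand in for /etc/init.d/ypbind, the targeted policy's booleans.local
# and /var/log/audit/audit.log on a real CentOS 5 host.

# 1. Does the init script still carry the stray "modules1" path? (exit 0 = yes)
ypbind_script_has_typo() {
    grep -q 'modules1/active/booleans.local' "$1"
}

# 2. Is boolean $2 persisted on in booleans.local $1 (what "setsebool -P" writes)?
boolean_persisted_on() {
    grep -q "^$2=1\$" "$1"
}

# 3. Reduce audit records on stdin to one "<perm> <comm> <tcontext>" per AVC denial,
#    so a burst of denials is easy to attribute to the script toggling the boolean.
summarize_avc() {
    q='"'
    while IFS= read -r line; do
        case "$line" in *" denied "*) ;; *) continue ;; esac
        rest=${line#*denied}; set -- $rest; perm=$2     # "{ name_bind }" -> name_bind
        comm=${line#*comm=$q}; comm=${comm%%$q*}
        tctx=${line#*tcontext=}; tctx=${tctx%% *}
        printf '%s %s %s\n' "$perm" "$comm" "$tctx"
    done
}

# Constructed sample: the two AVC records quoted in the thread plus a SYSCALL
# record, which carries no denial and must be skipped.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1235481168.488:50365): avc:  denied  { name_bind } for  pid=5378 comm="genhomedircon" src=890 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1235481168.488:50365): arch=c000003e syscall=49 success=no exit=-13 comm="genhomedircon" exe="/usr/bin/python" subj=root:system_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1235481168.490:50366): avc:  denied  { name_connect } for  pid=5378 comm="genhomedircon" dest=111 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
EOF
}

# Stand-alone demo on constructed files (hypothetical paths under a temp dir).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'if [ -e /etc/selinux/${SELINUXTYPE}/modules1/active/booleans.local ]; then' > "$d/ypbind"
    printf 'allow_ypbind=1\n' > "$d/booleans.local"
    ypbind_script_has_typo "$d/ypbind" && echo "ypbind script: stray modules1 path present"
    boolean_persisted_on "$d/booleans.local" allow_ypbind && echo "allow_ypbind: persisted on"
    sample_audit_lines | summarize_avc
    rm -rf "$d"
}
demo
```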