I checked bugzilla but did not see anything about this list of AVC alerts for Fedora 16. Should they be reported or is something misconfigured?
#============= accountsd_t ==============
#!!!! This avc is allowed in the current policy
allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow accountsd_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow accountsd_t var_yp_t:dir search;

#============= automount_t ==============
#!!!! This avc is allowed in the current policy
allow automount_t var_yp_t:file read;

#============= policykit_t ==============
#!!!! This avc is allowed in the current policy
allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow policykit_t kerberos_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow policykit_t kprop_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow policykit_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow policykit_t var_yp_t:dir search;

#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
allow sshd_t ftp_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t hi_reserved_port_t:udp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t spamd_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t var_yp_t:dir search;

#============= system_dbusd_t ==============
#!!!! This avc is allowed in the current policy
allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow system_dbusd_t rndc_port_t:tcp_socket name_bind;

#============= xdm_dbusd_t ==============
#!!!! This avc is allowed in the current policy
allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;
On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
I checked bugzilla but did not see anything about this list of AVC alerts for Fedora 16. Should they be reported or is something misconfigured?
setsebool -P allow_ypbind on
should fix it. If it does, then this should not be reported.
There is a way to check whether a specified AVC denial can be allowed, for example your first AVC denial:
#============= accountsd_t ==============
#!!!! This avc is allowed in the current policy
allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
# sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
Found 1 semantic av rules:
   DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
This tells me that this access can be allowed by toggling the allow_ypbind boolean to enabled. The DT tells me that this boolean is currently disabled.
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
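The check Dominick describes (run sesearch -SCT for the denial, read the DT flag and the boolean in brackets) can be scripted so that every rule in an audit2allow dump gets the same treatment. The following is an added example, not code from the thread or from the SELinux tools; the sesearch capture is a constructed stand-in for running the command, and the systemd_logind_t rule is taken from the local module posted later in the thread.

```python
"""Triage audit2allow output against sesearch results (SELinux).

Added example, not code from the thread or from the SELinux tools. It automates
the check Dominick describes: audit2allow tags a denial with "#!!!! This avc is
allowed in the current policy" when a rule already grants it, and sesearch -SCT
shows that rule with a state/branch flag (DT = Disabled now, True branch) and
the boolean it depends on. Assumes the setools 3 line format quoted in the thread.
"""
import re

ALLOWED_MARK = "#!!!! This avc is allowed in the current policy"

# audit2allow rule: allow src tgt:class perm;  or  allow src tgt:class { p1 p2 };
A2A_RULE_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+))\s*;")

# sesearch -C rule line: optional state/branch flags, optional [ bool expr ]
SESEARCH_RULE_RE = re.compile(
    r"^\s*(?:([ED])([TF])\s+)?allow\s+\S+\s+\S+\s*:\s*\S+\s+(?:\{[^}]*\}|\S+)\s*;"
    r"(?:\s*\[\s*(.+?)\s*\])?")


def parse_audit2allow(text):
    """Return [(source, target, class, perm, marked_allowed)], one entry per
    permission; marked_allowed is True when ALLOWED_MARK preceded the rule."""
    denials, pending_mark = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == ALLOWED_MARK:
            pending_mark = True
            continue
        m = A2A_RULE_RE.match(line)
        if not m:
            continue  # "#===== domain =====" headers and blank lines
        src, tgt, cls, many, single = m.groups()
        for perm in (many.split() if many is not None else [single]):
            denials.append((src, tgt, cls, perm, pending_mark))
        pending_mark = False
    return denials


def advise(sesearch_output):
    """Verdicts: already-allowed (unconditional or enabled rule exists),
    toggle-boolean (action is the setsebool command), review-expression
    (compound condition), no-rule (nothing grants it: bug-report material)."""
    toggles, compound = [], []
    for line in sesearch_output.splitlines():
        m = SESEARCH_RULE_RE.match(line)
        if not m:
            continue  # "Found N semantic av rules:" header
        state, branch, expr = m.groups()
        if expr is None or state == "E":
            return ("already-allowed", None)
        single = re.fullmatch(r"(!?)\s*(\w+)", expr.strip())
        if single:
            negated, name = single.group(1) == "!", single.group(2)
            # True branch wants the boolean on; a "!bool" condition flips that.
            want_on = (branch == "T") != negated
            toggles.append(f"setsebool -P {name} {'on' if want_on else 'off'}")
        else:
            compound.append(expr)
    if toggles:
        return ("toggle-boolean", toggles[0])
    if compound:
        return ("review-expression", compound[0])
    return ("no-rule", None)


def triage(audit2allow_text, sesearch_by_key):
    """Map each denial to (verdict, action). sesearch_by_key stands in for running
    sesearch -SCT --allow -s SRC -t TGT -c CLASS -p PERM for each denial."""
    report = {}
    for src, tgt, cls, perm, marked in parse_audit2allow(audit2allow_text):
        key = (src, tgt, cls, perm)
        verdict, action = advise(sesearch_by_key.get(key, ""))
        if verdict == "no-rule" and marked:
            verdict = "inconsistent"  # audit2allow and sesearch disagree; recheck
        report[key] = (verdict, action)
    return report


# Constructed sample: the reporter's first audit2allow rule plus one rule from
# the systemd_logind_t module he had to write.
SAMPLE_AUDIT2ALLOW = """\
#============= accountsd_t ==============
#!!!! This avc is allowed in the current policy
allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;

#============= systemd_logind_t ==============
allow systemd_logind_t var_yp_t:file { read open };
"""

# Constructed sesearch capture, copied from the thread. systemd_logind_t has no
# entry because sesearch finds nothing for it, which is exactly the bug-report case.
SAMPLE_SESEARCH = {
    ("accountsd_t", "hi_reserved_port_t", "tcp_socket", "name_bind"):
        "Found 1 semantic av rules:\n"
        "   DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]\n",
}
```

On a real host, replace SAMPLE_SESEARCH with the output of one sesearch call per (source, target, class, permission) key; denials that come back "no-rule" are the ones worth a bugzilla, the "toggle-boolean" ones need only the setsebool.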
"Dominick Grift wrote:"
On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
I checked bugzilla but did not see anything about this list of AVC alerts for Fedora 16. Should they be reported or is something misconfigured?
setsebool -P allow_ypbind on
The bool gets turned off in the reboot process. It solves almost all the AVC issues, but a few remained, which were solved with this policy file:

module mysystemd 1.0;

require {
    type systemd_logind_t;
    type var_yp_t;
    type node_t;
    type hi_reserved_port_t;
    class udp_socket { name_bind bind create setopt node_bind };
    class file { read open };
}

#============= systemd_logind_t ==============
allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
allow systemd_logind_t node_t:udp_socket node_bind;
allow systemd_logind_t self:udp_socket { bind create setopt };
allow systemd_logind_t var_yp_t:file { read open };
We also need to do a systemctl restart autofs.service after boot up. We use NIS and automounted home directories.
On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
The bool gets turned off in the reboot process.
That's strange, is systemd turning it back off?
It solves almost all the AVC issues, but a few remained, which were solved with this policy file:

module mysystemd 1.0;

require {
    type systemd_logind_t;
    type var_yp_t;
    type node_t;
    type hi_reserved_port_t;
    class udp_socket { name_bind bind create setopt node_bind };
    class file { read open };
}

#============= systemd_logind_t ==============
allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
allow systemd_logind_t node_t:udp_socket node_bind;
allow systemd_logind_t self:udp_socket { bind create setopt };
allow systemd_logind_t var_yp_t:file { read open };
This is likely a bug. Could you file a bugzilla for the above?
On 09/25/2011 10:10 AM, Dominick Grift wrote:
The bool gets turned off in the reboot process.
That's strange, is systemd turning it back off?
It solves almost all the AVC issues, but a few remained, which were solved with this policy file:

module mysystemd 1.0;

require {
    type systemd_logind_t;
    type var_yp_t;
    type node_t;
    type hi_reserved_port_t;
    class udp_socket { name_bind bind create setopt node_bind };
    class file { read open };
}

#============= systemd_logind_t ==============
allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
allow systemd_logind_t node_t:udp_socket node_bind;
allow systemd_logind_t self:udp_socket { bind create setopt };
allow systemd_logind_t var_yp_t:file { read open };
This is likely a bug. Could you file a bugzilla for the above?
Yes, please, open a new bug. Thank you.
Regards, Miroslav
On Sun, 2011-09-25 at 20:20 +0200, Miroslav Grepl wrote:
It solves almost all the AVC issues, but a few remained, which were solved with this policy file:

module mysystemd 1.0;

require {
    type systemd_logind_t;
    type var_yp_t;
    type node_t;
    type hi_reserved_port_t;
    class udp_socket { name_bind bind create setopt node_bind };
    class file { read open };
}

#============= systemd_logind_t ==============
allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
allow systemd_logind_t node_t:udp_socket node_bind;
allow systemd_logind_t self:udp_socket { bind create setopt };
allow systemd_logind_t var_yp_t:file { read open };
This is likely a bug. Could you file a bugzilla for the above?
Yes, please, open a new bug. Thank you.
proposed fix:
diff --git policy/modules/system/systemd.te policy/modules/system/systemd.te index e50a989..d5e32c2 100644 --- policy/modules/system/systemd.te +++ policy/modules/system/systemd.te @@ -130,6 +130,10 @@ ')
optional_policy(` + nis_use_ypbind(systemd_logind_t) +') + +optional_policy(` # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file xserver_search_xdm_tmp_dirs(systemd_logind_t) ')
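Review bot: the new optional_policy block grants systemd_logind_t its NIS access through nis_use_ypbind(systemd_logind_t), and in the reference policy that interface is wrapped in tunable_policy(`allow_ypbind', ...), so, like the nsswitch_domain rule sesearch showed earlier in the thread, it only applies while allow_ypbind is on; with the reporter seeing that boolean switched off during reboot, this patch on its own will not stop the logind denials until that is sorted out. It would be worth confirming that the interface covers every permission in the reporter's local module (hi_reserved_port_t:udp_socket name_bind, node_t:udp_socket node_bind, self:udp_socket { bind create setopt }, var_yp_t:file { read open }), and a one-line comment above the new block saying why logind needs NIS (users and automounted home directories served by NIS) would save the next reader a trip to the list archive.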
Regards, Miroslav
"Dominick Grift wrote:"
setsebool -P allow_ypbind on
Submitted bug report 741141 on SELinux bool getting turned off.
The bool gets turned off in the reboot process.
That's strange, is systemd turning it back off?
It solves almost all the AVC issues, but a few remained, which were solved with this policy file:

module mysystemd 1.0;

require {
    type systemd_logind_t;
    type var_yp_t;
    type node_t;
    type hi_reserved_port_t;
    class udp_socket { name_bind bind create setopt node_bind };
    class file { read open };
}

#============= systemd_logind_t ==============
allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
allow systemd_logind_t node_t:udp_socket node_bind;
allow systemd_logind_t self:udp_socket { bind create setopt };
allow systemd_logind_t var_yp_t:file { read open };
This is likely a bug. Could you file a bugzilla for the above?
Yes, please, open a new bug. Thank you.
Submitted bug report 741143 for the above AVC issue.
proposed fix:
diff --git policy/modules/system/systemd.te policy/modules/system/systemd.te index e50a989..d5e32c2 100644 --- policy/modules/system/systemd.te +++ policy/modules/system/systemd.te @@ -130,6 +130,10 @@ ') =20 optional_policy(`
- nis_use_ypbind(systemd_logind_t)
+')
+optional_policy(` # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file xserver_search_xdm_tmp_dirs(systemd_logind_t) ')
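Review bot: the new optional_policy block at the top of the hunk (`+ nis_use_ypbind(systemd_logind_t)`) should be checked for two things before it goes in. First, whether it is gated by the same tunable as the rule the other nsswitch_domain members get: the sesearch output earlier in the thread (`DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]`) shows that access is conditional on allow_ypbind, so logind should not end up with reserved-port binds and var_yp_t reads on every install where the boolean is off. Second, whether it covers all four rules in the reporter's local module (hi_reserved_port_t udp_socket name_bind, node_t udp_socket node_bind, self udp_socket { bind create setopt }, var_yp_t file { read open }); if any is missing the bug stays open. The later suggestion in the thread to call auth_use_nsswitch(systemd_logind_t) instead is worth considering, since logind resolves users through whatever nsswitch backend is configured rather than NIS specifically. A short comment above the call, as the xserver block below it has, would also help the next reader.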
Regards, Miroslav
We also need to do a systemctl restart autofs.service after boot up. We use NIS and auto mounted home directories.
should fix it. If it does, then this should not be reported.
There is a way to check whether a specified AVC denial can be allowed, for example your first avc denial:
#============= accountsd_t ==============
#!!!! This avc is allowed in the current policy
allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
# sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
Found 1 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
This tells me that this access can be allowed by toggling the allow_ypbind boolean to enabled. The DT tells me that this boolean is currently disabled.
allow accountsd_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow accountsd_t var_yp_t:dir search;

#============= automount_t ==============
#!!!! This avc is allowed in the current policy
allow automount_t var_yp_t:file read;

#============= policykit_t ==============
#!!!! This avc is allowed in the current policy
allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow policykit_t kerberos_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow policykit_t kprop_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow policykit_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow policykit_t var_yp_t:dir search;

#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
allow sshd_t ftp_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t hi_reserved_port_t:udp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t spamd_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t var_yp_t:dir search;

#============= system_dbusd_t ==============
#!!!! This avc is allowed in the current policy
allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow system_dbusd_t rndc_port_t:tcp_socket name_bind;

#============= xdm_dbusd_t ==============
#!!!! This avc is allowed in the current policy
allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
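A small triage helper for the sesearch check described in the thread, added here as an example and not code from the thread or from the SELinux tooling: it parses `sesearch -SCT --allow` output in the setools 3 format shown above, works out from the ET/DT/EF/DF prefix whether each rule currently grants access, and classifies a denial as fixable by a boolean, already allowed, or needing a policy change. The accountsd_t result is the real line quoted above; the "Found 0" result and the rule lines in the tests are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One rule line of `sesearch -SCT --allow` output (setools 3 format), e.g.
#   DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
# The optional two-letter prefix marks a conditional rule: first letter = current
# value of the boolean expression (Enabled/Disabled), second letter = the branch
# the rule lives in (True/False). Unconditional rules carry no prefix.
RULE_RE = re.compile(
    r'^(?:(?P<state>[ED][TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*'
    r'(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+)\s*;'
    r'(?:\s*\[\s*(?P<cond>[^\]]*?)\s*\])?\s*$'
)


@dataclass
class Rule:
    src: str
    tgt: str
    cls: str
    perms: frozenset
    cond: Optional[str]   # boolean expression, None for an unconditional rule
    state: Optional[str]  # 'ET', 'DT', 'EF', 'DF' or None

    @property
    def active(self) -> bool:
        # A conditional rule grants access only when the expression's current
        # value matches its branch (ET or DF); DT and EF rules are dormant.
        return self.state is None or self.state in ('ET', 'DF')


def parse_sesearch(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:  # skips the "Found N semantic av rules:" banner
            continue
        perms = frozenset(m.group('perms').strip('{} ').split())
        rules.append(Rule(m.group('src'), m.group('tgt'), m.group('cls'),
                          perms, m.group('cond'), m.group('state')))
    return rules


def triage(rules: List[Rule], perm: str) -> Tuple[str, List[Tuple[str, bool]]]:
    """Classify a denial for `perm` against the rules sesearch found for the
    same source/target/class:
      no_rule         - nothing grants it: needs a local module or a policy bug
      already_allowed - an active rule grants it: look at labels, not booleans
      toggle_boolean  - only dormant conditional rules grant it: the list names
                        each boolean and the value that would activate the rule
    """
    matching = [r for r in rules if perm in r.perms]
    if not matching:
        return 'no_rule', []
    if any(r.active for r in matching):
        return 'already_allowed', []
    # DT: expression off, rule in true branch -> turn the boolean on.
    # EF: expression on, rule in false branch -> turn it off.
    fixes = {(r.cond, r.state == 'DT') for r in matching if r.cond}
    return 'toggle_boolean', sorted(fixes)


# Sample outputs. The accountsd_t line is the real result quoted in this thread;
# the "Found 0" result is constructed to mirror the systemd_logind_t case, where
# no rule existed and a bug report was the right answer.
ACCOUNTSD_OUTPUT = """Found 1 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
"""
LOGIND_OUTPUT = "Found 0 semantic av rules:\n"

if __name__ == '__main__':
    print(triage(parse_sesearch(ACCOUNTSD_OUTPUT), 'name_bind'))
    print(triage(parse_sesearch(LOGIND_OUTPUT), 'name_bind'))
```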
On 09/25/2011 10:38 PM, David Highley wrote:
We should use auth_use_nsswitch(systemd_logind_t) I think.
Are you setting the allow_ypbind boolean permanently?
setsebool -P allow_ypbind 1
"Daniel J Walsh wrote:"
We should use auth_use_nsswitch(systemd_logind_t) I think.
Are you setting the allow_ypbind boolean permanently?
setsebool -P allow_ypbind 1
Yes, it is set but there seems to be an issue with ypbind.service turning it off during a reboot. See bug 741141 which I also submitted.