43239 – ypbind does not work with selinux when enfocing policy

Bug 43239 - ypbind does not work with selinux when enfocing policy

Summary: ypbind does not work with selinux when enfocing policy

Status:	RESOLVED LATER

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Hardened (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Chris PeBenito (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2004-02-28 16:50 UTC by Michael Ihde
Modified:	2004-03-06 12:57 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Proposed start to the ypbind.te (ypbind.te,1.56 KB, text/plain) 2004-02-28 16:51 UTC, Michael Ihde	Details
The ypbind file context (ypbind.fc,62 bytes, text/plain) 2004-02-28 16:52 UTC, Michael Ihde	Details
Updated version (ypbind.te,1.88 KB, text/plain) 2004-02-29 12:27 UTC, Michael Ihde	Details
Fixed a bug in the last ypbind.te (ypbind.te,2.26 KB, text/plain) 2004-03-01 07:35 UTC, Michael Ihde	Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Ihde 2004-02-28 16:50:55 UTC

After emerging ypbind on selinux and enforcing the policy, the machine is not able to access the NIS information.

ypbind runs in the initrc_t context which is not appropriate

Reproducible: Always
Steps to Reproduce:
1. emerge ypbind
2. configure correctly (yp.conf)
3. echo "1" > /selinux/enforce
2. run_init /etc/init.d/ypbind start
3. ypcat passwd

Actual Results:  
# run_init /etc/init.d/ypbind start
Authenticating root.
Password:
 * Starting ypbind...
 * No NIS server found                                                         
       [ !! ]

# ypcat passwd
No such map passwd.byname. Reason: Can't bind to server which serves this domain



Expected Results:  
Should print out the contents of the NIS password file.  After applying the
changes to the policy the out.

# run_init /etc/init.d/ypbind start
Authenticating root.
Password:
 * Starting ypbind...

# ypcat passwd

"Password file prints out"

Portage 2.0.50-r1 (selinux-x86-1.4, gcc-3.3.2, glibc-2.3.2-r9, 2.4.24-selinux-r2)
=================================================================
System uname: 2.4.24-selinux-r2 i686 Pentium III (Coppermine)
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.7.7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=i686 -fomit-frame-pointer"
CHOST="i386-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="berkdb crypt ncurses pam perl python readline selinux ssl tcpd x86 zlib"

Comment 1 Michael Ihde 2004-02-28 16:51:40 UTC

Created attachment 26544 [details]
Proposed start to the ypbind.te

Comment 2 Michael Ihde 2004-02-28 16:52:13 UTC

Created attachment 26545 [details]
The ypbind file context

Comment 3 Michael Ihde 2004-02-29 12:27:59 UTC

Created attachment 26615 [details]
Updated version

This allows sshd to use yp also

Comment 4 Michael Ihde 2004-03-01 07:35:17 UTC

Created attachment 26657 [details]
Fixed a bug in the last ypbind.te

Comment 5 Chris PeBenito (RETIRED) gentoo-dev

2004-03-06 12:57:42 UTC

yp stuff has already been merged in to policy cvs from upstream.  We'll have to see how well it works later, after the next base-policy release.  It'll also require installing the yp policies.