Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 455964 - cannot login using nis with selinux activated
Summary: cannot login using nis with selinux activated
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: ypbind
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Karel Klíč
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-19 13:01 UTC by Julian G
Modified: 2013-03-03 22:59 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-18 06:15:27 UTC


Attachments (Terms of Use)

Description Julian G 2008-07-19 13:01:09 UTC
Description of problem:
if using nis for central user management it shows me the available accounts
(also with getent passwd, getent shadow) but it's not possible to login. after
deactivating selinux everything works fine.

How reproducible:
always

Steps to Reproduce:
1. authconfig-tui
2. use nis
3. try to login

Comment 1 Vitezslav Crhonek 2008-10-16 08:36:43 UTC
If it's denied by SELinux, there must be AVC denial message (/var/log/audit/audit.log), please let me see it. Which version of SELinux policy do you use? Is your system properly labeled?

Also try
# getsebool allow_ypbind

and if not set, then
# setsebool -P allow_ypbind 1

Comment 2 Julian G 2008-11-14 14:36:34 UTC
# getsebool allow_ypbind
allow_ypbind --> on

Now I've set SELinux to permissive mode and watched with tail -f audit.log what happen, if i try to start another session and login with a nis account.

type=USER_AUTH msg=audit(1226673208.028:15): user pid=2740 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="testuser3" exe="/usr/bin/kdm" (hostname=?, addr=?, terminal=:1 res=success)'
type=USER_ACCT msg=audit(1226673208.044:16): user pid=2740 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="testuser3" exe="/usr/bin/kdm" (hostname=?, addr=?, terminal=:1 res=success)'
type=CRED_ACQ msg=audit(1226673208.233:17): user pid=2740 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="testuser3" exe="/usr/bin/kdm" (hostname=?, addr=?, terminal=:1 res=success)'
type=LOGIN msg=audit(1226673208.348:18): login pid=2740 uid=0 old auid=4294967295 new auid=1003 old ses=4294967295 new ses=2
type=USER_ROLE_CHANGE msg=audit(1226673208.412:19): user pid=2740 uid=0 auid=1003 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='pam: default-context=system_u:system_r:unconfined_t:s0 selected-context=system_u:system_r:unconfined_t:s0: exe="/usr/bin/kdm" (hostname=?, addr=?, terminal=? res=success)'
type=USER_START msg=audit(1226673208.472:20): user pid=2740 uid=0 auid=1003 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="testuser3" exe="/usr/bin/kdm" (hostname=?, addr=?, terminal=:1 res=success)'
type=ANOM_ABEND msg=audit(1226673210.069:21): auid=1003 uid=1003 gid=1003 ses=2 subj=system_u:system_r:unconfined_t:s0 pid=2838 comm="pulseaudio" sig=6

Comment 3 Julian G 2008-11-14 14:38:44 UTC
> Which version of SELinux policy do you use?

# yum info selinux-policy
Installed Packages
Name       : selinux-policy
Arch       : noarch
Version    : 3.0.8
Release    : 123.fc8
Size       : 7.6 M
Repo       : installed
Summary    : SELinux policy configuration
URL        : http://serefpolicy.sourceforge.net
License    : GPLv2+
Description: SELinux Reference Policy - modular. Based off of reference policy:
           : Checked out revision 2393.

Comment 4 Bug Zapper 2008-11-26 11:00:54 UTC
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 5 Julian G 2008-11-28 00:22:55 UTC
tested using an upgraded (from 9 to 10) computer in the network with kde. problem seems to still exist.

Comment 6 Julian G 2008-12-21 01:56:16 UTC
ping - any news?

Comment 7 Vitezslav Crhonek 2009-01-08 12:45:43 UTC
I'm not able to reproduce it on Fedora 10. AVC messages don't seem to be directly related with ypbind. Did you try NIS in console? Testing NIS domain with ypwhich and login?

Comment 8 Bug Zapper 2009-11-18 10:14:27 UTC
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 9 Bug Zapper 2009-12-18 06:15:27 UTC
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.