6 thoughts on - Weird SELinux Denial

• If you run this avc though audit2why what does it say?

• It says what it is my original post; that’s the output from audit2allow –w (which is audit2why):

  Was caused by:
  The boolean allow_ypbind was set incorrectly. Description:
  Allow system to run with NIS

  Allow access by executing:
  # setsebool -P allow_ypbind 1

  –

• the audit2why should say that the AVC is allowed.

• Well, if I just run audit2why again, it always tells me the same thing. However, I have now discovered that if I unset allow_ypbind, and then reset it to 1, audit2why then says

  type=AVC msg=audit(1496768649.872:1338): avc: denied { name_connect } for pid$13 comm=”dbus-daemon” dest1 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

  Was caused by:
  Unknown – would be allowed by active policy
  Possible mismatch between this policy and the one under which the audit message was generated.

  Possible mismatch between current in-memory boolean settings vs. permanent ones.

  –

• Ok, that works then. The way I read your email indicated that setting the boolean did not allow the access. I take it you are not running with NIS/Yellow pages and yet you see dbus connecting to port 111?

• Well, previously, I didn’t have to set it, because it already was set, but the denial was still happening (apparently). NIS has been working, which makes it even more confusing.

  But, now that I unset it (set it to 0) and then set it back (to 1), now allow2why seems to understand that the boolean is set (whereas before it seemed to think that the boolean was not set), so I guess I’ll what the log and see what happens.

  Thanks!

  –