maxamillion / ansible-openshift_origin

Ansible Playbook for OpenShift Origin

SELinux context for ypbind not set for brokers #5

Closed ryansb closed 11 years ago

ryansb commented 11 years ago

When using broker.yml, it does not set the SELinux boolean "allow_ypbind".

$ oo-accept-broker 
NOTICE: SELinux is Enforcing
NOTICE: SELinux is  Enforcing
NOTICE: SELinux boolean allow_ypbind is disabled -- run setsebool -P allow_ypbind=on

I tried correcting it by doing this:

$ git diff broker.yml 
diff --git a/broker.yml b/broker.yml
index 591b22a..4181fb7 100644
--- a/broker.yml
+++ b/broker.yml
@@ -376,6 +376,7 @@
        - httpd_read_user_content
        - httpd_enable_homedirs
        - httpd_execmem
+       - allow_ypbind
   tags:
     - console
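Review bot: the name in the added line `+       - allow_ypbind` is not one the target's policy enumerates, which is why the task fails with "SELinux boolean allow_ypbind does not exist"; later in this thread `/etc/selinux/targeted/booleans.subs_dist` shows `allow_ypbind nis_enabled`, i.e. on Fedora 18 it is only an alias for `nis_enabled`. List the canonical name `nis_enabled` here instead, so the boolean being set is the one `getsebool -a` reports.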

But that errors out because (I suspect) at that point in the config yp (NIS) hasn't been installed. It produces this error.

failed: [hostname.local] => (item=allow_ypbind) => {"failed": true, "item": "allow_ypbind"}
msg: SELinux boolean allow_ypbind does not exist.

maxamillion commented 11 years ago

allow_ypbind doesn't exist on Fedora 18 according to 'getsebool -a | grep ypbind' ... I'm not sure why you're getting that error, I've not seen that one before.

ryansb commented 11 years ago

[root@broker ~]# setsebool -P allow_ypbind=on
[root@broker ~]# echo $?
0

What's odd is that I also get nothing from getsebool -a | grep ypbind but I get a good exit code when I setsebool.

When a variable doesn't exist, this is what happens.

[root@broker ~]# setsebool -P nopenopenope=on
libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
libsemanage.dbase_llist_set: could not set record value (No such file or directory).
Could not change boolean nopenopenope
Could not change policy booleans

This leads me to believe that the allow_ypbind variable somehow doesn't show up in getsebool, but is still somehow valid.

maxamillion commented 11 years ago

Ah, it looks like allow_ypbind was either deprecated by or replaced by nis_enabled

$ grep ypbind /etc/selinux/targeted/booleans.subs_dist
allow_ypbind nis_enabled
$ getsebool -a | grep nis_enabled
nis_enabled --> off

So if we set nis_enabled on the broker we should be good, but even still I'm curious if that's actually required or if that's just some deprecated check in oo-accept-node. I'll look into that and follow up.
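The alias lookup described above, as an added example that is not part of the playbook or of this thread: a small POSIX shell helper that resolves a boolean name through booleans.subs_dist before it is checked or set, so a task that still carries the old name ends up on the canonical one that getsebool reports. The sample subs file written by `demo_resolve` is constructed here from the single line the grep above shows; the function names are my own.

```shell
#!/bin/sh
# Added example (not the playbook's code): map an SELinux boolean alias to its
# canonical name using the "<alias> <canonical>" lines of booleans.subs_dist.

# resolve_sebool NAME [SUBS_FILE]
# Prints the canonical name for NAME if the subs file lists it as an alias,
# otherwise prints NAME unchanged (also when the subs file is missing).
resolve_sebool() {
    name=$1
    subs=${2:-/etc/selinux/targeted/booleans.subs_dist}
    if [ -r "$subs" ]; then
        canonical=$(awk -v n="$name" '$1 == n { print $2; exit }' "$subs")
        if [ -n "$canonical" ]; then
            printf '%s\n' "$canonical"
            return 0
        fi
    fi
    printf '%s\n' "$name"
}

# sebool_exists NAME [SUBS_FILE]
# Succeeds only when getsebool knows the resolved name; this is the check a
# playbook should make before calling setsebool, so that an alias that
# setsebool silently accepts is not mistaken for a boolean the policy lacks.
sebool_exists() {
    resolved=$(resolve_sebool "$1" "$2")
    getsebool "$resolved" >/dev/null 2>&1
}

# demo_resolve: builds a constructed subs file mirroring the grep output in
# this thread and prints what allow_ypbind resolves to (nis_enabled).
demo_resolve() {
    tmp=$(mktemp)
    printf 'allow_ypbind nis_enabled\n' > "$tmp"   # constructed sample
    resolve_sebool allow_ypbind "$tmp"
    rm -f "$tmp"
}
```

On a host with SELinux, `sebool_exists allow_ypbind && setsebool -P "$(resolve_sebool allow_ypbind)=on"` sets the canonical boolean rather than the alias.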

ryansb commented 11 years ago

Hm, that's interesting. I'm going to go ahead and do a fresh install of F18 and re-test with the different role name.

Do you know where in openshift that check might be getting run so I can track down what's tossing that error?

maxamillion commented 11 years ago

Sorry for the radio silence, was out of town and then afk due to a family emergency. I'll be afk again for a few days for some training but I wanted to update this to let you know I haven't forgotten and do still plan to look into this.

maxamillion commented 11 years ago

Actually I just realized this is completed from the perspective of the deployment, the other end needs a fix from the util in origin-server. Closing this but feel free to re-open if you feel there's more work to be done (but also please let me know what that is because I'll have clearly missed something) :)