Bug 1127602

| Summary: | SELinux prevents nmbd from reading /tmp | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Robin Hack <rhack> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.6 | CC: | asn, dwalsh, mgrepl, mmalik, rmainz, tlavigne |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-252.el6 | Doc Type: | Bug Fix |
| Doc Text: | Cause: Starting, restarting samba daemons.<br>Consequence: Samba daemons cannot list /tmp dir.<br>Fix: Add rule that samba daemons can list /tmp dir.<br>Result: Samba daemons can list /tmp dir. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-10-14 08:03:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Comment 2
Milos Malik
2014-08-07 10:33:48 UTC
I really don't know. It looks fixed in Fedora 20, then from my POV: yes.

Maybe I'm missing something, but I tried your tests and everything looks fine without any AVC.

```text
$ rpm -q selinux-policy
selinux-policy-3.7.19-250.el6.noarch
```
Milos, could you re-test it please? Thank you.

Unfortunately, the AVCs appeared on several machines:
```text
----
time->Thu Aug 21 15:13:18 2014
type=SYSCALL msg=audit(1408648398.763:25): arch=40000003 syscall=5 success=no exit=-13 a0=3ba201 a1=0 a2=1b6 a3=3c915c items=0 ppid=7917 pid=7918 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1408648398.763:25): avc: denied { read } for pid=7918 comm="nmbd" name="tmp" dev=dm-0 ino=655361 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:13:18 2014
type=SYSCALL msg=audit(1408648398.763:26): arch=40000003 syscall=5 success=no exit=-13 a0=3ba1fd a1=0 a2=1b6 a3=3c915c items=0 ppid=7917 pid=7918 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1408648398.763:26): avc: denied { read } for pid=7918 comm="nmbd" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:13:18 2014
type=SYSCALL msg=audit(1408648398.765:27): arch=40000003 syscall=5 success=no exit=-13 a0=3ba206 a1=0 a2=1b6 a3=3c915c items=0 ppid=7917 pid=7918 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1408648398.765:27): avc: denied { read } for pid=7918 comm="nmbd" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:18:42 2014
type=SYSCALL msg=audit(1408648722.023:82): arch=40000003 syscall=5 success=no exit=-13 a0=762201 a1=0 a2=1b6 a3=77115c items=0 ppid=15062 pid=15180 auid=4294967295 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="ntlm_auth" exe="/usr/bin/ntlm_auth" subj=unconfined_u:system_r:winbind_helper_t:s0 key=(null)
type=AVC msg=audit(1408648722.023:82): avc: denied { read } for pid=15180 comm="ntlm_auth" name="tmp" dev=dm-0 ino=655361 scontext=unconfined_u:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:18:42 2014
type=SYSCALL msg=audit(1408648722.023:83): arch=40000003 syscall=5 success=no exit=-13 a0=7621fd a1=0 a2=1b6 a3=77115c items=0 ppid=15062 pid=15180 auid=4294967295 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="ntlm_auth" exe="/usr/bin/ntlm_auth" subj=unconfined_u:system_r:winbind_helper_t:s0 key=(null)
type=AVC msg=audit(1408648722.023:83): avc: denied { read } for pid=15180 comm="ntlm_auth" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:18:42 2014
type=SYSCALL msg=audit(1408648722.023:84): arch=40000003 syscall=5 success=no exit=-13 a0=762206 a1=0 a2=1b6 a3=77115c items=0 ppid=15062 pid=15180 auid=4294967295 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="ntlm_auth" exe="/usr/bin/ntlm_auth" subj=unconfined_u:system_r:winbind_helper_t:s0 key=(null)
type=AVC msg=audit(1408648722.023:84): avc: denied { read } for pid=15180 comm="ntlm_auth" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:24:34 2014
type=SYSCALL msg=audit(1408649074.336:103): arch=40000003 syscall=5 success=no exit=-13 a0=8f41fd a1=0 a2=1b6 a3=90315c items=0 ppid=16102 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408649074.336:103): avc: denied { read } for pid=1767 comm="smbcontrol" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:24:34 2014
type=SYSCALL msg=audit(1408649074.336:102): arch=40000003 syscall=5 success=no exit=-13 a0=8f4201 a1=0 a2=1b6 a3=90315c items=0 ppid=16102 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408649074.336:102): avc: denied { read } for pid=1767 comm="smbcontrol" name="tmp" dev=dm-0 ino=655361 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:24:34 2014
type=SYSCALL msg=audit(1408649074.337:104): arch=40000003 syscall=5 success=no exit=-13 a0=8f4206 a1=0 a2=1b6 a3=90315c items=0 ppid=16102 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408649074.337:104): avc: denied { read } for pid=1767 comm="smbcontrol" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
```

```text
# rpm -qa selinux-policy*
selinux-policy-targeted-3.7.19-251.el6.noarch
selinux-policy-3.7.19-251.el6.noarch
selinux-policy-mls-3.7.19-251.el6.noarch
#
```
```text
commit 34481828d4c49bc35c1ced150e97c62b7f023f32
Author: Miroslav Grepl <mgrepl>
Date:   Fri Aug 22 09:40:23 2014 +0200

    Add samba_domain attribute and allow to list /tmp directory for these domains.
```
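Triage of denials like the ones quoted above, as an added example that is not part of the bug report or of selinux-policy: it parses raw `type=AVC` audit records, groups them by source type, target type, class and permission, emits the per-domain allow rule each group implies (as audit2allow would), and then collapses domains that hit the same target into one attribute-based rule, which is the shape of the fix the commit describes. The sample records are constructed from the denials in this bug; the `samba_domain` name comes from the commit message, and the shipped fix grants directory listing rather than only the single denied `read` permission derived here.

```python
"""Group SELinux AVC denials and derive the allow rules they imply (added illustration, not from the bug or selinux-policy)."""
import re
from collections import Counter

# Constructed sample built from the denials quoted in this bug; one SYSCALL record is kept to show it is skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1408648398.763:25): arch=40000003 syscall=5 success=no exit=-13 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1408648398.763:25): avc: denied { read } for pid=7918 comm="nmbd" name="tmp" dev=dm-0 ino=655361 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1408648398.765:27): avc: denied { read } for pid=7918 comm="nmbd" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1408648722.023:82): avc: denied { read } for pid=15180 comm="ntlm_auth" name="tmp" dev=dm-0 ino=655361 scontext=unconfined_u:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1408649074.336:103): avc: denied { read } for pid=1767 comm="smbcontrol" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# One match per AVC record; the braces may hold several space-separated permissions.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)')

def selinux_type(context):
    """user:role:type[:range] -> type; an MLS range such as s0-s0:c0.c1023 is ignored."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source type, target type, class, permission, comm) per denied permission; non-AVC records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            for perm in m["perms"].split():
                yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
                       m["tclass"], perm, m["comm"])

def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    return Counter(rec[:4] for rec in parse_avc(text))

def allow_rules(text):
    """Per-domain rules covering every denial, in the form audit2allow prints."""
    return sorted(f"allow {s} {t}:{c} {p};" for s, t, c, p in summarize(text))

def consolidate(text, attr):
    """Collapse domains that hit the same target/class/permission into one rule on a shared
    attribute (the approach of the fix commit). Returns [(sorted domains, rule), ...]."""
    groups = {}
    for s, t, c, p in summarize(text):
        groups.setdefault((t, c, p), set()).add(s)
    return [(sorted(d), f"allow {attr} {t}:{c} {p};") for (t, c, p), d in sorted(groups.items())]
```

Point `parse_avc` at the output of `ausearch -m avc` to run it against a live audit log; the consolidated rule is a starting point for a review of which domains genuinely share a need, not something to load unexamined.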
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html