Bug 1240198

| Field | Value |
|---|---|
| Summary | [SELinux]: Issues in setting up Windows Active Directory with Samba and access of share denied using domain users (RHEL-6.7) |
| Product | [Red Hat Storage] Red Hat Gluster Storage |
| Component | samba |
| Status | CLOSED CURRENTRELEASE |
| Severity | urgent |
| Priority | urgent |
| Version | rhgs-3.1 |
| Target Milestone | --- |
| Target Release | RHGS 3.1.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | core |
| Fixed In Version | selinux-policy-3.7.19-279.el6_7.4 |
| Doc Type | Known Issue |
| Reporter | surabhi <sbhaloth> |
| Assignee | rhs-smb <rhs-smb> |
| QA Contact | surabhi <sbhaloth> |
| Docs Contact | |
| CC | annair, mmalik, nlevinki, pprakash, rcyriac, rjoseph, sbhaloth, vagarwal |
| Story Points | --- |
| Clone Of | |
| | 1241360 1241361 (view as bug list) |
| Environment | |
| Last Closed | 2015-08-10 07:44:28 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1241360 |
| Bug Blocks | 1212796, 1216951 |
| Attachments | |

Doc Text:

As described in the bug, the Active Directory integration of Samba and Gluster fails, and AVC denials are logged for the nmbd, winbind and smbd processes. To rectify the problem, apply the workaround below.

Step 1: write the policy source file bz1240198.te:

```
# cat bz1240198.te
policy_module(bz1240198,1.1)
require {
type nmbd_t;
type smbd_t;
type winbind_var_run_t;
type smbd_var_run_t;
type winbind_t;
type nmbd_var_run_t;
}
manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
files_pid_filetrans(nmbd_t, nmbd_var_run_t, { sock_file })
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file })
filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file })
manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
allow nmbd_t nmbd_var_run_t:sock_file { create unlink };
allow nmbd_t smbd_var_run_t:file { write read lock create unlink open };
allow nmbd_t smbd_var_run_t:sock_file { create unlink };
```

Step 2: compile it into a policy package with the selinux-policy-devel Makefile:

```
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted bz1240198 module
/usr/bin/checkmodule: loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
```

Step 3: install the module:

```
# semodule -i bz1240198.pp
```
Description

surabhi, 2015-07-06 07:49:05 UTC

Created attachment 1048690: AVC's for winbind and nmb

Moving back to modified, the bz was moved to on_qa by the errata tool.

Step 1:

```
# cat bz1240198.te
policy_module(bz1240198,1.1)
require {
type nmbd_t;
type smbd_t;
type winbind_var_run_t;
type smbd_var_run_t;
type winbind_t;
type nmbd_var_run_t;
}
manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
files_pid_filetrans(nmbd_t, nmbd_var_run_t, { sock_file })
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file })
filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file })
manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
allow nmbd_t nmbd_var_run_t:sock_file { create unlink };
allow nmbd_t smbd_var_run_t:file { write read lock create unlink open };
allow nmbd_t smbd_var_run_t:sock_file { create unlink };
```

Step 2:

```
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted bz1240198 module
/usr/bin/checkmodule: loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
```

Step 3:

```
# semodule -i bz1240198.pp
```

With selinux-policy-3.7.19-279.el6_7.2 and selinux-policy-3.7.19-279.el6_7.3, the Windows AD setup works fine and the domain user is able to log in. There is only one AVC seen related to sshd, which is reported in the RHEL selinux-policy BZ https://bugzilla.redhat.com/show_bug.cgi?id=1250066.

All the AVCs are fixed and no issues seen with AD setup and domain user login with selinux-policy-targeted-3.7.19-279.el6_7.4.noarch selinux-policy-3.7.19-279.el6_7.4.noarch

Already verified with above policy. Moving the bz to verified. The Fixed In Version needs to be updated.
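Before loading a local policy module like the bz1240198.te workaround above, it is worth checking that the module actually covers the denials on the box and nothing more. The following is an added example, not code from the bug or from the selinux-policy package: it parses AVC records from audit log text, reduces each to a (source type, target type, class) tuple with its denied permissions, and compares them against an approximate expansion of the rules in bz1240198.te. The audit lines are constructed for the example, not taken from attachment 1048690, and the permission sets for the refpolicy macros (manage_file_perms, rw_dir_perms and so on) are an assumption mirroring the macro definitions in selinux-policy-devel; the files_pid_filetrans rules are omitted since they only affect the parent var_run directory.

```python
"""Parse SELinux AVC denials and check them against the bz1240198 workaround.

Added example for this bug page; sample audit lines are constructed and the
macro expansions below are an assumption, not the authoritative policy.
"""
import re
from collections import defaultdict

# Matches the denial, the permissions and the three context fields of an AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Constructed sample log (NOT from the bug's attachment): four denials of the
# kind the bug describes for nmbd and winbindd under /var/run/samba, one
# unrelated constructed denial for smbd_t, and a SYSCALL record to be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1436169530.101:201): avc:  denied  { create } for  pid=2201 comm="nmbd" name="nmbd" scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:smbd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1436169530.102:202): avc:  denied  { read write open } for  pid=2201 comm="nmbd" name="unexpected" scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:smbd_var_run_t:s0 tclass=file
type=AVC msg=audit(1436169531.311:203): avc:  denied  { create } for  pid=2305 comm="winbindd" name="winbindd" scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:smbd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1436169531.312:204): avc:  denied  { write } for  pid=2305 comm="winbindd" name="pipe" scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:smbd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1436169532.001:205): avc:  denied  { write } for  pid=2410 comm="smbd" name="pipe" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1436169532.001:205): arch=c000003e syscall=2 success=no exit=-13
"""

# Assumed expansion of the refpolicy permission macros used by the .te file.
MANAGE_FILE_PERMS = {'create', 'open', 'getattr', 'setattr', 'read', 'write',
                     'append', 'rename', 'link', 'unlink', 'ioctl', 'lock'}
MANAGE_DIR_PERMS = MANAGE_FILE_PERMS | {'search', 'add_name', 'remove_name',
                                        'reparent', 'rmdir'}
RW_DIR_PERMS = {'open', 'getattr', 'search', 'read', 'write', 'lock', 'ioctl',
                'add_name', 'remove_name'}

# What bz1240198.te grants, keyed by (source type, target type, object class).
WORKAROUND_GRANTS = {
    ('nmbd_t', 'nmbd_var_run_t', 'dir'): RW_DIR_PERMS,             # manage_sock_files_pattern
    ('nmbd_t', 'nmbd_var_run_t', 'sock_file'): MANAGE_FILE_PERMS,  # manage_sock_files_pattern
    ('nmbd_t', 'smbd_var_run_t', 'dir'): RW_DIR_PERMS,             # filetrans_pattern
    ('nmbd_t', 'smbd_var_run_t', 'file'): {'write', 'read', 'lock', 'create', 'unlink', 'open'},
    ('nmbd_t', 'smbd_var_run_t', 'sock_file'): {'create', 'unlink'},
    ('winbind_t', 'smbd_var_run_t', 'dir'): MANAGE_DIR_PERMS,      # manage_dirs_pattern
    ('winbind_t', 'smbd_var_run_t', 'file'): MANAGE_FILE_PERMS,    # manage_files_pattern
    ('winbind_t', 'smbd_var_run_t', 'sock_file'): MANAGE_FILE_PERMS,  # manage_sock_files_pattern
}


def parse_avc_denials(log_text):
    """Return {(source_type, target_type, tclass): set(denied perms)}.

    Records that are not AVC denials (SYSCALL, PATH, granted AVCs) are skipped.
    The type is the third field of a context (user:role:type:range).
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        denials[(stype, ttype, m.group('tclass'))].update(m.group('perms').split())
    return dict(denials)


def uncovered_denials(denials, grants=WORKAROUND_GRANTS):
    """Return the denials (and the missing permissions) that the module would not allow."""
    missing = {}
    for key, perms in denials.items():
        left = perms - grants.get(key, set())
        if left:
            missing[key] = left
    return missing


if __name__ == '__main__':
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for (stype, ttype, tclass), perms in sorted(found.items()):
        print(f'{stype} -> {ttype}:{tclass} {{ {" ".join(sorted(perms))} }}')
    for key, perms in uncovered_denials(found).items():
        print('NOT covered by bz1240198.te:', key, sorted(perms))
```

Run against a real `/var/log/audit/audit.log` the output tells you whether the workaround is sufficient (every denial covered) and whether it is wider than needed; in the constructed sample the four nmbd/winbindd denials are covered and the extra smbd_t denial is reported as not covered, which is the signal to look at the upstream policy rather than widen a local module.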