Bug 152549
| Summary: | start of winbind fails, because SELinux targeted policy doesnt allow file creation | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Niels Happel <nhappel> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.0 | CC: | leonard-rh-bugzilla, philipp.gantert |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-03-30 15:18:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This is a bug in selinux-policy-targeted, not Samba, so I'm redirecting to the correct maintainers. This will be fixed in the Targeted policy in U1. Until U1, you can work around it by putting SELinux in advisory mode (turning off enforcing mode) before starting winbindd. If you start winbindd with SELinux disabled, you may have to relabel the filesystem /var/log/samba is on. (the easiest way is to touch /.autorelabel and reboot.) You can try out the U1 policy, at ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted, policycoreutils} *** Bug 175923 has been marked as a duplicate of this bug. *** |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050322 Firefox/1.0.2 Red Hat/1.0.2-1.4.1 Description of problem: The first start of winbind fails, because the SELinux targeted policy doesn´t allow the creation of /var/cache/samba/*.tdb and /var/log/samba/winbind.log. Restarting the service will produce the same error messages. For better explaination take a look at /var/log/messages: Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.505:0): avc: denied { create } for pid=3906 exe=/usr/sbin/winbindd name=gencache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.505:0): avc: denied { create } for pid=3906 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.505:0): avc: denied { create } for pid=3906 exe=/usr/sbin/winbindd name=winbindd.log scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t tclass=file Mar 29 19:41:04 rhas4-1 last message repeated 5 times Mar 29 19:41:04 rhas4-1 winbind: Starten von winbindd succeeded Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.515:0): avc: denied { create } for pid=3907 exe=/usr/sbin/winbindd name=messages.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.515:0): avc: denied { create } for pid=3907 exe=/usr/sbin/winbindd name=winbindd.log scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t tclass=file Mar 29 19:41:04 rhas4-1 last message repeated 3 times Version-Release number of selected component (if applicable): samba-3.0.10-1.4E How reproducible: Always Steps to Reproduce: 1.properly configure /etc/samba/smb.conf 2./etc/rc.d/init.d/winbind start 3.take a look at /var/log/messages 4. try to restart winbind Actual Results: winbind won´t start. Expected Results: it should start and be able to create it´s .log and .tdb files. Additional info: Workarounded it by disabling SELinux.