Bug 164252

| Field | Value |
|---|---|
| Summary | SElinux targeted policy disallows execution of net command from samba-common |
| Product | [Fedora] Fedora |
| Component | selinux-policy-targeted |
| Version | 4 |
| Reporter | Tomasz Ostrowski <tometzky+redhat> |
| Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Hardware | All |
| OS | Linux |
| Fixed In Version | 1.25.3-9 |
| Doc Type | Bug Fix |
| Last Closed | 2005-08-19 07:49:32 UTC |

Description
Tomasz Ostrowski
2005-07-26 10:29:07 UTC
Created attachment 117184
audit.log messages when issuing "net" command as root and as normal user

Sorry for the missing avc messages comment - I missed the audit.log change in
the release notes.
These are the messages added to audit.log when issuing the "net" command as root and as
a normal user. Strangely, audit2allow and audit2why do not produce any output on
this.

This looks like you have a policy mismatch. Do you have selinux-policy-targeted-sources installed? If yes, please execute

    make -C /etc/selinux/targeted/src/policy reload

and see if the problem goes away.

Dan

Created attachment 117191
Output of "make -C /etc/selinux/targeted/src/policy reload"

I do have selinux-policy-targeted-sources installed but "make -C /etc/selinux/targeted/src/policy reload" did not help. I've tried to reinstall selinux-policy-targeted-sources with "rpm -Uvh --force" - no luck. I've rebooted - no luck.

I have two lines added to /etc/selinux/targeted/src/policy/domains/misc/local.te:

    allow smbd_t smbd_port_t:tcp_socket name_connect;
    allow smbd_t tmp_t:file { read getattr lock unlink };

The first is a workaround for bug #164254; the other is for allowing samba to read /tmp (it can write but it cannot read - strange - I think I'll report another bug...).

Everything else is unchanged:

    #rpm -V selinux-policy-targeted selinux-policy-targeted-sources
    .......T.   /etc/selinux/targeted/contexts/customizable_types
    ..5....T. c /etc/selinux/targeted/contexts/files/file_contexts
    S.5....T. c /etc/selinux/targeted/contexts/files/file_contexts.homedirs
    .......T. c /etc/selinux/targeted/contexts/files/homedir_template
    .......T.   /etc/selinux/targeted/contexts/port_types
    S.5....T.   /etc/selinux/targeted/policy/policy.19
    .......T. c /etc/selinux/targeted/users/system.users
    S.5....T. c /etc/selinux/targeted/src/policy/domains/misc/local.te
    .......T. c /etc/selinux/targeted/src/policy/file_contexts/homedir_template
    ..?...... c /etc/selinux/targeted/src/policy/file_contexts/program/groupadd.fc

I do have home directories in /var/home instead of /var though. They do have correct contexts.

These are files in /etc/selinux that are not owned by selinux-policy packages:

    #find /etc/selinux -type f | xargs rpm -qf | egrep -v '^selinux-policy-targeted(-sources)?-1\.25\.2-4$'
    file /etc/selinux/targeted/src/policy/tmp/program_used_flags.te is not owned by any package
    file /etc/selinux/targeted/src/policy/tmp/load is not owned by any package

I'm attaching the output of "make -C /etc/selinux/targeted/src/policy reload" after "make -C /etc/selinux/targeted/src/policy clean".

So after doing this the net command still blows up with that error?

Dan

Yes. Only timestamps, "a0", "a1", "a2" and "pid" change.

Fixed in selinux-policy-targeted-1.25.3-9
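
An added example, not part of the original bug report or of any project's code: a small Python parser for the "rpm -V" flag strings quoted in this thread, separating files whose content digest differs from the package database from files where only the mtime changed. The sample lines are copied from the thread's output; the function names are hypothetical, and position 9 of the flag string is ignored because its meaning depends on the rpm version.

```python
import re

# Positions 1-8 of an rpm -V flag string. Position 9 varies by rpm version
# (capabilities, "P", in current rpm), so it is deliberately not decoded.
TESTS = ["size", "mode", "digest", "device", "link", "user", "group", "mtime"]

# flag string, optional one-letter file marker (c = config file), absolute path
LINE = re.compile(
    r"^(?P<flags>[.?A-Za-z0-9]{8,9})\s+(?:(?P<kind>[a-z])\s+)?(?P<path>/.*)$")

# Lines copied from the rpm -V output quoted in this thread.
SAMPLE = """\
.......T.   /etc/selinux/targeted/contexts/customizable_types
..5....T. c /etc/selinux/targeted/contexts/files/file_contexts
S.5....T.   /etc/selinux/targeted/policy/policy.19
S.5....T. c /etc/selinux/targeted/src/policy/domains/misc/local.te
..?...... c /etc/selinux/targeted/src/policy/file_contexts/program/groupadd.fc
"""

def parse_rpm_verify(text):
    """Return one record per verified file; 'missing ...' and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        flags = m.group("flags")
        records.append({
            "path": m.group("path"),
            "config": m.group("kind") == "c",
            # "." = test passed, "?" = test could not be run, anything else = differs
            "failed": [n for n, f in zip(TESTS, flags) if f not in ".?"],
            "unchecked": [n for n, f in zip(TESTS, flags) if f == "?"],
        })
    return records

def content_changed(records, include_config=False):
    """Paths whose digest no longer matches the package database."""
    return [r["path"] for r in records
            if "digest" in r["failed"] and (include_config or not r["config"])]

if __name__ == "__main__":
    for r in parse_rpm_verify(SAMPLE):
        print(r["path"], "failed:", r["failed"], "unchecked:", r["unchecked"])
    print("changed non-config files:", content_changed(parse_rpm_verify(SAMPLE)))
```

On the sample, the only non-config file with a digest mismatch is the compiled policy.19; the "?" on groupadd.fc means the digest test could not be run, not that the file differs.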