Bug 172685

Summary: Policy update breaks ntlm_auth
Product: Red Hat Enterprise Linux 4
Reporter: Phil Mayers <p.mayers>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4.0
CC: poelstra
Hardware: i386
OS: Linux
Fixed In Version: 4.4
Doc Type: Bug Fix
Last Closed: 2008-02-19 01:56:44 UTC

Description Phil Mayers 2005-11-08 12:27:36 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
The update to 2.110 targeted policy adds an application domain for "ntlm_auth", but fails to correctly permit access to /var/cache/samba, thus breaking usage of ntlm_auth.

audit(1131450469.728:0): avc:  denied  { search } for  pid=23359 comm=ntlm_auth name=samba dev=dm-0 ino=8553559 scontext=root:system_r:winbind_helper_t tcontext=system_u:object_r:samba_var_t tclass=dir

[root@radius1 policy]# find /var/cache/samba -inum 8553559
/var/cache/samba
[root@radius1 samba]# ll -Za
drwxr-xr-x  root     root     system_u:object_r:samba_var_t    .
drwxr-xr-x  root     root     system_u:object_r:var_t          ..
drwxr-x---  root     squid    system_u:object_r:winbind_var_run_t winbindd_privileged

...and the appropriate bits of the application policy:

application_domain(winbind_helper, `, nscd_client_domain')
role system_r types winbind_helper_t;
allow winbind_t devpts_t:dir { search };
ifdef(`targeted_policy', `
allow winbind_t { devtty_t devpts_t }:chr_file { read write };
')
allow winbind_t admin_tty_type:chr_file { read write };
read_locale(winbind_helper_t)
r_dir_file(winbind_helper_t, samba_etc_t)
r_dir_file(winbind_t, samba_etc_t)
allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
can_winbind(winbind_helper_t)
allow winbind_helper_t privfd:fd use;

Note the missing "r_dir_file(winbind_helper_t, samba_var_t)"

Filing as "security" because the effect is to disable SELinux or weaken the policy protection.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.110

How reproducible:
Always

Steps to Reproduce:
1. Configure and use ntlm_auth
2. Update to policy 2.110
3. Broken

Actual Results:  It broke

Expected Results:  It should have worked

Additional info:
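The denial and the policy excerpt above, worked through as an added example (not code from the bug report or from the policy package): a small Python checker that parses the AVC line, pulls out source type, target type, object class and denied permissions, and searches a policy text for an allow rule or r_dir_file() macro covering them, naming the rule to add when nothing does. It assumes the old policy's r_dir_perms expansion { read getattr lock search ioctl }; the embedded policy text is a constructed copy of the report's excerpt.

```python
import re

# Constructed copy of the AVC denial quoted in the bug report.
AVC_LINE = ('audit(1131450469.728:0): avc:  denied  { search } for  pid=23359 '
            'comm=ntlm_auth name=samba dev=dm-0 ino=8553559 '
            'scontext=root:system_r:winbind_helper_t '
            'tcontext=system_u:object_r:samba_var_t tclass=dir')

# Constructed copy of the relevant lines of the 2.110 policy excerpt
# (old m4-style policy), without the rule the report says is missing.
POLICY_BEFORE = """\
r_dir_file(winbind_helper_t, samba_etc_t)
r_dir_file(winbind_t, samba_etc_t)
allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
"""

# Assumed expansion of r_dir_perms in the policy of that era.
R_DIR_PERMS = {'read', 'getattr', 'lock', 'search', 'ioctl'}

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
                    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)')

def parse_avc(line):
    """Return (source type, target type, class, denied perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('s').split(':')[2]   # contexts are user:role:type[:mls]
    ttype = m.group('t').split(':')[2]
    return stype, ttype, m.group('c'), set(m.group('perms').split())

def granted_dir_perms(policy, stype, ttype):
    """Collect the dir permissions the policy text grants stype on ttype."""
    perms = set()
    if re.search(rf'r_dir_file\(\s*{stype}\s*,\s*{ttype}\s*\)', policy):
        perms |= R_DIR_PERMS
    # Explicit allow rules: either a { perm perm } set or a single perm/macro.
    for m in re.finditer(rf'allow\s+{stype}\s+{ttype}:dir\s+(\{{[^}}]*\}}|\S+);', policy):
        body = m.group(1).strip('{} ')
        perms |= R_DIR_PERMS if body == 'r_dir_perms' else set(body.split())
    return perms

def missing_rule(avc_line, policy):
    """Return the r_dir_file() line that would resolve the denial, or None."""
    parsed = parse_avc(avc_line)
    if parsed is None:
        return None
    stype, ttype, tclass, denied = parsed
    if tclass != 'dir' or denied <= granted_dir_perms(policy, stype, ttype):
        return None
    return f'r_dir_file({stype}, {ttype})'
```

Running missing_rule(AVC_LINE, POLICY_BEFORE) names exactly the rule the report points out as absent; once that line is appended to the policy text the checker reports nothing.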

Comment 1 Daniel Walsh 2005-11-08 15:05:38 UTC
Fixed in U3 Policy

Snapshot available in 

ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3

Comment 2 Phil Mayers 2005-11-15 10:45:57 UTC
Ok. Any chance of an errata before U3? Or can we be sure that this policy will
update cleanly on our RHEL4 systems and also be updated when U3 comes out? Or
should I just give up and turn SELinux off?

Also: ntlm_auth is unable to write to the console in this policy, so you can't
run it interactively for testing or get the help output.

Comment 3 Daniel Walsh 2005-11-15 13:53:33 UTC
Yes, decisions are being made on whether to errata this or not. This
policy will upgrade fine on RHEL4, since this policy or a newer version will
be the U3 policy.

Comment 5 Phil Mayers 2005-12-05 17:17:38 UTC
I have just tested this. selinux-policy-targeted 1.17.30 release 2.120 did NOT
appear to fix the problem. In fact, the labels on the files and the policy seem
identical.

Comment 7 Daniel Walsh 2006-02-22 16:10:39 UTC
Policy in 2.126 should fix this problem.  You might need to relabel the directories.

Comment 12 Ben Levenson 2008-02-19 01:56:44 UTC
A fix for this was released in selinux-policy-targeted-1.17.30-2.140.
If you are still experiencing problems related to this bug, please reopen.