Bug 187986

Summary: SELinux (FC5) prevents joining Active Directory (net ads join fails)
Product: Fedora
Reporter: Bernard Bou <bbou>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 5
CC: dwalsh
Target Milestone: ---
Target Release: ---
Hardware: i686
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-05 15:01:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Bernard Bou 2006-04-05 05:09:21 UTC
Description of problem:
Cannot join Active Directory under SELinux (FC5).
net ads join fails if the policy is enforced.

Version-Release number of selected component (if applicable):
Fedora Core 5, selinux-policy-targeted-2.2.25-3.fc5

How reproducible:
Always

Steps to Reproduce:
1. Configure Kerberos so that the host can interact with the Kerberos domain
2. Configure smb.conf
3. net ads join -U administrator%pass
  
Actual results:
The join fails with "ads_startup: Transport endpoint is not connected".
AVC reports name_connect to the LDAP port denied, and denies writing and locking of
gencache.tdb.

Expected results:
Successful join.


Additional info:
Logs report the following:
Apr  3 17:09:57 ebony kernel: audit(1144076997.956:357): avc:  denied  { write } for  pid=7046 comm="net" name="gencache.tdb" dev=hdb9 ino=1199978 scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:object_r:samba_var_t:s0 tclass=file
Apr  3 17:09:57 ebony kernel: audit(1144076997.956:358): avc:  denied  { lock } for  pid=7046 comm="net" name="gencache.tdb" dev=hdb9 ino=1199978 scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:object_r:samba_var_t:s0 tclass=file
Apr  3 17:09:58 ebony kernel: audit(1144076998.451:359): avc:  denied  { name_connect } for  pid=7117 comm="net" dest=389 scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

This makes sense, as 'net ads join' involves writing data to the cache and
an LDAP connection to the domain controller.

audit2allow yields:
allow samba_net_t ldap_port_t:tcp_socket name_connect;
allow samba_net_t samba_var_t:file { lock write };

If we compare (through apol) what has changed from policy.19 to policy.20, we
get the following, which shows that the required permissions have been removed:

policy.19 (FC4)
---------------
(133911) allow samba_net_t ldap_port_t : tcp_socket { send_msg recv_msg };
(133939) allow samba_net_t ldap_port_t : tcp_socket name_connect;

(133576) allow samba_net_t samba_var_t : dir { read getattr lock search ioctl };
(133681) allow samba_net_t samba_var_t : dir { read getattr lock search ioctl add_name remove_name write };
(133578) allow samba_net_t samba_var_t : file { read getattr lock ioctl };
(133683) allow samba_net_t samba_var_t : file { create ioctl read getattr lock write setattr append link unlink rename };
(133580) allow samba_net_t samba_var_t : lnk_file { getattr read };
(133685) allow samba_net_t samba_var_t : lnk_file { create read getattr setattr link unlink rename };

policy.20 (FC5)
---------------
allow samba_net_t ldap_port_t : tcp_socket { recv_msg send_msg };

allow samba_net_t samba_var_t : dir { ioctl read write getattr lock add_name remove_name search };
allow samba_net_t samba_var_t : file { read create getattr setattr unlink link rename };
allow samba_net_t samba_var_t : lnk_file { read create getattr setattr unlink link rename };
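
The analysis in this report has two mechanical parts: turning the AVC denials into the allow rules audit2allow prints, and checking those rules against what the installed policy already grants. The following script is an added example (not part of the bug report and not code from the selinux-policy project or from audit2allow) that does both over the three denial lines and the policy.20 rules quoted above; the sample log lines and rule strings are constructed from the text of this bug, the regexes and function names are my own, and the script stands in for a tiny subset of what audit2allow and apol do.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC denials quoted in this bug, each
# re-joined onto one line as the kernel emits them.
AVC_LINES = [
    'Apr  3 17:09:57 ebony kernel: audit(1144076997.956:357): avc:  denied  { write } '
    'for  pid=7046 comm="net" name="gencache.tdb" dev=hdb9 ino=1199978 '
    'scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:object_r:samba_var_t:s0 tclass=file',
    'Apr  3 17:09:57 ebony kernel: audit(1144076997.956:358): avc:  denied  { lock } '
    'for  pid=7046 comm="net" name="gencache.tdb" dev=hdb9 ino=1199978 '
    'scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:object_r:samba_var_t:s0 tclass=file',
    'Apr  3 17:09:58 ebony kernel: audit(1144076998.451:359): avc:  denied  { name_connect } '
    'for  pid=7117 comm="net" dest=389 '
    'scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket',
]

# Constructed sample policy: the policy.20 (FC5) rules listed in this bug.
POLICY_20 = [
    'allow samba_net_t ldap_port_t : tcp_socket { recv_msg send_msg };',
    'allow samba_net_t samba_var_t : dir { ioctl read write getattr lock add_name remove_name search };',
    'allow samba_net_t samba_var_t : file { read create getattr setattr unlink link rename };',
    'allow samba_net_t samba_var_t : lnk_file { read create getattr setattr unlink link rename };',
]

# One AVC record: the denied permission set, then source/target context and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# One allow rule: "allow src tgt : class perm;" or "allow src tgt : class { p1 p2 };"
RULE_RE = re.compile(
    r'allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+'
    r'(?:\{\s*(?P<set>[^}]*?)\s*\}|(?P<one>\S+?));'
)


def type_of(context):
    """Extract the type field from user:role:type[:mls] (the MLS range is ignored)."""
    return context.split(':')[2]


def parse_avc(line):
    """Return {'stype','ttype','tclass','perms'} for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'stype': type_of(m.group('scontext')),
        'ttype': type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'perms': set(m.group('perms').split()),
    }


def required_rules(lines):
    """Aggregate denials into permission sets keyed by (source type, target type, class)."""
    needed = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            needed[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return dict(needed)


def format_rule(key, perms):
    """Render a rule the way audit2allow prints it (permissions sorted)."""
    src, tgt, cls = key
    p = sorted(perms)
    body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
    return f'allow {src} {tgt}:{cls} {body};'


def parse_rules(rules):
    """Parse allow rules (apol/policy source style) into the same keyed permission sets."""
    granted = defaultdict(set)
    for r in rules:
        m = RULE_RE.match(r.strip())
        if not m:
            continue
        perms = m.group('set').split() if m.group('set') is not None else [m.group('one')]
        granted[(m.group('src'), m.group('tgt'), m.group('cls'))].update(perms)
    return dict(granted)


def missing_permissions(needed, granted):
    """Permissions the denials require that the policy does not already grant."""
    out = {}
    for key, perms in needed.items():
        gap = perms - granted.get(key, set())
        if gap:
            out[key] = gap
    return out


if __name__ == '__main__':
    needed = required_rules(AVC_LINES)
    print('audit2allow-style rules from the denials:')
    for key, perms in needed.items():
        print('  ' + format_rule(key, perms))
    print('still missing from policy.20:')
    for key, perms in missing_permissions(needed, parse_rules(POLICY_20)).items():
        print('  ' + format_rule(key, perms))
```

Run as-is it prints the two rules shown in the bug (file { lock write } and tcp_socket name_connect) and confirms that neither permission set is present in the policy.20 rules, which is exactly the gap the apol comparison identified. Feeding it the policy.19 rules instead would report nothing missing.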

Comment 1 Daniel Walsh 2006-04-14 13:30:44 UTC
Fixed in selinux-policy-2.2.32-1.FC5.

Comment 4 Daniel Walsh 2006-05-05 15:01:40 UTC
Closing as these have been marked as modified for a while. Feel free to reopen
if not fixed.