Bug 229466
Summary: SELinux prevents automatic addition of machine accounts in a Samba PDC

| Field | Value |
|---|---|
| Product | Fedora |
| Component | selinux-policy-targeted |
| Version | 6 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | medium |
| Reporter | Markku Kolkka <markku.kolkka> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Ben Levenson <benl> |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | 2.4.6-69 |
| Doc Type | Bug Fix |
| Bug Blocks | 235360 |
| Last Closed | 2007-05-29 10:04:55 UTC |
Description
Markku Kolkka
2007-02-21 12:04:37 UTC
Please grab the avc messages from /var/log/audit/audit.log or /var/log/messages.

The message while in enforcing mode:

avc: denied { search } for comm="smbd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="bin" pid=2748 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0

In permissive mode:

avc: denied { lock } for comm="adduser" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=".pwd.lock" path="/etc/.pwd.lock" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:shadow_t:s0 tty=(none) uid=0
avc: denied { write } for comm="adduser" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=5 fsgid=0 fsuid=0 gid=0 items=0 name="passwd.2926" path="/etc/passwd.2926" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0
avc: denied { read } for comm="adduser" dev=dm-2 egid=0 euid=0 exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="useradd" path="/usr/sbin/useradd" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:useradd_exec_t:s0 tty=(none) uid=0
avc: denied { create } for comm="adduser" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=6 fsgid=0 fsuid=0 gid=0 items=0 name="passwd.2926" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0
avc: denied { read, write } for comm="adduser" dev=dm-3 egid=0 euid=0 exe="/usr/sbin/useradd" exit=10 fsgid=0 fsuid=0 gid=0 items=0 name="faillog" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:faillog_t:s0 tty=(none) uid=0
avc: denied { read, write } for comm="adduser" dev=dm-3 egid=0 euid=0 exe="/usr/sbin/useradd" exit=10 fsgid=0 fsuid=0 gid=0 items=0 name="lastlog" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:lastlog_t:s0 tty=(none) uid=0
avc: denied { unlink } for comm="adduser" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="passwd" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0
avc: denied { setattr } for comm="adduser" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="passwd-" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0
avc: denied { create } for comm="adduser" egid=0 euid=0 exe="/usr/sbin/useradd" exit=6 fsgid=0 fsuid=0 gid=0 items=0 name="passwd+" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0
avc: denied { setattr } for comm="adduser" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="passwd+" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0

Created attachment 148597 [details]
Try this policy package.

Save this attachment to a directory by itself and name it mysamba.te.
Install selinux-policy-devel:

# yum -y install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mysamba.pp

Now try samba in enforcing mode and see if it works. I will update fc6 with this policy if it does.

After installing the above policy package joining the domain works, but with a SELinux message: SELinux is preventing /usr/sbin/useradd (useradd_t) "append" to /var/log/samba/smbd.log (samba_log_t).

avc: denied { append } for comm="adduser" dev=dm-3 egid=0 euid=0 exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="smbd.log" path="/var/log/samba/smbd.log" pid=2588 scontext=system_u:system_r:useradd_t:s0 sgid=0 subj=system_u:system_r:useradd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:samba_log_t:s0 tty=(none) uid=0

Fixed in selinux-policy-2.4.6-46

I can't test joining machines at the moment, but selinux-policy-2.4.6-46 breaks user management with User Manager for Domains. Adding or deleting users causes SELinux denials, and probably the same would happen with machine accounts.

avc: denied { search } for comm="smbd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="bin" pid=3068 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0

Fixed in selinux-policy-2.4.6-48

With selinux-policy-targeted-2.4.6-49.fc6 User Manager for Domains remains broken, but the error has changed. Trying to add a new user gives:

avc: denied { read } for comm="smbd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="sh" pid=3059 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=lnk_file tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0

Fixed in selinux-policy-2.4.6-52

I tested again joining machines to the domain with selinux-policy-targeted-2.4.6-54.fc6 and it still doesn't work. The denial messages keep changing with each version but the final result remains the same. This time the message is:

avc: denied { read } for comm="sh" dev=dm-2 egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="adduser" pid=2710 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=lnk_file tcontext=system_u:object_r:sbin_t:s0 tty=(none) uid=0

If you add this allow rule using

grep smbd_t /var/log/audit/audit.log | audit2allow -M mysamba
semodule -i mysamba.pp

Does it work? If not, try setenforce 0 and gather all the AVC messages. We have tested this on FC7/Rawhide and it is working now. I will add a rule to allow this in the next build, but I want to fix this.

> grep smbd_t /var/log/audit/audit.log | audit2allow -M mysamba
> semodule -i mysamba.pp

Yes, this worked.

Fixed in selinux-policy-2.4.6-69
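An added example, not part of this bug or of the Fedora policy sources: a small Python parser that groups AVC denials like the ones quoted in this thread into the (source type, target type, class) -> permissions tuples an audit2allow-style rule would grant, so a blanket allow module can be reviewed before it is loaded. The sample lines are trimmed copies of denials from the thread, and the list of sensitive target types is an assumption made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copies of denials quoted in this bug; fields the
# parser does not use are omitted. The last line is from the later useradd_t denial.
AVC_SAMPLE = """\
avc: denied { search } for comm="smbd" name="bin" scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:bin_t:s0
avc: denied { lock } for comm="adduser" path="/etc/.pwd.lock" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:shadow_t:s0
avc: denied { write } for comm="adduser" path="/etc/passwd.2926" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:etc_t:s0
avc: denied { create } for comm="adduser" name="passwd.2926" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:etc_t:s0
avc: denied { read, write } for comm="adduser" name="faillog" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:faillog_t:s0
avc: denied { append } for comm="adduser" path="/var/log/samba/smbd.log" scontext=system_u:system_r:useradd_t:s0 tclass=file tcontext=system_u:object_r:samba_log_t:s0
"""

# Permission set, then (in the order audit.log prints them) scontext, tclass, tcontext.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<src>\S+)"
                    r".*?tclass=(?P<cls>\S+).*?tcontext=(?P<tgt>\S+)")

def parse_avc(text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (or a truncated one)
        # A context is user:role:type:level; the policy rule needs only the type.
        key = (m["src"].split(":")[2], m["tgt"].split(":")[2], m["cls"])
        rules[key] |= {p for p in re.split(r"[,\s]+", m["perms"]) if p}
    return dict(rules)

def to_allow_rules(rules):
    """Render grouped denials as TE allow statements, the way audit2allow would."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]

# Assumption for illustration: target types that a network-facing domain should not
# be granted permission to alter or lock without review of the generated rule.
SENSITIVE = {"shadow_t", "etc_t"}
WRITE_LIKE = {"write", "create", "unlink", "setattr", "append", "lock"}

def risky_rules(rules):
    """Keys whose allow rule would let the source domain modify a sensitive type."""
    return [key for key, perms in sorted(rules.items())
            if key[1] in SENSITIVE and perms & WRITE_LIKE]
```

Run over the sample, risky_rules() flags the smbd_t -> etc_t and smbd_t -> shadow_t entries, which is why the denials with useradd still running in smbd_t are the ones to look at; the later denial in the thread shows useradd running in its own useradd_t domain.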