Bug 233625

Summary: SELinux prevents winbindd to access NIS and stops.
Product: Red Hat Enterprise Linux 4
Component: selinux-policy-targeted
Version: 4.4
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Jose Plans <jplans>
Assignee: Daniel Walsh <dwalsh>
CC: jplans, samba-bugs-list
Fixed In Version: RHBA-2007-0741
Doc Type: Bug Fix
Last Closed: 2007-11-15 16:07:04 UTC
Attachments:
SELinux prevents to create folder /var/log/samba/cores/winbindd (scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t) (flags: none)

Description Jose Plans 2007-03-23 14:32:27 UTC
Description of problem:

Winbindd seems to be denied access to NIS by the SELinux policy in Enforcing mode.
The messages below were generated with the policy in Permissive mode.

winbind: winbindd startup succeeded
kernel: audit(1160051253.446:3251): avc:  denied  { search } for  pid=5641
comm="winbindd" name="yp" dev=dm-4 ino=540673 scontext=root:system_r:winbind_t
tcontext=system_u:object_r:var_yp_t tclass=dir
kernel: audit(1160051253.668:3252): avc:  denied  { read } for  pid=5641
comm="winbindd" name="linuxnis.2" dev=dm-4 ino=540679
scontext=root:system_r:winbind_t tcontext=user_u:object_r:var_yp_t tclass=file
kernel: audit(1160051253.895:3253): avc:  denied  { name_bind } for  pid=5641
comm="winbindd" src=729 scontext=root:system_r:winbind_t
tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
kernel: audit(1160051286.563:3254): avc:  denied  { unlink } for  pid=5641
comm="winbindd" name="pipe" dev=dm-4 ino=933912 scontext=root:system_r:winbind_t
tcontext=root:object_r:samba_log_t tclass=sock_file
kernel: audit(1160051286.793:3255): avc:  denied  { create } for  pid=5641
comm="winbindd" name="pipe" scontext=root:system_r:winbind_t
tcontext=root:object_r:samba_log_t tclass=sock_file

This happens when the customer has his nss configuration as follows:
/etc/nsswitch.conf

            service: files nis


Version-Release number of selected component (if applicable):
samba-3.0.10-1.4E.11
selinux-policy-targeted-1.17.30-2.140

How reproducible:
Starting Winbindd

Steps to Reproduce:
1. % service winbind start -or- % winbindd
  
Actual results:
SELinux prevents Winbindd from starting.

Expected results:
Winbindd starts on Enforcing policy.

Additional info:
We have suggested that the customer not use the SELinux policies for
smbd/nmbd/winbindd as a workaround.

Let me know if you need anything else.
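
Added example, not part of the original report and not Red Hat's tooling: a small parser that re-joins the wrapped AVC records quoted above and groups them by source type, target type and object class, printing them in the allow-rule notation audit2allow uses. The names parse_avc and summarize are hypothetical, and the output is a triage summary of what was denied, not the policy change shipped in the erratum.

```python
import re
from collections import defaultdict
# The five denials from the report above, wrapped as they were posted.
SAMPLE = """\
kernel: audit(1160051253.446:3251): avc:  denied  { search } for  pid=5641
comm="winbindd" name="yp" dev=dm-4 ino=540673 scontext=root:system_r:winbind_t
tcontext=system_u:object_r:var_yp_t tclass=dir
kernel: audit(1160051253.668:3252): avc:  denied  { read } for  pid=5641
comm="winbindd" name="linuxnis.2" dev=dm-4 ino=540679
scontext=root:system_r:winbind_t tcontext=user_u:object_r:var_yp_t tclass=file
kernel: audit(1160051253.895:3253): avc:  denied  { name_bind } for  pid=5641
comm="winbindd" src=729 scontext=root:system_r:winbind_t
tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
kernel: audit(1160051286.563:3254): avc:  denied  { unlink } for  pid=5641
comm="winbindd" name="pipe" dev=dm-4 ino=933912 scontext=root:system_r:winbind_t
tcontext=root:object_r:samba_log_t tclass=sock_file
kernel: audit(1160051286.793:3255): avc:  denied  { create } for  pid=5641
comm="winbindd" name="pipe" scontext=root:system_r:winbind_t
tcontext=root:object_r:samba_log_t tclass=sock_file
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per denial, re-joining records wrapped over several lines."""
    joined = []
    for line in text.splitlines():
        if "avc:" in line:
            joined.append(line.strip())        # start of a new record
        elif joined and line.strip():
            joined[-1] += " " + line.strip()   # continuation of the previous record
    records = []
    for m in filter(None, map(AVC_RE.search, joined)):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        records.append({**fields, "perms": m.group(1).split()})
    return records

def summarize(records):
    """Group denials by (source type, target type, class) in allow-rule notation."""
    grouped = defaultdict(set)
    for r in records:
        # The type is the third field of a context (user:role:type[:level]).
        stype, ttype = r["scontext"].split(":")[2], r["tcontext"].split(":")[2]
        grouped[(stype, ttype, r["tclass"])].update(r["perms"])
    rules = []
    for (s, t, c), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules
```

Calling summarize(parse_avc(SAMPLE)) returns four lines; the unlink and create denials on the samba_log_t socket file collapse into one.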

Comment 2 Daniel Walsh 2007-03-23 14:49:10 UTC
Please turn on the allow_ypbind boolean.

setsebool -P allow_ypbind=1

Does this get it to work?


Comment 3 Jose Plans 2007-03-23 14:54:39 UTC
Hi Dan,
  I believe we tried this already, let me come back to you with an answer.
  Setting NEEDINFO.
Jose

Comment 4 Jose Plans 2007-03-24 19:11:39 UTC
allow_ypbind was already enabled and it didn't make any difference.

Comment 5 RHEL Program Management 2007-05-09 05:22:06 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 6 Daniel Walsh 2007-07-03 15:09:35 UTC
Fixed in 1.17.30-2.146

Comment 9 Josef Kubin 2007-08-13 16:42:26 UTC
I can't reproduce it with noted steps.
selinux-policy-targeted-1.17.30-2.145.noarch

# /etc/init.d/auditd status
auditd (pid 23926) is running...

# getsebool -a | grep yp
allow_ypbind --> active
ypbind_disable_trans --> inactive

# grep 'files nis' /etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files nis dns
protocols:  files nis
services:   files nis
netgroup:   files nis
automount:  files nis

Is it necessary to configure things more?

Comment 10 Josef Kubin 2007-10-17 00:13:11 UTC
Created attachment 229341 [details]
SELinux prevents to create folder /var/log/samba/cores/winbindd (scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t)

It has been found in /var/log/audit/audit.log after start of winbindd.

Comment 11 Daniel Walsh 2007-10-17 00:37:54 UTC
Fixed in selinux-policy-targeted-1_17_30-2_149

Needs to be set as blocker so I can build

Comment 15 errata-xmlrpc 2007-11-15 16:07:04 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0741.html