Bug 237762

Summary: AVC denial on "net groupmap add" command
Product: Fedora
Reporter: Markku Kolkka <markku.kolkka>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: low
Priority: medium
Version: 6
CC: shaikomer
Hardware: i386
OS: Linux
Fixed In Version: 2.4.6-72.fc6
Doc Type: Bug Fix
Last Closed: 2007-05-29 09:38:40 UTC

Description Markku Kolkka 2007-04-25 09:53:47 UTC
Description of problem:
Using the "net groupmap add" command to map a Linux group to a Windows group
results in error messages and AVC denial messages. However, the mapping appears
to be created correctly.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-57.fc6

How reproducible:
always

Steps to Reproduce:
1. groupadd testing
2. net groupmap add unixgroup=testing ntgroup='Test Group 1' type=domain
  
Actual results:
Error messages:
[2007/04/25 12:50:39, 0] passdb/pdb_tdb.c:tdbsam_open(818)
  tdbsam_open: Failed to open/create TDB passwd [/etc/samba/passdb.tdb]
[2007/04/25 12:50:39, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(1095)
  tdbsam_getsampwnam: failed to open /etc/samba/passdb.tdb!
AVC message:
avc: denied { write } for comm="net" dev=dm-0 egid=0 euid=0 exe="/usr/bin/net"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="passdb.tdb" pid=12388
scontext=user_u:system_r:samba_net_t:s0 sgid=0
subj=user_u:system_r:samba_net_t:s0 suid=0 tclass=file
tcontext=user_u:object_r:samba_etc_t:s0 tty=pts3 uid=0 

Expected results:
Success message:
Got RID 1031
Successfully added group Test Group 1 to the mapping db as a domain group

Additional info:

Comment 1 Markku Kolkka 2007-05-16 10:18:07 UTC
Same results with selinux-policy-2.4.6-69.fc6:
avc: denied { write } for comm="net" dev=dm-0 egid=0 euid=0 exe="/usr/bin/net" 
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="passdb.tdb" pid=32123 
scontext=user_u:system_r:samba_net_t:s0 sgid=0 
subj=user_u:system_r:samba_net_t:s0 suid=0 tclass=file 
tcontext=user_u:object_r:samba_etc_t:s0 tty=pts2 uid=0 

Comment 2 Daniel Walsh 2007-05-16 12:27:02 UTC
You can fix this with the following command.
chcon -t samba_secrets_t /etc/samba/passdb.tdb

I will fix the file context in selinux-policy-2.4.6-71
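
A small POSIX shell helper, added here and not part of the bug thread, that parses the AVC line from this report into its fields and tells whether the denial comes from the target file carrying a different type than the one the fix above assigns (samba_secrets_t). The sample line is the report's own AVC message joined onto one line; the expected type is taken from the comment above.

```shell
#!/bin/sh
# Constructed sample: the AVC line from this bug report, joined onto one line.
AVC='avc: denied { write } for comm="net" dev=dm-0 egid=0 euid=0 exe="/usr/bin/net" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="passdb.tdb" pid=12388 scontext=user_u:system_r:samba_net_t:s0 sgid=0 subj=user_u:system_r:samba_net_t:s0 suid=0 tclass=file tcontext=user_u:object_r:samba_etc_t:s0 tty=pts3 uid=0'

# avc_field LINE KEY: print the value of the first KEY=value token, quotes stripped.
avc_field() {
    for tok in $1; do
        case $tok in
            "$2"=*) printf '%s\n' "${tok#*=}" | tr -d '"'; return 0 ;;
        esac
    done
    return 1
}

# avc_perm LINE: print the denied permission found between the braces.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# ctx_type CONTEXT: print the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_ok LINE EXPECTED_TYPE: succeed when the target already carries
# EXPECTED_TYPE, i.e. the denial is a policy gap rather than a mislabeled file.
label_ok() {
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = "$2" ]
}

# summarize LINE: one-line summary of which domain was denied what on which object.
summarize() {
    printf '%s (%s) denied %s on %s "%s" labeled %s' \
        "$(avc_field "$1" comm)" "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

EXPECTED=samba_secrets_t   # type the fix in comment 2 assigns to passdb.tdb
if label_ok "$AVC" "$EXPECTED"; then
    echo "policy gap: $(summarize "$AVC")"
else
    echo "mislabeled file: $(summarize "$AVC"); expected $EXPECTED, relabel and re-test"
fi
```

For the report's line the script takes the second branch, which is what the chcon above corrects; the same parser works on any audit AVC line with key=value fields.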

Comment 3 shaikomer 2009-02-02 16:03:29 UTC
I am running Red Hat Enterprise Server 5.0 and I am trying to install WebSphere 6.1.
I got this error.
Could you please guide me to fix the problem?
Even when I ran the command set sebool -p allow_execmod=1 allow_execstack=1 allow_execmem=1
it didn't work. Any help will be appreciated.

repository/package.java.jre/java/jre/bin/libj9jit23.so which requires text relocation.

Detailed Description
The /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/java application attempted to load /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so to use relocation as a workaround, until the library is fixed. Please file a bug report against this package.

Allowing Access
If you trust /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so"
The following command will allow this access:
chcon -t textrel_shlib_t /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so

Additional Information
Source Context:  root:system_r:unconfined_t:SystemLow-SystemHigh
Target Context:  root:object_r:etc_runtime_t
Target Objects:  /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so [ file ]
Affected RPM Packages:
Policy RPM:  selinux-policy-2.4.6-30.el5
Selinux Enabled:  True
Policy Type:  targeted

Comment 4 Daniel Walsh 2009-02-02 16:41:10 UTC
First run

restorecon -R -v /web

You can turn off the execmod checking by executing

# setsebool -P allow_execmod 1


Or you could change all the so files under /web to be textrel_shlib_t

# semanage fcontext -t textrel_shlib_t '/web/JDK/jre.pak/.*so'
# restorecon -R -v /web

Comment 5 shaikomer 2009-02-02 18:24:04 UTC
My problem is solved and I am able to install the WebSphere server 6.1 on Red Hat Enterprise 5.0.

The first command worked for me; it's a great help and I appreciate it.
#restorecon -r -v /web
#setsebool -P allow_execmod 1
Once again, thanks for your help, Mr. dwalsh.