Bug 428009
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | tools don't work when selinux is enabled | | |
| Product: | [Fedora] Fedora EPEL | Reporter: | Gordon Messmer <gordon.messmer> |
| Component: | smbldap-tools | Assignee: | Paul Howarth <paul> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | el5 | CC: | dwalsh, mastahnke |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | ActualBug | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-08-27 13:28:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Gordon Messmer
2008-01-08 17:22:29 UTC
Wouldn't it be better just to get this added to selinux-policy? I'll add Dan Walsh as a Cc and see if he agrees.

Well not really, since these apps are going to communicate with LDAP to do the useradd, groupadd stuff. useradd_t/groupadd_t cannot talk to ldap. So this is better to stay in the smbd_t domain and connect to LDAP.

That doesn't address the problem that SELinux won't let smbd_t execute those scripts. Should I, then, replace all of the above contexts with samba_unconfined_script_exec_t?

```
semanage fcontext -a -t samba_unconfined_script_exec_t "/usr/sbin/smbldap.*"
```

Ok, then we need to allow samba to execute the scripts: corecmd_exec_bin(smbd_t)

When the boolean is set?

Current selinux-policy has corecmd_exec_bin(smbd_t). So what avc messages are you getting?

I get these:

```
type=AVC msg=audit(1200697365.287:115): avc: denied { execute } for pid=3658 comm="sh" name="smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1200697365.287:115): arch=c000003e syscall=59 success=no exit=-13 a0=4a1a2e0 a1=4a1a490 a2=4a1a310 a3=8 items=0 ppid=3657 pid=3658 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1200697365.287:116): avc: denied { getattr } for pid=3658 comm="sh" path="/usr/sbin/smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1200697365.287:116): arch=c000003e syscall=4 success=no exit=-13 a0=4a1a2e0 a1=7fff24690e30 a2=7fff24690e30 a3=8 items=0 ppid=3657 pid=3658 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1200697365.287:117): avc: denied { getattr } for pid=3658 comm="sh" path="/usr/sbin/smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1200697365.287:117): arch=c000003e syscall=4 success=no exit=-13 a0=4a1a2e0 a1=7fff24690d60 a2=7fff24690d60 a3=8 items=0 ppid=3657 pid=3658 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:smbd_t:s0 key=(null)
```

```
# getsebool -a | grep samba
samba_domain_controller --> on
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
# getenforce
Enforcing
```

sbin_t does not exist in Fedora 8. Fedora 8 would also show a samba_run_unconfined boolean in the getsebool output. Are you actually running RHEL5 or a clone thereof?

I am: CentOS 5. I thought I filed this against rhel5, and mentioned the platform in the description. I can only assume that I'm losing my mind, since I failed to do both. I'm terribly sorry for that.

Short term, this is going to need a local policy module to add corecmd_exec_bin(smbd_t) and maybe other things (you'll probably need to experiment a bit). Dan, is this sort of problem likely to be addressed in RHEL 5.2, or is the update policy for RHEL too conservative to allow that?

U2 policy is currently available on http://people.redhat.com/dwalsh/SELinux/RHEL5. Looks like it has corecmd_exec_bin(smbd_t).

Does the 5.2 or 5.3 policy fix your issues, Gordon?

Ping?

No response from reporter, assumed fixed.
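The thread's short-term fix is a local policy module that grants smbd_t the access the AVC records show it lacks (execute and getattr on files labelled sbin_t). The script below is an added example, not part of this bug report, of the smbldap-tools package, or of selinux-policy: it reads audit records like the ones quoted above, collapses them into one allow rule per (source domain, target type, class), and wraps them in a .te module of the kind checkmodule accepts. The sample records are copied from the report (the SYSCALL line is trimmed and is there to show it is skipped); the module name local_smbldap and the build commands, which the script only prints, are this example's own assumptions. On a host with the reference-policy headers, the thread's corecmd_exec_bin(smbd_t) interface call is the cleaner equivalent of the raw rule the script emits.

```shell
#!/bin/sh
# Added example (not from the bug report): derive a minimal local SELinux policy
# module from AVC denial records. Module name and build commands are assumptions.

# Constructed sample: two AVC records from the report (execute and getattr on
# /usr/sbin/smbldap-useradd) plus a trimmed SYSCALL record, which must be ignored
# because it carries no scontext/tcontext/tclass triple.
AVC_SAMPLE='type=AVC msg=audit(1200697365.287:115): avc: denied { execute } for pid=3658 comm="sh" name="smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1200697365.287:115): arch=c000003e syscall=59 success=no exit=-13 comm="sh" exe="/bin/bash" subj=user_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1200697365.287:116): avc: denied { getattr } for pid=3658 comm="sh" path="/usr/sbin/smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file'

# avc_rules: read audit records on stdin and print one
#   allow SRC TGT:CLASS { perms };
# line per (source domain, target type, class), permissions merged in order of
# first appearance, rules sorted so the output is stable across runs.
avc_rules() {
    grep 'avc: *denied' |
    sed -n 's/.*denied { \([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    awk '{ key = $1 " " $2 ":" $3
           for (i = 4; i <= NF; i++) if (!seen[key, $i]++) perms[key] = perms[key] " " $i }
         END { for (k in perms) print "allow " k " {" perms[k] " };" }' |
    sort
}

# avc_te: wrap the rules produced by avc_rules in a module named $1, declaring
# in the require block every type and every class/permission the rules use.
avc_te() {
    rules=$(avc_rules)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    # one "type X;" line per distinct source domain and target type
    printf '%s\n' "$rules" | awk '{ print $2; split($3, tc, ":"); print tc[1] }' | sort -u |
        sed 's/.*/    type &;/'
    # one "class C { perms };" line per class, permissions unioned across rules
    printf '%s\n' "$rules" |
        awk '{ split($3, tc, ":"); c = tc[2]
               for (i = 5; i < NF; i++) if (!s[c, $i]++) p[c] = p[c] " " $i }
             END { for (c in p) print "    class " c " {" p[c] " };" }'
    printf '}\n\n%s\n' "$rules"
}

# build_module: print the commands that compile and load module $1 on a
# RHEL 5 / CentOS 5 style toolchain. Printed rather than run so the script has no
# side effects; run them as root only after reviewing the generated .te file.
build_module() {
    printf 'checkmodule -M -m -o %s.mod %s.te\n' "$1" "$1"
    printf 'semodule_package -o %s.pp -m %s.mod\n' "$1" "$1"
    printf 'semodule -i %s.pp\n' "$1"
}

# Stand-alone run: show the module text (redirect to local_smbldap.te to save it)
# and the build steps.
printf '%s\n' "$AVC_SAMPLE" | avc_te local_smbldap
echo
build_module local_smbldap
```

Feeding the report's records through the script yields a single rule, `allow smbd_t sbin_t:file { execute getattr };`, which is exactly the access corecmd_exec_bin(smbd_t) would grant through the interface. The value of generating the rule from the records rather than typing it is the review step it forces: every allow line is traceable to a specific denial, and a rule that names an unexpected target type (the thread's own surprise was that sbin_t only exists on the RHEL 5 policy, not Fedora 8) stands out before it is loaded.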