Bug 428009

Summary: tools don't work when selinux is enabled
Product: [Fedora] Fedora EPEL
Reporter: Gordon Messmer <gordon.messmer>
Component: smbldap-tools
Assignee: Paul Howarth <paul>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: el5
CC: dwalsh, mastahnke
Keywords: Reopened
Hardware: All
OS: Linux
Whiteboard: ActualBug
Doc Type: Bug Fix
Last Closed: 2009-08-27 13:28:48 UTC

Description Gordon Messmer 2008-01-08 17:22:29 UTC
Description of problem:
When SELinux is enforcing, the smb server is restricted in what programs it can
execute, controlled by the samba_domain_controller boolean.  If that boolean is
on, then smbd can execute binaries with the context groupadd_exec_t,
useradd_exec_t, and passwd_exec_t.

It would help if the smbldap-tools package came with a policy file that set its
script contexts:
/etc/selinux/targeted/contexts/files/smbldap-tools:
/usr/sbin/smbldap-group.*    system_u:object_r:groupadd_exec_t:s0
/usr/sbin/smbldap-user.*    system_u:object_r:useradd_exec_t:s0
/usr/sbin/smbldap-passwd    system_u:object_r:passwd_exec_t:s0

Version-Release number of selected component (if applicable):
0.9.4-1

Comment 1 Paul Howarth 2008-01-08 17:42:58 UTC
Wouldn't it be better just to get this added to selinux-policy?

I'll add Dan Walsh as a Cc and see if he agrees.

Comment 2 Daniel Walsh 2008-01-08 18:26:13 UTC
Well, not really, since these apps are going to communicate with LDAP to do the
useradd, groupadd stuff.

useradd_t/groupadd_t can not talk to ldap.

So this is better to stay in the smbd_t domain and connect to LDAP.



Comment 3 Gordon Messmer 2008-01-08 19:13:09 UTC
That doesn't address the problem that SELinux won't let smbd_t execute those
scripts.

Should I, then, replace all of the above contexts with
samba_unconfined_script_exec_t?

semanage fcontext -a -t samba_unconfined_script_exec_t "/usr/sbin/smbldap.*"


Comment 4 Daniel Walsh 2008-01-08 19:27:24 UTC
Ok then we need to allow samba to execute the scripts

corecmd_exec_bin(smbd_t)

When the boolean is set?

Comment 5 Daniel Walsh 2008-01-08 19:29:16 UTC
Current selinux-policy has corecmd_exec_bin(smbd_t)


So what avc messages are you getting?

Comment 6 Gordon Messmer 2008-01-18 23:16:29 UTC
I get these:

type=AVC msg=audit(1200697365.287:115): avc:  denied  { execute } for  pid=3658 comm="sh" name="smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1200697365.287:115): arch=c000003e syscall=59 success=no exit=-13 a0=4a1a2e0 a1=4a1a490 a2=4a1a310 a3=8 items=0 ppid=3657 pid=3658 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1200697365.287:116): avc:  denied  { getattr } for  pid=3658 comm="sh" path="/usr/sbin/smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1200697365.287:116): arch=c000003e syscall=4 success=no exit=-13 a0=4a1a2e0 a1=7fff24690e30 a2=7fff24690e30 a3=8 items=0 ppid=3657 pid=3658 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1200697365.287:117): avc:  denied  { getattr } for  pid=3658 comm="sh" path="/usr/sbin/smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1200697365.287:117): arch=c000003e syscall=4 success=no exit=-13 a0=4a1a2e0 a1=7fff24690d60 a2=7fff24690d60 a3=8 items=0 ppid=3657 pid=3658 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:smbd_t:s0 key=(null)

# getsebool -a | grep samba
samba_domain_controller --> on
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
# getenforce 
Enforcing


Comment 7 Daniel Walsh 2008-01-21 20:01:30 UTC
sbin_t does not exist in Fedora 8.

Comment 8 Paul Howarth 2008-01-30 13:06:37 UTC
Fedora 8 would also show a samba_run_unconfined boolean in the getsebool output.

Are you actually running RHEL5 or a clone thereof?


Comment 9 Gordon Messmer 2008-02-05 02:34:31 UTC
I am: CentOS 5.

I thought I filed this against rhel5, and mentioned the platform in the
description.  I can only assume that I'm losing my mind, since I failed to do
both.  I'm terribly sorry for that.

Comment 10 Paul Howarth 2008-02-06 15:17:13 UTC
Short term, this is going to need a local policy module to add

corecmd_exec_bin(smbd_t)

and maybe other things (you'll probably need to experiment a bit).

Dan, is this sort of problem likely to be addressed in RHEL 5.2 or is the update
policy for RHEL too conservative to allow that?
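
The following is an added example, not code from the smbldap-tools project or from the selinux-policy package, that ties comment 6 and comment 10 together: it parses the AVC denials pasted in comment 6, states in plain words which domain was denied which permission on which label (confirming that the scripts carry sbin_t, so smbd_t cannot execute them), and renders the raw allow rules a short-term local policy module would need, in the same shape audit2allow emits. The sample audit text is constructed from the comment-6 records with their wrapped lines rejoined; the module name smbldap_local is an assumption.

```python
"""Triage SELinux AVC denials and render a minimal local policy module.

Added example for this bug report; not code from smbldap-tools or
selinux-policy.  SAMPLE_AUDIT is constructed from the comment-6 records
(wrapped lines rejoined); the module name smbldap_local is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample input: the three denials and one SYSCALL record from comment 6.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1200697365.287:115): avc:  denied  { execute } for  pid=3658 comm="sh" name="smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1200697365.287:115): arch=c000003e syscall=59 success=no exit=-13 a0=4a1a2e0 a1=4a1a490 a2=4a1a310 a3=8 items=0 ppid=3657 pid=3658 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1200697365.287:116): avc:  denied  { getattr } for  pid=3658 comm="sh" path="/usr/sbin/smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1200697365.287:117): avc:  denied  { getattr } for  pid=3658 comm="sh" path="/usr/sbin/smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
"""

# One AVC record: verdict, permission set, source/target context and object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
# The object is reported as name= (just the basename) or path= (full path).
OBJECT_RE = re.compile(r'(?:path|name)="([^"]+)"')


def parse_avc(text):
    """Return one dict per AVC record; SYSCALL and other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        # A context is user:role:type:level; the type is what policy rules name.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        obj = OBJECT_RE.search(line)
        rec["object"] = obj.group(1) if obj else None
        records.append(rec)
    return records


def explain(records):
    """Human-readable summary of each denial, for triage."""
    return [
        f"{r['stype']} was denied {' '.join(r['perms'])} on {r['tclass']} "
        f"{r['object']} labelled {r['ttype']}"
        for r in records
        if r["verdict"] == "denied"
    ]


def summarize_rules(records):
    """Collapse denials into (source type, target type, class) -> sorted permissions."""
    rules = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            rules[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return {key: sorted(perms) for key, perms in rules.items()}


def render_te_module(rules, name="smbldap_local", version="1.0"):
    """Render a .te module with raw allow rules, in the form audit2allow produces."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(class_perms.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(perms)} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for line in explain(recs):
        print(line)
    print(render_te_module(summarize_rules(recs)))
```

On the comment-6 input this yields a single rule, `allow smbd_t sbin_t:file { execute getattr };`, which is the narrowest grant that clears those denials; the rendered .te builds with `checkmodule -M -m -o smbldap_local.mod smbldap_local.te`, `semodule_package -o smbldap_local.pp -m smbldap_local.mod` and `semodule -i smbldap_local.pp`. Because the rule names sbin_t directly, it only loads on a policy where that type exists (comment 7 notes Fedora 8 has none); the interface form `corecmd_exec_bin(smbd_t)` inside a `policy_module()` is the portable equivalent and, per comment 11, is what the RHEL 5 U2 policy carries.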

Comment 11 Daniel Walsh 2008-02-06 20:36:27 UTC
U2 policy is currently available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5

Looks like it has corecmd_exec_bin(smbd_t)

Comment 12 Paul Howarth 2009-03-19 16:16:44 UTC
Does the 5.2 or 5.3 policy fix your issues, Gordon?

Comment 13 Paul Howarth 2009-04-23 14:46:37 UTC
Ping?

Comment 14 Paul Howarth 2009-08-27 13:28:48 UTC
No response from reporter, assumed fixed.