Bug 452082

Summary: winbindd is denied write access to secrets.tdb
Product: Red Hat Enterprise Linux 4
Component: selinux-policy-targeted
Version: 4.6
Hardware: All
OS: Linux
Status: CLOSED CANTFIX
Severity: low
Priority: low
Target Milestone: rc
Reporter: Petr Šplíchal <psplicha>
Assignee: Daniel Walsh <dwalsh>
CC: dwalsh, ohudlick
Doc Type: Bug Fix
Last Closed: 2008-06-23 10:38:51 UTC

Description Petr Šplíchal 2008-06-19 08:30:48 UTC
After joining a domain (net rpc join) winbind is unable to start because it is
denied access to /etc/samba/secrets.tdb.

Tested with:
selinux-policy-targeted-1.17.30-2.149.noarch
samba-3.0.28-0.el4.5.s390

Related RHTS Job:
http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=24007

/var/log/samba/winbindd.log:
[2008/06/19 04:15:31, 0] passdb/secrets.c:secrets_init(67)
  Failed to open /etc/samba/secrets.tdb
[2008/06/19 04:15:31, 0] nsswitch/winbindd.c:main(1010)
  Could not initialize domain trust account secrets. Giving up

/var/log/audit/audit.log:
type=AVC msg=audit(1213863331.771:20): avc:  denied  { write } for  pid=29943
comm="winbindd" name="secrets.tdb" dev=dm-0 ino=1590762
scontext=root:system_r:winbind_t tcontext=root:object_r:samba_etc_t tclass=file

type=SYSCALL msg=audit(1213863331.771:20): arch=80000016 syscall=5 success=no
exit=-13 a0=7fffef08 a1=8042 a2=180 a3=f7ddedb2 items=1 pid=29943
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="winbindd" exe="/usr/sbin/winbindd"

type=CWD msg=audit(1213863331.771:20):  cwd="/"

type=PATH msg=audit(1213863331.771:20): name="/etc/samba/secrets.tdb" flags=310
 inode=1590760 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00

Comment 1 Daniel Walsh 2008-06-22 11:57:23 UTC
If you run restorecon /etc/samba/*, does it fix the problem?

Comment 2 Petr Šplíchal 2008-06-23 10:12:37 UTC
Yes, using restorecon helped.

Comment 3 Daniel Walsh 2008-06-23 10:38:51 UTC
Not sure how this got mislabeled. You can try to use restorecond if you would
like to watch this file and maintain its label.