Bug 457893
| Summary: | selinux prevents winbindd to write into /etc/samba/secrets.tdb | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Ales Zelinka <azelinka> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.7 | CC: | dwalsh |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-09-08 21:00:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Does # restorecon -R -v /etc/samba fix the problem (In reply to comment #1) > Does > # restorecon -R -v /etc/samba > > fix the problem Yes, it does. But is has to be run after the file is created by any of the samba utilities and before winbindd is started. Yes this problem is fixed in RHEL5 and all new Fedora updates, but right now we do not plan on fixing it in RHEL4. |
Description of problem: Selinux prevents winbind daemon from writing into /etc/samba/secrets.tdb if the file was not created by winbind itself. Winbind is only able to write into secrets.tdb if it is in samba_secrets_t selinux domain but it is usually created as samba_etc_t. Windind creates the file in the right domain (afaik thanks to this rule: type_transition winbind_t samba_etc_t : file samba_secrets_t;) Version-Release number of selected component (if applicable): selinux-policy-targeted-1.17.30-2.150.el4.noarch How reproducible: always Steps to Reproduce: 1.remove /etc/samba/secrets.tdb if it exists (it is not owned by any package, so it should not exist on a freshly installed system) 2. let the file be recreated by any application but winbindd: (smbpasswd -a username, pdbedit -L, service smb start, net [rpc|ads] join, ...) 3. try to start winbind service Actual results: "service winbind start" succeeds BUT: - winbind exits almost immediately with this in /var/log/samba/winbindd.log: [2008/08/05 10:59:12, 0] passdb/secrets.c:secrets_init(67) Failed to open /etc/samba/secrets.tdb [2008/08/05 10:59:12, 0] nsswitch/winbindd.c:main(1010) Could not initialize domain trust account secrets. Giving up - audit.log: type=AVC msg=audit(1217948520.970:287): avc: denied { write } for pid=593 comm="winbindd" name="secrets.tdb" dev=dm-0 ino=99170 scontext=root:system_r:winbind_t tcontext=root:object_r:samba_etc_t tclass=file type=SYSCALL msg=audit(1217948520.970:287): arch=40000003 syscall=5 success=no exit=-13 a0=bfe9e720 a1=8042 a2=180 a3=8042 items=1 pid=593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="winbindd" exe="/usr/sbin/winbindd" type=CWD msg=audit(1217948520.970:287): cwd="/" type=PATH msg=audit(1217948520.970:287): name="/etc/samba/secrets.tdb" flags=310 inode=1083053 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 Expected results: winbind is able to write to /etc/samba/secrets.tdb without the need for workaround/manual checking/changing the selinux domain of secrets.tdb. Additional info: workaround - one of: - let winbind create the file - restorecon -R -v /etc/samba/secrets.tdb