Bug 552700

Summary: SELinux is preventing /usr/sbin/nmbd "open" access on /var/run/nmbd.pid.
Product: [Fedora] Fedora
Reporter: Slawomir Czarko <slawomir.czarko>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, mgrepl
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:778553586bc0c0f36ea95ead6eeed272b99a417f14b38d54a6b74e3f3154b1d8
Fixed In Version: 3.6.32-69.fc12
Doc Type: Bug Fix
Last Closed: 2010-01-19 19:41:29 UTC

Description Slawomir Czarko 2010-01-05 21:56:01 UTC
Summary:

SELinux is preventing /usr/sbin/nmbd "open" access on /var/run/nmbd.pid.

Detailed Description:

SELinux denied access requested by nmbd. It is not expected that this access is
required by nmbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:swat_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:nmbd_var_run_t:s0
Target Objects                /var/run/nmbd.pid [ file ]
Source                        swat
Source Path                   /usr/sbin/swat
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           samba-3.4.2-47.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-63.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.9-174.fc12.i686.PAE
                              #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 athlon
Alert Count                   2
First Seen                    Tue 05 Jan 2010 22:54:40 CET
Last Seen                     Tue 05 Jan 2010 22:54:40 CET
Local ID                      e94d57ea-8821-4c52-82ac-157d77795cc4
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1262728480.648:193298): avc:  denied  { open } for  pid=11533 comm="nmbd" name="nmbd.pid" dev=dm-19 ino=41091 scontext=system_u:system_r:swat_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nmbd_var_run_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1262728480.648:193298): arch=40000003 syscall=5 success=no exit=-13 a0=22e2188 a1=8800 a2=0 a3=22e2090 items=0 ppid=1 pid=11533 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nmbd" exe="/usr/sbin/nmbd" subj=system_u:system_r:swat_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-63.fc12,catchall,swat,swat_t,nmbd_var_run_t,file,open
audit2allow suggests:

#============= swat_t ==============
allow swat_t nmbd_var_run_t:file open;

Comment 1 Daniel Walsh 2010-01-05 22:03:27 UTC
Miroslav, 

This looks like swat needs to transition to nmbd

samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;

Probably needed for F11 and F12
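
An added example, not part of the original report or of the selinux-policy project: it parses the AVC and SYSCALL records from the description and flags the condition Comment 1 points at, the nmbd binary running in swat_t rather than in its own domain, in which case the audit2allow rule would widen swat_t instead of fixing the transition. The EXPECTED_DOMAIN map and the verdict names are assumptions made for illustration.

```python
import re

# Records from the report above; node= dropped and SYSCALL arguments trimmed.
AVC = ('type=AVC msg=audit(1262728480.648:193298): avc:  denied  { open } for  '
       'pid=11533 comm="nmbd" name="nmbd.pid" dev=dm-19 ino=41091 '
       'scontext=system_u:system_r:swat_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:nmbd_var_run_t:s0 tclass=file')
SYSCALL = ('type=SYSCALL msg=audit(1262728480.648:193298): arch=40000003 syscall=5 '
           'success=no exit=-13 ppid=1 pid=11533 comm="nmbd" exe="/usr/sbin/nmbd" '
           'subj=system_u:system_r:swat_t:s0-s0:c0.c1023 key=(null)')

# Assumption: hand-maintained map of daemon binary -> domain it should run in.
EXPECTED_DOMAIN = {"/usr/sbin/nmbd": "nmbd_t", "/usr/sbin/swat": "swat_t"}

def parse(record):
    """Split one audit record into key=value fields, event id and denied perms."""
    f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    f["event"] = re.search(r"audit\(([\d.]+:\d+)\)", record).group(1)
    perms = re.search(r"\{([^}]*)\}", record)
    f["perms"] = perms.group(1).split() if perms else []
    return f

def setype(context):
    """The type is the third field of user:role:type:level."""
    return context.split(":")[2]

def triage(avc_line, syscall_line):
    """Pair an AVC denial with its SYSCALL record and classify it."""
    avc, sc = parse(avc_line), parse(syscall_line)
    if avc["event"] != sc["event"]:
        raise ValueError("AVC and SYSCALL records belong to different events")
    domain, target = setype(avc["scontext"]), setype(avc["tcontext"])
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    expected = EXPECTED_DOMAIN.get(sc["exe"])
    if expected is None:
        verdict = "unknown-exe"
    elif expected != domain:
        # Binary runs under another program's domain: fix the transition,
        # do not widen the caller's domain with the audit2allow rule.
        verdict = "wrong-domain"
    else:
        verdict = "review-allow-rule"
    return {"exe": sc["exe"], "domain": domain, "expected": expected,
            "verdict": verdict,
            "audit2allow_rule": f"allow {domain} {target}:{avc['tclass']} {perm_str};"}

if __name__ == "__main__":
    print(triage(AVC, SYSCALL))
```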

Comment 2 Miroslav Grepl 2010-01-06 12:56:56 UTC
Fixed in 
selinux-policy-3.6.32-67.fc12.noarch 
selinux-policy 3.6.12-93.fc11.noarch

Comment 3 Fedora Update System 2010-01-12 23:27:40 UTC
selinux-policy-3.6.32-69.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0362

Comment 4 Fedora Update System 2010-01-19 19:40:31 UTC
selinux-policy-3.6.32-69.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.