Bug 662677

Summary: programs resolving a NetBIOS name can't access /var/cache/samba/unexpected.tdb
Product: Red Hat Enterprise Linux 5
Component: selinux-policy-targeted
Version: 5.6
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Target Milestone: rc
Reporter: Ales Zelinka <azelinka>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, mmalik
Fixed In Version: selinux-policy-2.4.6-301.el5
Doc Type: Bug Fix
Last Closed: 2011-07-21 09:21:26 UTC
Bug Blocks: 640580

Description Ales Zelinka 2010-12-13 15:35:02 UTC
Description of problem: When Samba's WINS server is integrated into NSS, programs resolving a NetBIOS name try to access /var/cache/samba/unexpected.tdb and SELinux denies it:

time->Sun Dec 12 20:16:16 2010
type=SYSCALL msg=audit(1292202976.590:472): arch=80000016 syscall=5 success=no exit=-13 a0=200002fe6d0 a1=0 a2=0 a3=2aaaab279b0 items=0 ppid=2585 pid=3014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1292202976.590:472): avc:  denied  { read } for  pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
----
time->Sun Dec 12 20:16:16 2010
type=SYSCALL msg=audit(1292202976.680:473): arch=80000016 syscall=5 success=no exit=-13 a0=200002fe6d0 a1=0 a2=0 a3=2aaaab28e10 items=0 ppid=2585 pid=3014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1292202976.680:473): avc:  denied  { read } for  pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
----
time->Sun Dec 12 20:16:16 2010
type=SYSCALL msg=audit(1292202976.770:474): arch=80000016 syscall=5 success=no exit=-13 a0=200002fe6d0 a1=0 a2=0 a3=2aaaab28e10 items=0 ppid=2585 pid=3014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1292202976.770:474): avc:  denied  { read } for  pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
Fail: AVC messages found.


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-299.el5

How reproducible:
always

Steps to Reproduce:
1. setup & start wins server
2. integrate wins server to NSS via nsswitch.conf
3. ping NetBIOS name
  
Actual results:
AVC (the name resolution succeeds)

Expected results:
no AVC
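
As an added example (not part of the original report and not Red Hat's tooling), the Python below parses AVC records like the ones quoted in the description, collapses repeated denials, and renders each distinct one as the type-enforcement rule that would cover it, which is the same reduction audit2allow performs. The function names and the sample log are constructed for illustration; the last sample line is deliberately malformed.

```python
import re
from collections import defaultdict

# Constructed sample: records shaped like those in the report (SYSCALL record
# shortened; the final AVC line is deliberately truncated/malformed).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1292202976.590:472): arch=80000016 syscall=5 success=no exit=-13 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1292202976.590:472): avc:  denied  { read } for  pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1292202976.680:473): avc:  denied  { read } for  pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1292202976.770:474): avc:  denied  { read } for  pid=3014 comm="ping" scontext=truncated
'''
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return ((source_type, target_type, class), perms), or None if unusable."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL and other record types carry no "avc: denied"
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:level]; policy rules are written on types.
        key = (fields["scontext"].split(":")[2],
               fields["tcontext"].split(":")[2], fields["tclass"])
    except (KeyError, IndexError):
        return None  # truncated record: missing field or short context
    return key, m.group(1).split()

def summarize(log_text):
    """Group denials by key, merging permissions and counting occurrences."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        groups[rec[0]]["perms"].update(rec[1])
        groups[rec[0]]["count"] += 1
    return dict(groups)

def allow_rules(groups):
    """Render each group as the allow rule that would permit it."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE_LOG))))
```

The rendered rule is a triage aid for seeing which domain, type and permission are involved; whether to grant it, and through which policy interface, remains a policy decision.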

Comment 1 Daniel Walsh 2010-12-13 15:44:44 UTC
RHEL6 has


	optional_policy(`
		samba_stream_connect_winbind($1)
		samba_read_var_files($1)
		samba_dontaudit_write_var_files($1)
	')

In auth_use_nsswitch

Comment 2 RHEL Program Management 2011-01-11 20:23:51 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 3 RHEL Program Management 2011-01-12 15:09:09 UTC
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.

Comment 5 Miroslav Grepl 2011-03-01 17:12:10 UTC
Fixed in selinux-policy-2.4.6-301.el5

Comment 8 errata-xmlrpc 2011-07-21 09:21:26 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
