Bug 667622

Summary: selinux doesn't allow samba utmp = yes
Product: Red Hat Enterprise Linux 6
Reporter: Phil Anderson <pza>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: low
Version: 6.0
CC: dwalsh, gdeschner, mgrepl, mmalik, prc
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-69.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 667692
Environment:
Last Closed: 2011-05-19 11:57:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 667692

Description Phil Anderson 2011-01-06 09:30:37 UTC
Description of problem:
When utmp = yes is set in smb.conf, samba records sessions in utmp/wtmp.  This isn't allowed by the selinux policy.  

I believe this can be fixed by:
allow smbd_t wtmp_t:file write;


audit2allow suggests setting samba_export_all_rw, but that gives far more access than is necessary:
type=AVC msg=audit(1294294535.698:39523): avc:  denied  { write } for  pid=20019 comm="smbd" name="wtmp" dev=dm-2 ino=524299 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
	Was caused by:
	The boolean samba_export_all_rw was set incorrectly. 
	Description:
	Allow samba to share any file/directory read/write.

	Allow access by executing:
	# setsebool -P samba_export_all_rw 1

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-54.el6_0.3.noarch

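The denial quoted above can be turned into exactly the narrow rule the reporter proposes instead of the broad samba_export_all_rw boolean. What follows is an added example, not part of the bug report and not audit2allow's own code: a small Python script that parses audit AVC records, merges the denied permissions per (source type, target type, object class) and emits loadable-module source in the same syntax that audit2allow -M produces. The first audit line is the one from the report; the remaining lines (a lock on the same file, a directory search, and a SYSCALL record that must be skipped) are constructed for the example.

```python
import re
from collections import defaultdict

# Audit records to process. The first line is the denial from this bug
# report; the others are constructed for the example.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1294294535.698:39523): avc:  denied  { write } for  pid=20019 comm="smbd" name="wtmp" dev=dm-2 ino=524299 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
type=AVC msg=audit(1294294535.702:39524): avc:  denied  { lock } for  pid=20019 comm="smbd" path="/var/log/wtmp" dev=dm-2 ino=524299 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
type=AVC msg=audit(1294294535.702:39525): avc:  denied  { search } for  pid=20019 comm="smbd" name="log" dev=dm-2 ino=131073 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1294294535.698:39523): arch=c000003e syscall=2 success=no exit=-13 comm="smbd"
"""

# "avc:  denied  { perm perm } for  key=value ..." ; only the denied
# permission set and the key=value tail are needed.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# Values are either "quoted" (comm, name, path) or a bare token (contexts, tclass).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial,
    or None for any record that is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        # A security context is user:role:type[:range]; the type is field 3.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return source, target, tclass, perms


def collect_denials(text):
    """Merge every denial into {(source, target, tclass): set(perms)}."""
    needed = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            source, target, tclass, perms = parsed
            needed[(source, target, tclass)] |= perms
    return dict(needed)


def allow_rules(needed):
    """One allow rule per (source, target, class), permissions sorted."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(needed.items())]


def module_source(name, needed, version="1.0"):
    """Module source (.te) in the syntax that checkmodule -M -m accepts."""
    types = sorted({t for key in needed for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in needed.items():
        classes[tclass] |= perms
    require = ["\ttype %s;" % t for t in types]
    require += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
                for c, p in sorted(classes.items())]
    return "module %s %s;\n\nrequire {\n%s\n}\n\n%s\n" % (
        name, version, "\n".join(require), "\n".join(allow_rules(needed)))


if __name__ == "__main__":
    print(module_source("samba_wtmp", collect_denials(SAMPLE_AUDIT)), end="")
```

Save the output as samba_wtmp.te and build and load it with `checkmodule -M -m -o samba_wtmp.mod samba_wtmp.te`, `semodule_package -o samba_wtmp.pp -m samba_wtmp.mod` and `semodule -i samba_wtmp.pp`; `sesearch -A -s smbd_t -t wtmp_t -c file` then shows the rule in effect. Two caveats: rules derived this way cover only what was actually logged, and dontaudit rules in the base policy can hide further denials (`semodule -DB` disables them while testing); and once a policy that carries the fix is installed, the local module is redundant and should be removed with `semodule -r samba_wtmp` so it does not outlive its purpose.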
Comment 2 Miroslav Grepl 2011-01-06 12:43:31 UTC
Phil,
could you add your output of

# grep utmp /etc/samba/smb.conf


We allow reading/writing utmp.

Comment 3 Phil Anderson 2011-01-06 12:54:29 UTC
The error is for wtmp, not utmp.  My understanding is utmp is used for information for the transient state (i.e. w/who/users commands), while wtmp is more of an audit log (e.g. last command).  Both are written to by samba if utmp=yes.

# grep utmp /etc/samba/smb.conf
	utmp = yes

Comment 4 Milos Malik 2011-01-06 13:22:15 UTC
Easy to reproduce.

Comment 5 Daniel Walsh 2011-01-06 18:40:27 UTC
I guess we should just add

auth_write_login_records(smbd_t)

But my question is should samba change to append to the file rather than write?

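The question in Comment 5 matters for the policy because of how the kernel maps an open(2) onto SELinux file permissions: a write-mode open with O_APPEND is checked for the file permission `append`, not `write`, so a process that only ever appends to wtmp can be granted the narrower permission (the reference policy's authlogin module has an append-only counterpart, auth_append_login_records, to the auth_write_login_records interface proposed above). The following is an added example, not code from Samba or from the policy: a Python model of that mapping for regular files (access mode and O_APPEND only; O_TRUNC and the open/getattr/lock permissions are outside the model), beside two ways of adding a record to a log file that produce identical bytes but require different permissions. The sample records are constructed plain text, not real struct utmp entries.

```python
import os
import tempfile

# Open-flag combinations used in the demonstration and the test.
OPEN_MODES = {
    "O_RDONLY": os.O_RDONLY,
    "O_WRONLY": os.O_WRONLY,
    "O_WRONLY|O_APPEND": os.O_WRONLY | os.O_APPEND,
    "O_RDWR|O_APPEND": os.O_RDWR | os.O_APPEND,
}


def selinux_file_perms(flags):
    """SELinux 'file' permissions an open(2) on a regular file needs for the
    given flags. Models the kernel rule (fs/namei.c build_open_flags and
    security/selinux/hooks.c file_mask_to_av): a write-mode open carrying
    O_APPEND is checked for 'append' instead of 'write'. Only the access
    mode and O_APPEND are modelled; O_TRUNC and friends are ignored here."""
    perms = set()
    mode = flags & os.O_ACCMODE
    if mode in (os.O_RDONLY, os.O_RDWR):
        perms.add("read")
    if mode in (os.O_WRONLY, os.O_RDWR):
        perms.add("append" if flags & os.O_APPEND else "write")
    return perms


def add_record_seek(path, record):
    """Open for writing, seek to the end, write: needs 'write' on the file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o664)
    try:
        os.lseek(fd, 0, os.SEEK_END)
        os.write(fd, record)
    finally:
        os.close(fd)


def add_record_append(path, record):
    """Open with O_APPEND and write: needs only 'append' on the file, and the
    kernel positions every write at end-of-file atomically, so concurrent
    writers cannot overwrite each other's records."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o664)
    try:
        os.write(fd, record)
    finally:
        os.close(fd)


def demo(records):
    """Write the same records both ways into two temporary files and return
    (bytes_via_seek, bytes_via_append); the two results are identical."""
    with tempfile.TemporaryDirectory() as tmp:
        seek_log = os.path.join(tmp, "wtmp.seek")
        append_log = os.path.join(tmp, "wtmp.append")
        for rec in records:
            add_record_seek(seek_log, rec)
            add_record_append(append_log, rec)
        with open(seek_log, "rb") as f:
            via_seek = f.read()
        with open(append_log, "rb") as f:
            via_append = f.read()
    return via_seek, via_append


if __name__ == "__main__":
    # Constructed sample records (real wtmp entries are binary struct utmp).
    sample = [b"smbd login pza 2011-01-06\n", b"smbd logout pza 2011-01-06\n"]
    via_seek, via_append = demo(sample)
    assert via_seek == via_append
    for name, flags in OPEN_MODES.items():
        print("%-18s needs %s" % (name, sorted(selinux_file_perms(flags))))
```

The practical consequence is the one Comment 5 hints at: the AVC in this report shows `write`, so either smbd opened wtmp without O_APPEND or the policy must grant `write`; if the daemon switched to an append-only open, the policy could be tightened to `append`, which also stops a compromised smbd from rewriting or truncating existing login history through that file.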
Comment 7 Miroslav Grepl 2011-02-07 15:40:34 UTC
Fixed in selinux-policy-3.7.19-69.el6

Comment 10 errata-xmlrpc 2011-05-19 11:57:19 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html