Bug 741967
Field | Value
---|---
Summary | SE Linux policies for Clustered Samba commands
Product | Red Hat Enterprise Linux 6
Component | selinux-policy
Version | 6.1
Hardware | All
OS | Linux
Status | CLOSED ERRATA
Severity | medium
Priority | medium
Reporter | Nate Straz <nstraz>
Assignee | Miroslav Grepl <mgrepl>
QA Contact | Milos Malik <mmalik>
CC | dwalsh, mmalik
Target Milestone | rc
Target Release | ---
Fixed In Version | selinux-policy-3.7.19-116.el6
Doc Type | Bug Fix
Story Points | ---
Clone Of | 719738
Bug Depends On | 719738
Bug Blocks | 672641
Last Closed | 2011-12-06 10:19:32 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Description
Nate Straz
2011-09-28 15:54:15 UTC
Looking through audit.log shows that winbindd probably needs the same policy change.

```
type=AVC msg=audit(1317076246.144:48811): avc: denied { write } for pid=5425 comm="winbindd" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
```

Do you know if these actual programs need to talk to this socket? Or could this be a leak? Can you attach the full output of ausearch -m avc?

Created attachment 525391 [details]
ausearch output from dash-01

Yeah, I'm pretty sure they do. I was trying to reload the samba config with smbcontrol and CTDB also manages winbindd when asked to.

Ok, I will add it. For other AVC msgs, AFAIK we discussed it in https://bugzilla.redhat.com/show_bug.cgi?id=719738 and you need to run all needed steps in this bug and also please test it with the latest policy. Thanks.

Both nmbd and winbindd need a change in policy:

```
# ausearch -m avc -m user_avc -ts today -i
----
type=PATH msg=audit(09/29/2011 10:04:31.134:152) : item=0 name=(null) inode=18340 dev=fd:00 mode=socket,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ctdbd_tmp_t:s0
type=SOCKADDR msg=audit(09/29/2011 10:04:31.134:152) : saddr=local /tmp/ctdb.socket
type=SOCKETCALL msg=audit(09/29/2011 10:04:31.134:152) : nargs=3 a0=7 a1=bfd1a98e a2=6e
type=SYSCALL msg=audit(09/29/2011 10:04:31.134:152) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd1a900 a2=c64ff4 a3=16cdd68 items=1 ppid=14549 pid=14550 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=winbindd exe=/usr/sbin/winbindd subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(09/29/2011 10:04:31.134:152) : avc: denied { write } for pid=14550 comm=winbindd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
----
type=PATH msg=audit(09/29/2011 10:05:56.610:153) : item=0 name=(null) inode=18340 dev=fd:00 mode=socket,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ctdbd_tmp_t:s0
type=SOCKADDR msg=audit(09/29/2011 10:05:56.610:153) : saddr=local /tmp/ctdb.socket
type=SOCKETCALL msg=audit(09/29/2011 10:05:56.610:153) : nargs=3 a0=7 a1=bfd4777e a2=6e
type=SYSCALL msg=audit(09/29/2011 10:05:56.610:153) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd476f0 a2=100cff4 a3=196cd80 items=1 ppid=14913 pid=14914 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=nmbd exe=/usr/sbin/nmbd subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(09/29/2011 10:05:56.610:153) : avc: denied { write } for pid=14914 comm=nmbd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
#
```

Make sense?

Created attachment 525494 [details]
AVCs seen when running the automated test in permissive mode

I am fixing them.

Fixed in selinux-policy-3.7.19-114.el6

Ok, I found a typo in the samba policy file. Fixed in selinux-policy-3.7.19-116.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
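The AVC records in this thread are the evidence behind "both nmbd and winbindd need a change in policy". As an added example (not code from this bug or from the selinux-policy package), the following Python reduces such records, in the form `ausearch -i` prints them, to the per-domain allow rules they imply, grouped the way audit2allow groups them. The sample input is constructed from the two AVC lines quoted above plus one non-AVC record to show it is skipped.

```python
import re

# Constructed sample: the two AVC records from this bug (ausearch -i form)
# followed by a SYSCALL record, which carries no avc: denied and is ignored.
SAMPLE_AVCS = """\
type=AVC msg=audit(09/29/2011 10:04:31.134:152) : avc: denied { write } for pid=14550 comm=winbindd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(09/29/2011 10:05:56.610:153) : avc: denied { write } for pid=14914 comm=nmbd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(09/29/2011 10:05:56.610:153) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied)
"""

# Fields of an AVC denial; comm may be quoted in raw audit.log lines.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bcomm=\"?(?P<comm>[^\s\"]+)\"?.*?"
    r"\bscontext=(?P<scontext>\S+).*?"
    r"\btcontext=(?P<tcontext>\S+).*?"
    r"\btclass=(?P<tclass>\S+)"
)


def parse_avc_denials(text):
    """Return one dict per AVC denial line; other audit records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        # An SELinux context is user:role:type:level; the type is what policy keys on.
        d["stype"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials


def summarize_rules(denials):
    """Group denials as (source type, target type, class) -> set of permissions."""
    rules = {}
    for d in denials:
        key = (d["stype"], d["ttype"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    return rules


def format_allow_rules(rules):
    """Render each group as the allow rule a policy maintainer would review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    for rule in format_allow_rules(summarize_rules(parse_avc_denials(SAMPLE_AVCS))):
        print(rule)
```

In enforcing mode the process fails at the first denied operation, so a trace from one run can be incomplete; that is the reason to collect such traces in permissive mode, as the second attachment in this bug was.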