| Summary: | SELinux is preventing /usr/sbin/winbindd from 'name_connect' accesses on the tcp_socket port 389. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stef Walter <stefw> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:59cec58d093ffdb49a414022b45c5b8adcf2e9e2fa57a98bbd243aeeeeaeba60 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-02-15 13:42:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Trying to join an Active Directory domain using the system-config-authentication tool. The SELinux popup gives all sorts of helpful advice if you dig deep enough about how to diddle things to allow this to work. However it should just work by default without SELinux getting in the way (whether by a better policy, or by modifying samba/winbind to be aware of SELinux restrictions and coordinate with SELinux). This is allowed by default in F17. Needs back port to F16. In older versions we allowed all domains that called getpw to connect to the ldap port, since they could use ldap. Since sssd has been added, we decided to turn this off by default since sssd can connect to sssd on your behalf. Some domains like winbind need to use ldap outside of sssd, which is why this is a bug. Stef, please update your system. Wonderful. Good to hear that it's fixed :) |
libreport version: 2.0.8 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.1.0-7.fc16.x86_64 reason: SELinux is preventing /usr/sbin/winbindd from 'name_connect' accesses on the tcp_socket port 389. time: Mon 13 Feb 2012 05:53:25 PM CET description: :SELinux is preventing /usr/sbin/winbindd from 'name_connect' accesses on the tcp_socket port 389. : :***** Plugin catchall_boolean (47.5 confidence) suggests ******************* : :If you want to allow users to login using a sssd server :Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean. :Do :setsebool -P authlogin_nsswitch_use_ldap 1 : :***** Plugin catchall_boolean (47.5 confidence) suggests ******************* : :If you want to allow system to run with NIS :Then you must tell SELinux about this by enabling the 'allow_ypbind' boolean. :Do :setsebool -P allow_ypbind 1 : :***** Plugin catchall (6.38 confidence) suggests *************************** : :If you believe that winbindd should be allowed name_connect access on the port 389 tcp_socket by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep winbindd /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:winbind_t:s0 :Target Context system_u:object_r:ldap_port_t:s0 :Target Objects port 389 [ tcp_socket ] :Source winbindd :Source Path /usr/sbin/winbindd :Port 389 :Host (removed) :Source RPM Packages samba-winbind-3.6.3-78.fc16 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-46.fc16 :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) : 3.1.0-7.fc16.x86_64 #1 SMP Tue Nov 1 21:10:48 UTC : 2011 x86_64 x86_64 :Alert Count 1 :First Seen Mon 13 Feb 2012 05:48:16 PM CET :Last Seen Mon 13 Feb 2012 05:48:16 PM CET :Local ID 37552600-dcb2-4edb-9559-cc28ab7315bb : :Raw Audit Messages :type=AVC msg=audit(1329151696.613:76): avc: denied { name_connect } for pid=1962 comm="winbindd" dest=389 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket : : :type=SYSCALL msg=audit(1329151696.613:76): arch=x86_64 syscall=connect success=no exit=EACCES a0=19 a1=7f89ea49eb00 a2=10 a3=7fffb0fffb40 items=0 ppid=1950 pid=1962 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=winbindd exe=/usr/sbin/winbindd subj=system_u:system_r:winbind_t:s0 key=(null) : :Hash: winbindd,winbind_t,ldap_port_t,tcp_socket,name_connect : :audit2allow : :#============= winbind_t ============== :#!!!! This avc can be allowed using one of the these booleans: :# authlogin_nsswitch_use_ldap, allow_ypbind : :allow winbind_t ldap_port_t:tcp_socket name_connect; : :audit2allow -R : :#============= winbind_t ============== :#!!!! This avc can be allowed using one of the these booleans: :# authlogin_nsswitch_use_ldap, allow_ypbind : :allow winbind_t ldap_port_t:tcp_socket name_connect; :