Bug 1083491 - Samba and strange avc
Summary: Samba and strange avc
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.11
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-04-02 10:48 UTC by Robin Hack
Modified: 2014-09-16 00:30 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-2.4.6-349.el5
Doc Type: Bug Fix
Doc Text:
Previously, the smbd daemon service was unable to connect to the nmbd service using a Unix stream socket, which caused AVC messages to be logged in the /var/log/audit/audit.log file. To fix this bug, a set of new rules has been added to the SELinux policy to allow smbd to connect to nmbd.
Clone Of:
Environment:
Last Closed: 2014-09-16 00:30:00 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
AVC logs. (8.51 KB, text/x-log)
2014-04-02 10:48 UTC, Robin Hack 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1205 0 normal SHIPPED_LIVE selinux-policy bug fix update 2014-09-16 04:16:46 UTC

Description Robin Hack 2014-04-02 10:48:49 UTC 
Created attachment 881724 [details]
AVC logs.

Description of problem:
Hi. While running this test:
https://beaker.engineering.redhat.com/recipes/1280182#task20066479
git repo:
http://pkgs.devel.redhat.com/cgit/tests/samba/tree/sanity/domain-trusts

some strange avc (which are included) raises.

Maybe this is samba bug (saddr params looks very suspicious).
Comment 1 Robin Hack 2014-04-02 11:07:15 UTC 
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 03/21/2014 23:26:17 smbd root:system_r:smbd_t:s0 102 unix_stream_socket connectto root:system_r:nmbd_t:s0 denied 85
2. 03/21/2014 23:29:33 smbd root:system_r:smbd_t:s0 102 unix_stream_socket connectto root:system_r:nmbd_t:s0 denied 87
3. 03/21/2014 23:29:33 smbd root:system_r:smbd_t:s0 102 unix_stream_socket connectto root:system_r:nmbd_t:s0 denied 86
4. 03/21/2014 23:31:13 smbd root:system_r:smbd_t:s0 102 unix_stream_socket connectto root:system_r:nmbd_t:s0 denied 88
5. 03/21/2014 23:31:13 smbd root:system_r:smbd_t:s0 102 unix_stream_socket connectto root:system_r:nmbd_t:s0 denied 89
6. 03/21/2014 23:32:53 smbd root:system_r:smbd_t:s0 102 unix_stream_socket connectto root:system_r:nmbd_t:s0 denied 90
7. 03/21/2014 23:32:53 smbd root:system_r:smbd_t:s0 102 unix_stream_socket connectto root:system_r:nmbd_t:s0 denied 91
Comment 3 Miroslav Grepl 2014-04-07 15:00:26 UTC 
#============= smbd_t ==============

#!!!! This avc is allowed in the current policy
allow smbd_t nmbd_t:unix_stream_socket connectto;
Comment 4 RHEL Program Management 2014-04-22 20:48:27 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 8 errata-xmlrpc 2014-09-16 00:30:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1205.html
Note You need to log in before you can comment on or make changes to this bug.