Description of problem: SELinux is preventing /usr/sbin/winbindd from using the 'kill' capabilities. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that winbindd should have the kill capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep winbindd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:winbind_t:s0 Target Context system_u:system_r:winbind_t:s0 Target Objects [ capability ] Source winbindd Source Path /usr/sbin/winbindd Port <Unknown> Host (removed) Source RPM Packages samba-winbind-4.1.6-1.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-127.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.13.6-200.fc20.x86_64 #1 SMP Fri Mar 7 17:02:28 UTC 2014 x86_64 x86_64 Alert Count 106 First Seen 2013-09-12 09:47:31 EDT Last Seen 2014-04-02 07:02:47 EDT Local ID a93b5315-6b6e-452c-ae8b-e38308194b87 Raw Audit Messages type=AVC msg=audit(1396436567.211:17915): avc: denied { kill } for pid=1298 comm="winbindd" capability=5 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability type=SYSCALL msg=audit(1396436567.211:17915): arch=x86_64 syscall=kill success=no exit=EPERM a0=56e1 a1=0 a2=0 a3=49 items=0 ppid=1 pid=1298 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=winbindd exe=/usr/sbin/winbindd subj=system_u:system_r:winbind_t:s0 key=(null) Hash: winbindd,winbind_t,winbind_t,capability,kill Additional info: reporter: libreport-2.2.0 hashmarkername: setroubleshoot kernel: 3.13.6-200.fc20.x86_64 type: libreport Potential duplicate: bug 1036193
Hi Brian, We have this allow rule. allow winbind_t winbind_t : capability { dac_override kill setuid ipc_lock sys_nice audit_write } ; Please add custom policy until an updated F20 policy package with this fix is available.
*** Bug 1036193 has been marked as a duplicate of this bug. ***
(In reply to Simon Sekidde from comment #1) > Hi Brian, Hi Simon, > We have this allow rule. > > allow winbind_t winbind_t : capability { dac_override kill setuid ipc_lock > sys_nice audit_write } ; Is there a BZ ticket that tracked this rule change? > Please add custom policy until an updated F20 policy package with this fix > is available. Any ETA on when that will be available?
I found this rule only in rawhide, so back porting to f20 and f19 branch. F20: commit 9c3913b9f81e3eab573dc0317178283f06288726 Author: Lukas Vrabec <lvrabec> Date: Wed Apr 2 16:21:56 2014 +0200 Allow kill capability to winbind_t F19: commit c752931a51991a9feac74f38a1cce6bfd3c05945 Author: Lukas Vrabec <lvrabec> Date: Wed Apr 2 16:21:56 2014 +0200 Allow kill capability to winbind_t
selinux-policy-3.12.1-152.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-152.fc20
Package selinux-policy-3.12.1-152.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-152.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-152.fc20 then log in and leave karma (feedback).
Package selinux-policy-3.12.1-153.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-153.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-153.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-153.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.