Bug 1083576 - SELinux is preventing /usr/sbin/winbindd from using the 'kill' capabilities.
Summary: SELinux is preventing /usr/sbin/winbindd from using the 'kill' capabilities.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b7f80d73847fca8d31e8a3cca19...
: 1036193 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-04-02 13:38 UTC by Brian J. Murrell
Modified: 2014-04-20 01:25 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.12.1-153.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-04-20 01:25:22 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Brian J. Murrell 2014-04-02 13:38:32 UTC 
Description of problem:
SELinux is preventing /usr/sbin/winbindd from using the 'kill' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that winbindd should have the kill capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep winbindd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:winbind_t:s0
Target Context                system_u:system_r:winbind_t:s0
Target Objects                 [ capability ]
Source                        winbindd
Source Path                   /usr/sbin/winbindd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           samba-winbind-4.1.6-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-127.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.13.6-200.fc20.x86_64 #1 SMP Fri
                              Mar 7 17:02:28 UTC 2014 x86_64 x86_64
Alert Count                   106
First Seen                    2013-09-12 09:47:31 EDT
Last Seen                     2014-04-02 07:02:47 EDT
Local ID                      a93b5315-6b6e-452c-ae8b-e38308194b87

Raw Audit Messages
type=AVC msg=audit(1396436567.211:17915): avc:  denied  { kill } for  pid=1298 comm="winbindd" capability=5  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability


type=SYSCALL msg=audit(1396436567.211:17915): arch=x86_64 syscall=kill success=no exit=EPERM a0=56e1 a1=0 a2=0 a3=49 items=0 ppid=1 pid=1298 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=winbindd exe=/usr/sbin/winbindd subj=system_u:system_r:winbind_t:s0 key=(null)

Hash: winbindd,winbind_t,winbind_t,capability,kill

Additional info:
reporter:       libreport-2.2.0
hashmarkername: setroubleshoot
kernel:         3.13.6-200.fc20.x86_64
type:           libreport

Potential duplicate: bug 1036193
Comment 1 Simon Sekidde 2014-04-02 13:53:24 UTC 
Hi Brian, 

We have this allow rule.

 allow winbind_t winbind_t : capability { dac_override kill setuid ipc_lock sys_nice audit_write } ; 

Please add custom policy until an updated F20 policy package with this fix is available.
Comment 2 Simon Sekidde 2014-04-02 13:55:24 UTC 
*** Bug 1036193 has been marked as a duplicate of this bug. ***
Comment 3 Brian J. Murrell 2014-04-02 14:15:34 UTC 
(In reply to Simon Sekidde from comment #1)
> Hi Brian, 

Hi Simon,
 
> We have this allow rule.
> 
>  allow winbind_t winbind_t : capability { dac_override kill setuid ipc_lock
> sys_nice audit_write } ; 

Is there a BZ ticket that tracked this rule change?

> Please add custom policy until an updated F20 policy package with this fix
> is available.

Any ETA on when that will be available?
Comment 4 Lukas Vrabec 2014-04-02 14:26:01 UTC 
I found this rule only in rawhide, so back porting to f20 and f19 branch.

F20:
commit 9c3913b9f81e3eab573dc0317178283f06288726
Author: Lukas Vrabec <lvrabec>
Date:   Wed Apr 2 16:21:56 2014 +0200

    Allow kill capability to winbind_t

F19:
commit c752931a51991a9feac74f38a1cce6bfd3c05945
Author: Lukas Vrabec <lvrabec>
Date:   Wed Apr 2 16:21:56 2014 +0200

    Allow kill capability to winbind_t
Comment 5 Fedora Update System 2014-04-08 04:49:12 UTC 
selinux-policy-3.12.1-152.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-152.fc20
Comment 6 Fedora Update System 2014-04-09 13:17:08 UTC 
Package selinux-policy-3.12.1-152.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-152.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-152.fc20
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2014-04-14 22:42:36 UTC 
Package selinux-policy-3.12.1-153.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-153.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-153.fc20
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2014-04-20 01:25:22 UTC 
selinux-policy-3.12.1-153.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.