Bug 1122024 - selinux doesn't allow read for /usr/sbin/nmbd and /usr/bin/ntlm_auth on /var/tmp /usr/tmp and /tmp
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Reported: 2014-07-22 11:46 UTC by David Spurek
Modified: 2017-05-29 12:29 UTC (History)

Fixed In Version: selinux-policy-3.7.19-252.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 08:03:34 UTC


Links:
Red Hat Product Errata RHBA-2014:1568 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2014-10-14 01:27:37 UTC

Description David Spurek 2014-07-22 11:46:59 UTC
Description of problem:
selinux doesn't allow read for /usr/sbin/nmbd and /usr/bin/ntlm_auth on /var/tmp /usr/tmp and /tmp

time->Tue Jul 22 03:13:45 2014
type=PATH msg=audit(1405991625.609:1349): item=0 name="/var/tmp" inode=1704083 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL
type=CWD msg=audit(1405991625.609:1349):  cwd="/"
type=SYSCALL msg=audit(1405991625.609:1349): arch=c000003e syscall=2 success=no exit=-13 a0=7ff264f10f5d a1=0 a2=1b6 a3=0 items=1 ppid=4516 pid=4517 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1405991625.609:1349): avc:  denied  { read } for  pid=4517 comm="nmbd" name="tmp" dev=dm-0 ino=1704083 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Tue Jul 22 03:13:45 2014
type=PATH msg=audit(1405991625.610:1350): item=0 name="/usr/tmp" inode=1704083 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL
type=CWD msg=audit(1405991625.610:1350):  cwd="/"
type=SYSCALL msg=audit(1405991625.610:1350): arch=c000003e syscall=2 success=no exit=-13 a0=7ff264f10f66 a1=0 a2=1b6 a3=0 items=1 ppid=4516 pid=4517 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1405991625.610:1350): avc:  denied  { read } for  pid=4517 comm="nmbd" name="tmp" dev=dm-0 ino=1704083 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Tue Jul 22 03:13:45 2014
type=PATH msg=audit(1405991625.609:1348): item=0 name="/tmp" inode=524289 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL
type=CWD msg=audit(1405991625.609:1348):  cwd="/"
type=SYSCALL msg=audit(1405991625.609:1348): arch=c000003e syscall=2 success=no exit=-13 a0=7ff264f10f61 a1=0 a2=1b6 a3=0 items=1 ppid=4516 pid=4517 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1405991625.609:1348): avc:  denied  { read } for  pid=4517 comm="nmbd" name="tmp" dev=dm-0 ino=524289 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

time->Tue Jul 22 03:14:06 2014
type=PATH msg=audit(1405991646.875:1351): item=0 name="/tmp" inode=524289 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL
type=CWD msg=audit(1405991646.875:1351):  cwd="/"
type=SYSCALL msg=audit(1405991646.875:1351): arch=c000003e syscall=2 success=no exit=-13 a0=7fe9e9cccf61 a1=0 a2=1b6 a3=0 items=1 ppid=8972 pid=10989 auid=4294967295 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="ntlm_auth" exe="/usr/bin/ntlm_auth" subj=unconfined_u:system_r:winbind_helper_t:s0 key=(null)
type=AVC msg=audit(1405991646.875:1351): avc:  denied  { read } for  pid=10989 comm="ntlm_auth" name="tmp" dev=dm-0 ino=524289 scontext=unconfined_u:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Tue Jul 22 03:14:06 2014
type=PATH msg=audit(1405991646.875:1352): item=0 name="/var/tmp" inode=1704083 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL
type=CWD msg=audit(1405991646.875:1352):  cwd="/"
type=SYSCALL msg=audit(1405991646.875:1352): arch=c000003e syscall=2 success=no exit=-13 a0=7fe9e9cccf5d a1=0 a2=1b6 a3=0 items=1 ppid=8972 pid=10989 auid=4294967295 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="ntlm_auth" exe="/usr/bin/ntlm_auth" subj=unconfined_u:system_r:winbind_helper_t:s0 key=(null)
type=AVC msg=audit(1405991646.875:1352): avc:  denied  { read } for  pid=10989 comm="ntlm_auth" name="tmp" dev=dm-0 ino=1704083 scontext=unconfined_u:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Tue Jul 22 03:14:06 2014
type=PATH msg=audit(1405991646.875:1353): item=0 name="/usr/tmp" inode=1704083 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL
type=CWD msg=audit(1405991646.875:1353):  cwd="/"
type=SYSCALL msg=audit(1405991646.875:1353): arch=c000003e syscall=2 success=no exit=-13 a0=7fe9e9cccf66 a1=0 a2=1b6 a3=0 items=1 ppid=8972 pid=10989 auid=4294967295 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="ntlm_auth" exe="/usr/bin/ntlm_auth" subj=unconfined_u:system_r:winbind_helper_t:s0 key=(null)
type=AVC msg=audit(1405991646.875:1353): avc:  denied  { read } for  pid=10989 comm="ntlm_auth" name="tmp" dev=dm-0 ino=1704083 scontext=unconfined_u:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-244.el6


Comment 2 Lukas Vrabec 2014-07-22 13:04:43 UTC
David, 

Is anything broken, or are tests failing because of the AVC? My point is whether winbind really needs read on tmp_t, or whether I can add a dontaudit rule.

Comment 3 David Spurek 2014-07-22 13:34:30 UTC
The test fails due to the AVC; the other checks in the test are OK. A dontaudit rule will be OK in my case.

Comment 5 Miroslav Grepl 2014-07-23 06:42:46 UTC
Well, it would be nice to catch what causes it. It looks like it just lists the tmp dirs.

Comment 6 Lukas Vrabec 2014-07-23 09:37:21 UTC
David, 

I need a system where I can reproduce it. Is that possible?

Comment 8 Lukas Vrabec 2014-07-23 11:42:54 UTC
OK, I'll try it.

Thank you.

Comment 9 Lukas Vrabec 2014-07-23 14:17:39 UTC
Hi Andreas,

Could you explain why nmb is trying to list /tmp and /var/tmp?

Thank you!

Comment 10 Lukas Vrabec 2014-07-24 20:49:41 UTC
I found this with strace:

stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
open("/tmp", O_RDONLY)                  = 3
fstat(3, {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9115200000
read(3, 0x7fff7757f3e0, 8192)           = -1 EISDIR (Is a directory)
close(3)                                = 0
munmap(0x7f9115200000, 4096)            = 0
gettimeofday({1406234613, 834969}, NULL) = 0
stat("/var/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=12288, ...}) = 0
open("/var/tmp", O_RDONLY)              = 3
fstat(3, {st_mode=S_IFDIR|S_ISVTX|0777, st_size=12288, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9115200000
read(3, 0x7fff7757f3e0, 8192)           = -1 EISDIR (Is a directory)
close(3)                                = 0
munmap(0x7f9115200000, 4096)            = 0

I suppose that nmbd is doing some check in /tmp or /var/tmp. Could you confirm that? If yes, I'll add a dontaudit rule.
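
The AVC records in the description and the allow-versus-dontaudit question in comments 2 and 3 can be worked through mechanically. The following is an added example, not a tool from this bug or from the selinux-policy project (audit2allow is the real utility for this): it collapses raw AVC lines into unique source-type/target-type/class/permission tuples and emits a dontaudit rule for the denials a maintainer has judged harmless (here: directory listing of tmp_t), and an allow rule for anything else so it cannot be silenced by accident. The sample input is copied from the records in this report; the `harmless` set is an assumption passed in by the caller.

```python
import re
from collections import OrderedDict

# Sample input taken from the AVC records quoted in this bug report:
# nmbd_t and winbind_helper_t denied { read } on tmp_t directories.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1405991625.609:1349): avc:  denied  { read } for  pid=4517 comm="nmbd" name="tmp" dev=dm-0 ino=1704083 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1405991625.609:1348): avc:  denied  { read } for  pid=4517 comm="nmbd" name="tmp" dev=dm-0 ino=524289 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1405991646.875:1351): avc:  denied  { read } for  pid=10989 comm="ntlm_auth" name="tmp" dev=dm-0 ino=524289 scontext=unconfined_u:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# One AVC record: the permission set inside { }, then the two contexts and the object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return context.split(':')[2]


def summarize_denials(audit_text):
    """Collapse raw AVC records into {(source type, target type, class): {perms}}.
    Repeated records for the same tuple (the three tmp dirs share one label) merge."""
    seen = OrderedDict()
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
        seen.setdefault(key, set()).update(m['perms'].split())
    return seen


def policy_rules(audit_text, harmless):
    """Emit one TE rule per unique denial. A (target type, class) pair listed in
    `harmless` (an assumed caller-supplied set; in this bug: ('tmp_t', 'dir')) is
    silenced with dontaudit; everything else becomes an allow that must be justified."""
    rules = []
    for (stype, ttype, tclass), perms in summarize_denials(audit_text).items():
        verb = 'dontaudit' if (ttype, tclass) in harmless else 'allow'
        rules.append(f"{verb} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules
```

Feeding the same records with an empty `harmless` set shows the alternative the maintainers weighed: plain allow rules for both domains instead of dontaudit.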

Comment 11 Milos Malik 2014-08-04 15:22:18 UTC
This bug looks like a duplicate of BZ#1010303.

Comment 13 Daniel Walsh 2014-08-06 22:08:32 UTC
Do these tools have a reason for listing the /tmp directory?  Could they be looking for Kerberos CC?

Comment 14 Lukas Vrabec 2014-08-13 12:19:06 UTC
I don't know, I hope Andreas will tell us more.

Comment 15 Lukas Vrabec 2014-08-22 09:24:35 UTC
commit 34481828d4c49bc35c1ced150e97c62b7f023f32
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri Aug 22 09:40:23 2014 +0200

    Add samba_domain attribute and allow to list /tmp directory for these domains.

Comment 18 errata-xmlrpc 2014-10-14 08:03:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html

