Bug 1127602 - SELinux prevents nmbd from reading /tmp
Summary: SELinux prevents nmbd from reading /tmp
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-08-07 08:41 UTC by Robin Hack
Modified: 2014-10-14 08:03 UTC

Fixed In Version: selinux-policy-3.7.19-252.el6
Doc Type: Bug Fix
Doc Text:
Cause: Starting or restarting the Samba daemons. Consequence: The Samba daemons cannot list the /tmp directory. Fix: Add a rule allowing the Samba daemons to list the /tmp directory. Result: The Samba daemons can list the /tmp directory.
Clone Of:
Environment:
Last Closed: 2014-10-14 08:03:52 UTC
Target Upstream Version:
Embargoed:

Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2014:1568 | 0 | normal | SHIPPED_LIVE | selinux-policy bug fix and enhancement update | 2014-10-14 01:27:37 UTC

Comment 2 Milos Malik 2014-08-07 10:33:48 UTC
Just repeating Daniel Walsh's question: do these tools have a reason for listing the /tmp directory? Could they be looking for a Kerberos credentials cache?

Comment 3 Robin Hack 2014-08-07 11:40:23 UTC
I really don't know. It looks fixed in Fedora 20, so from my POV: yes.

Comment 6 Lukas Vrabec 2014-08-19 11:50:54 UTC
Maybe I'm missing something, but I tried your tests and everything looks fine, without any AVC.

$ rpm -q selinux-policy
selinux-policy-3.7.19-250.el6.noarch

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Package       : samba
:: [   LOG    ] :: Installed:    : samba-3.6.23-11.el6.x86_64 
:: [   LOG    ] :: beakerlib RPM : beakerlib-1.9-3.el6 
:: [   LOG    ] :: bl-redhat RPM : beakerlib-redhat-1-12.el6eso 
:: [   LOG    ] :: Test started  : 2014-08-19 13:47:57 CEST
:: [   LOG    ] :: Test finished : 2014-08-19 13:49:17 CEST
:: [   LOG    ] :: Test name     : /CoreOS/samba/Sanity/domain-join
:: [   LOG    ] :: Distro:       : Red Hat Enterprise Linux Workstation release 6.6 Beta (Santiago)
:: [   LOG    ] :: Hostname      : localhost.localdomain
:: [   LOG    ] :: Architecture  : x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test description
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

PURPOSE of /CoreOS/samba/Sanity/domain-join
Description: test basic functionality as a domain member
Author: Ales Zelinka <azelinka>

This test need a preconfigured windows PDC machine running 
and its credentials stored in a samba-bits way.

Contact azelinka (or maybe other samba testers/winland admins)
for details


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Setup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Creating tmp directory (Expected 0, got 0)
:: [   PASS   ] :: Command 'cp expect-script /tmp/tmp.NyifWytJa8/' (Expected 0, got 0)
:: [   PASS   ] :: Command 'pushd /tmp/tmp.NyifWytJa8' (Expected 0, got 0)
:: [   LOG    ] :: Package samba-winbind is present
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   samba-winbind-3.6.23-11.el6.x86_64
:: [   PASS   ] :: Command 'wget --quiet -O samba-bits.sh http://nest.test.redhat.com/mnt/qa/scratch/azelinka/samba-bits/samba-bits.sh' (Expected 0, got 0)
:: [   PASS   ] :: Command 'source samba-bits.sh' (Expected 0, got 0)
:: [   INFO   ] :: samba-bits included
:: [   INFO   ] :: downloading win-config-domain-join.sh
:: [   LOG    ] :: including config from win-config-domain-join.sh
:: [   PASS   ] :: Command 'sb_get_config ' (Expected 0, got 0)
:: [   PASS   ] :: PDC for ZELGROUP.ZEL (expected to be at 10.34.36.16) responds to ping (Expected 0, got 0)
:: [   LOG    ] :: smb.conf modified
:: [   LOG    ] :: krb5.conf modified
:: [   LOG    ] :: synchronizing time with ADS
:: [   LOG    ] :: nsswitch.conf modified
:: [   INFO   ] :: deleting samba caches
:: [   PASS   ] :: restoring selinux contexts on /etc/samba/** (Expected 0, got 0)
:: [   PASS   ] :: checking smb.conf sanity (Expected 0, got 0)
:: [   PASS   ] :: Checking for the presence of expect rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   expect-5.44.1.15-5.el6_4.x86_64
:: [   PASS   ] :: removing samba logs (Expected 0, got 0)
:: [   PASS   ] :: joined ZELGROUP.ZEL domain (method ads) (Assert: expected 0, got 0)
:: [   PASS   ] :: we talk about domain instead of realm in log (because realm can't be in lowercase) (Expected 0, got 0)
:: [   LOG    ] :: Duration: 15s
:: [   LOG    ] :: Assertions: 13 good, 0 bad
:: [   PASS   ] :: RESULT: Setup

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Testing-DomainIntegration-
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: authconfig-uring pam (Expected 0, got 0)
:: [   PASS   ] :: net ads testjoin works (Expected 0, got 0)
:: [   PASS   ] :: trust secret is valid (Expected 0, got 0)
:: [   PASS   ] :: user administrator found in user listing (Expected 0, got 0)
:: [   PASS   ] :: user ZELGROUP+administrator present in system (Assert: expected 0, got 0)
:: [   PASS   ] :: smbclient to PDC works (Expected 0, got 0)
:: [   PASS   ] :: winbind to pam integration works (online) (Expected 0, got 0)
:: [   PASS   ] :: windows user can ssh in (Expected 0, got 0)
:: [   LOG    ] :: Duration: 18s
:: [   LOG    ] :: Assertions: 8 good, 0 bad
:: [   PASS   ] :: RESULT: Testing-DomainIntegration-

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Testing-OfflineMode
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: removing samba logs (Expected 0, got 0)
:: [   PASS   ] :: disabling all connections to PDC except for dns (Expected 0, got 0)
:: [   PASS   ] :: winbind to pam integration works (offline) (Expected 0, got 0)
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: Testing-OfflineMode

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Testing-OfflineMode-BZ#626407
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: removing samba logs (Expected 0, got 0)
:: [   PASS   ] :: restarting winbind to verify BZ#626407 fix (Expected 0, got 0)
:: [   PASS   ] :: still works even after winbind restart (didn't wipe out caches) (Expected 0, got 0)
:: [   PASS   ] :: enabling connections to PDC (Expected 0, got 0)
:: [   LOG    ] :: Duration: 31s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: Testing-OfflineMode-BZ#626407

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: keytab-AES-BZ#748407
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: AES keys found in the keytab (Expected 0, got 0)
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: keytab-AES-BZ#748407

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Testing-Join-Using-Kerberos-BZ#737808
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'REALM_UPPER=ZELGROUP.ZEL' (Expected 0, got 0)
:: [   PASS   ] :: Command 'kdestroy' (Expected 0, got 0)
:: [   PASS   ] :: Command 'chmod +x expect-script-kinit' (Expected 0, got 0)
:: [   PASS   ] :: Command './expect-script-kinit 2>&1 | tee expect-script-kinit.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'klist' (Expected 0, got 0)
:: [   PASS   ] :: Command 'net ads join -k' (Expected 0, got 0)
:: [   PASS   ] :: Command 'net ads testjoin -k' (Expected 0, got 0)
:: [   PASS   ] :: Command 'net ads leave -k' (Expected 0, got 0)
:: [   PASS   ] :: Command 'kdestroy' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 12s
:: [   LOG    ] :: Assertions: 9 good, 0 bad
:: [   PASS   ] :: RESULT: Testing-Join-Using-Kerberos-BZ#737808

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Cleanup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: removing administrator's homedir (Expected 0, got 0)
:: [   PASS   ] :: Command 'popd' (Expected 0, got 0)
:: [   PASS   ] :: Removing tmp directory (Expected 0, got 0)
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: Cleanup

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: /CoreOS/samba/Sanity/domain-join
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Phases: 7 good, 0 bad
:: [   PASS   ] :: RESULT: /CoreOS/samba/Sanity/domain-join
:: [ 13:49:17 ] :: JOURNAL XML: /var/tmp/beakerlib-qkklFHu/journal.xml
:: [ 13:49:17 ] :: JOURNAL TXT: /var/tmp/beakerlib-qkklFHu/journal.txt

Comment 7 Lukas Vrabec 2014-08-21 10:46:52 UTC
Milos,
Could you re-test it, please?

Thank you

Comment 8 Milos Malik 2014-08-22 07:35:17 UTC
Unfortunately, the AVCs appeared on several machines:
----
time->Thu Aug 21 15:13:18 2014
type=SYSCALL msg=audit(1408648398.763:25): arch=40000003 syscall=5 success=no exit=-13 a0=3ba201 a1=0 a2=1b6 a3=3c915c items=0 ppid=7917 pid=7918 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1408648398.763:25): avc:  denied  { read } for  pid=7918 comm="nmbd" name="tmp" dev=dm-0 ino=655361 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:13:18 2014
type=SYSCALL msg=audit(1408648398.763:26): arch=40000003 syscall=5 success=no exit=-13 a0=3ba1fd a1=0 a2=1b6 a3=3c915c items=0 ppid=7917 pid=7918 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1408648398.763:26): avc:  denied  { read } for  pid=7918 comm="nmbd" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:13:18 2014
type=SYSCALL msg=audit(1408648398.765:27): arch=40000003 syscall=5 success=no exit=-13 a0=3ba206 a1=0 a2=1b6 a3=3c915c items=0 ppid=7917 pid=7918 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1408648398.765:27): avc:  denied  { read } for  pid=7918 comm="nmbd" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:18:42 2014
type=SYSCALL msg=audit(1408648722.023:82): arch=40000003 syscall=5 success=no exit=-13 a0=762201 a1=0 a2=1b6 a3=77115c items=0 ppid=15062 pid=15180 auid=4294967295 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="ntlm_auth" exe="/usr/bin/ntlm_auth" subj=unconfined_u:system_r:winbind_helper_t:s0 key=(null)
type=AVC msg=audit(1408648722.023:82): avc:  denied  { read } for  pid=15180 comm="ntlm_auth" name="tmp" dev=dm-0 ino=655361 scontext=unconfined_u:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:18:42 2014
type=SYSCALL msg=audit(1408648722.023:83): arch=40000003 syscall=5 success=no exit=-13 a0=7621fd a1=0 a2=1b6 a3=77115c items=0 ppid=15062 pid=15180 auid=4294967295 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="ntlm_auth" exe="/usr/bin/ntlm_auth" subj=unconfined_u:system_r:winbind_helper_t:s0 key=(null)
type=AVC msg=audit(1408648722.023:83): avc:  denied  { read } for  pid=15180 comm="ntlm_auth" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:18:42 2014
type=SYSCALL msg=audit(1408648722.023:84): arch=40000003 syscall=5 success=no exit=-13 a0=762206 a1=0 a2=1b6 a3=77115c items=0 ppid=15062 pid=15180 auid=4294967295 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="ntlm_auth" exe="/usr/bin/ntlm_auth" subj=unconfined_u:system_r:winbind_helper_t:s0 key=(null)
type=AVC msg=audit(1408648722.023:84): avc:  denied  { read } for  pid=15180 comm="ntlm_auth" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:24:34 2014
type=SYSCALL msg=audit(1408649074.336:103): arch=40000003 syscall=5 success=no exit=-13 a0=8f41fd a1=0 a2=1b6 a3=90315c items=0 ppid=16102 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408649074.336:103): avc:  denied  { read } for  pid=1767 comm="smbcontrol" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:24:34 2014
type=SYSCALL msg=audit(1408649074.336:102): arch=40000003 syscall=5 success=no exit=-13 a0=8f4201 a1=0 a2=1b6 a3=90315c items=0 ppid=16102 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408649074.336:102): avc:  denied  { read } for  pid=1767 comm="smbcontrol" name="tmp" dev=dm-0 ino=655361 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Thu Aug 21 15:24:34 2014
type=SYSCALL msg=audit(1408649074.337:104): arch=40000003 syscall=5 success=no exit=-13 a0=8f4206 a1=0 a2=1b6 a3=90315c items=0 ppid=16102 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408649074.337:104): avc:  denied  { read } for  pid=1767 comm="smbcontrol" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----

# rpm -qa selinux-policy*
selinux-policy-targeted-3.7.19-251.el6.noarch
selinux-policy-3.7.19-251.el6.noarch
selinux-policy-mls-3.7.19-251.el6.noarch
#
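
A small parser for audit records like the ones above, added here as an illustration; it is not part of the bug report, of Samba or of selinux-policy, and its function names are my own. It picks the source and target types, object class and permission set out of each type=AVC line, tallies denials per (source, target, class), prints audit2allow-style candidate rules, and then groups the source domains by the target they were all denied on. The last step is the point: nmbd_t, winbind_helper_t and smbcontrol_t all need the same read on tmp_t:dir, which is why the fix in comment 9 attaches an attribute to the Samba domains and writes one rule against it rather than three separate allow rules. The sample input is copied from the AVC lines in comment 8, trimmed to one SYSCALL record so the parser has something to skip.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input: four AVC records copied from comment 8 above, plus one
# of the SYSCALL records that accompany them, so the parser has a line to ignore.
SAMPLE_AVCS = """\
type=AVC msg=audit(1408648398.763:25): avc:  denied  { read } for  pid=7918 comm="nmbd" name="tmp" dev=dm-0 ino=655361 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1408648398.763:26): avc:  denied  { read } for  pid=7918 comm="nmbd" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1408648722.023:82): avc:  denied  { read } for  pid=15180 comm="ntlm_auth" name="tmp" dev=dm-0 ino=655361 scontext=unconfined_u:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1408649074.336:103): avc:  denied  { read } for  pid=1767 comm="smbcontrol" name="tmp" dev=dm-0 ino=1704020 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1408649074.336:103): arch=40000003 syscall=5 success=no exit=-13 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
"""

# One regular expression for the RHEL 6 audit format: the decision, the permission
# set in braces, comm, and the three fields policy keys on (scontext, tcontext, tclass).
AVC_RE = re.compile(
    r'type=AVC\b.*?\bavc:\s+(?P<decision>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a security context (user:role:type[:range])."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record; a dict for type=AVC lines, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "decision": m.group("decision"),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": m.group("comm"),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(lines):
    """Tally denials per (source type, target type, class), merging permissions and comms."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        entry = summary[(rec["stype"], rec["ttype"], rec["tclass"])]
        entry["perms"].update(rec["perms"])
        entry["comms"].add(rec["comm"])
        entry["count"] += 1
    return dict(summary)


def candidate_rules(summary):
    """audit2allow-style allow rules, one per (source, target, class) key, sorted."""
    return [
        "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(info["perms"])))
        for (stype, ttype, tclass), info in sorted(summary.items())
    ]


def domains_by_target(summary):
    """Group source types that were denied the same permissions on the same target.
    Several domains under one key is the signal that an attribute shared by those
    domains plus a single rule is tidier than one allow rule per domain."""
    groups = defaultdict(list)
    for (stype, ttype, tclass), info in summary.items():
        groups[(ttype, tclass, tuple(sorted(info["perms"])))].append(stype)
    return {key: sorted(stypes) for key, stypes in groups.items()}


if __name__ == "__main__":
    # With a filename argument (for instance saved `ausearch -m avc` output) parse
    # that file; otherwise run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_AVCS.splitlines()
    s = summarize(lines)
    for (stype, ttype, tclass), info in sorted(s.items()):
        print("%-18s -> %s:%s  %s  x%d  comm=%s" % (
            stype, ttype, tclass, sorted(info["perms"]), info["count"], sorted(info["comms"])))
    print()
    for rule in candidate_rules(s):
        print(rule)
    print()
    for (ttype, tclass, perms), stypes in domains_by_target(s).items():
        if len(stypes) > 1:
            print("%s:%s { %s } needed by: %s" % (ttype, tclass, " ".join(perms), ", ".join(stypes)))
```

Run without arguments to see the sample tallied, or pass a file of saved `ausearch -m avc` output from the affected host. Once the fixed policy from the errata is installed, the same question can be put to the loaded policy directly with setools, e.g. `sesearch --allow -s nmbd_t -t tmp_t -c dir -p read` on RHEL 6, which should now return a rule (via the attribute) where the pre-fix policy returned nothing.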

Comment 9 Miroslav Grepl 2014-08-22 07:43:37 UTC
commit 34481828d4c49bc35c1ced150e97c62b7f023f32
Author: Miroslav Grepl <mgrepl>
Date:   Fri Aug 22 09:40:23 2014 +0200

    Add samba_domain attribute and allow to list /tmp directory for these domains.

Comment 12 errata-xmlrpc 2014-10-14 08:03:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
