Description of problem: Logging into AD with wbinfo -K SELinux is preventing winbindd from using the 'signull' accesses on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that winbindd should be allowed signull access on processes labeled kernel_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep winbindd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:winbind_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ process ] Source winbindd Source Path winbindd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-128.12.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.1.6-200.fc22.x86_64 #1 SMP Mon Aug 17 19:54:31 UTC 2015 x86_64 x86_64 Alert Count 2 First Seen 2015-09-17 11:56:51 EDT Last Seen 2015-10-05 12:57:36 EDT Local ID b1cbf7f1-371f-48cb-b812-7593e50c3bc3 Raw Audit Messages type=AVC msg=audit(1444064256.594:5204): avc: denied { signull } for pid=1462 comm="winbindd" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0 Hash: winbindd,winbind_t,kernel_t,process,signull Version-Release number of selected component: selinux-policy-3.13.1-128.12.fc22.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.1.8-200.fc22.x86_64 type: libreport Potential duplicate: bug 1036194
Hi, Whats going on here? Why winbind sending signull to kernel? Thank you.
As Alexander wrote in bug #1230726: This is valid behavior in POSIX, see kill(2): "If sig is 0, then no signal is sent, but error checking is still performed; this can be used to check for the existence of a process ID or process group ID." Samba uses this behavior to find out whether a particular process already exists. In particular, winbindd fires off a DC probe and since it doesn't need to have multiple of them for the single DC check, it uses this method to check if the probe is there. _PUBLIC_ bool process_exists_by_pid(pid_t pid) { /* Doing kill with a non-positive pid causes messages to be * sent to places we don't want. */ if (pid <= 0) { return false; } return(kill(pid,0) == 0 || errno != ESRCH); } ... if (domain->dc_probe_pid != (pid_t)-1) { /* * We might already have a DC probe * child working, check. */ if (process_exists_by_pid(domain->dc_probe_pid)) { DEBUG(10,("fork_child_dc_connect: pid %u already " "checking for DC's.\n", (unsigned int)domain->dc_probe_pid)); return true; } domain->dc_probe_pid = (pid_t)-1; } domain->dc_probe_pid = fork();
*** Bug 1230726 has been marked as a duplicate of this bug. ***
That makes sense. Thank you.
commit f78d3985cb8ed1c39b0802d59929dc36bd1eb311 Author: Lukas Vrabec <lvrabec> Date: Fri Oct 16 13:04:36 2015 +0200 Allow winbindd to send signull to kernel. BZ(#1269193)
selinux-policy-3.13.1-128.19.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-5fab64b918
selinux-policy-3.13.1-128.19.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update selinux-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-5fab64b918
selinux-policy-3.13.1-128.20.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-f396e330d9
selinux-policy-3.13.1-128.20.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update selinux-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f396e330d9
selinux-policy-3.13.1-128.21.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update selinux-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.