Bug 1269193 - SELinux is preventing winbindd from using the 'signull' accesses on a process.
Summary: SELinux is preventing winbindd from using the 'signull' accesses on a process.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:9b81622df3df9a31a742e131b26...
: 1230726 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-10-06 15:21 UTC by Brian J. Murrell
Modified: 2015-11-27 03:55 UTC (History)
13 users (show)

Fixed In Version: selinux-policy-3.13.1-128.20.fc22 selinux-policy-3.13.1-128.21.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-27 03:55:53 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Brian J. Murrell 2015-10-06 15:21:29 UTC 
Description of problem:
Logging into AD with wbinfo -K
SELinux is preventing winbindd from using the 'signull' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that winbindd should be allowed signull access on processes labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep winbindd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:winbind_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ process ]
Source                        winbindd
Source Path                   winbindd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.12.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.6-200.fc22.x86_64 #1 SMP Mon
                              Aug 17 19:54:31 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-09-17 11:56:51 EDT
Last Seen                     2015-10-05 12:57:36 EDT
Local ID                      b1cbf7f1-371f-48cb-b812-7593e50c3bc3

Raw Audit Messages
type=AVC msg=audit(1444064256.594:5204): avc:  denied  { signull } for  pid=1462 comm="winbindd" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0


Hash: winbindd,winbind_t,kernel_t,process,signull

Version-Release number of selected component:
selinux-policy-3.13.1-128.12.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.8-200.fc22.x86_64
type:           libreport

Potential duplicate: bug 1036194
Comment 1 Lukas Vrabec 2015-10-08 07:00:20 UTC 
Hi, 

Whats going on here? Why winbind sending signull to kernel? 

Thank you.
Comment 2 Andreas Schneider 2015-10-09 10:19:00 UTC 
As Alexander wrote in bug #1230726:

This is valid behavior in POSIX, see kill(2):

"If sig is 0, then no signal is sent, but error checking is still performed; this can be used to check for the existence of a process ID or process group ID."

Samba uses this behavior to find out whether a particular process already exists. In particular, winbindd fires off a DC probe and since it doesn't need to have multiple of them for the single DC check, it uses this method to check if the probe is there.

_PUBLIC_ bool process_exists_by_pid(pid_t pid)
{
        /* Doing kill with a non-positive pid causes messages to be
         * sent to places we don't want. */
        if (pid <= 0) {
                return false;
        }
        return(kill(pid,0) == 0 || errno != ESRCH);
}

...

        if (domain->dc_probe_pid != (pid_t)-1) {
                /*
                 * We might already have a DC probe
                 * child working, check.
                 */
                if (process_exists_by_pid(domain->dc_probe_pid)) {
                        DEBUG(10,("fork_child_dc_connect: pid %u already "
                                "checking for DC's.\n",
                                (unsigned int)domain->dc_probe_pid));
                        return true;
                }
                domain->dc_probe_pid = (pid_t)-1;
        }

        domain->dc_probe_pid = fork();
Comment 3 Andreas Schneider 2015-10-09 10:19:10 UTC 
*** Bug 1230726 has been marked as a duplicate of this bug. ***
Comment 4 Miroslav Grepl 2015-10-13 10:56:50 UTC 
That makes sense. Thank you.
Comment 5 Lukas Vrabec 2015-10-16 11:05:30 UTC 
commit f78d3985cb8ed1c39b0802d59929dc36bd1eb311
Author: Lukas Vrabec <lvrabec>
Date:   Fri Oct 16 13:04:36 2015 +0200

    Allow winbindd to send signull to kernel. BZ(#1269193)
Comment 6 Fedora Update System 2015-11-03 09:47:18 UTC 
selinux-policy-3.13.1-128.19.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-5fab64b918
Comment 7 Fedora Update System 2015-11-03 18:57:15 UTC 
selinux-policy-3.13.1-128.19.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-5fab64b918
Comment 8 Fedora Update System 2015-11-09 17:56:16 UTC 
selinux-policy-3.13.1-128.20.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-f396e330d9
Comment 9 Fedora Update System 2015-11-10 02:22:18 UTC 
selinux-policy-3.13.1-128.20.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f396e330d9
Comment 10 Fedora Update System 2015-11-20 13:14:05 UTC 
selinux-policy-3.13.1-128.21.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966
Comment 11 Fedora Update System 2015-11-21 17:52:26 UTC 
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966
Comment 12 Fedora Update System 2015-11-27 03:53:26 UTC 
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.