Bug 1288795 - SELinux is preventing winbindd from 'name_connect' accesses on the tcp_socket port 56330. [NEEDINFO]
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: samba
Version: 23
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: low
Assigned To: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:1a3ed3e0a291156b6100f0b8350...
Reported: 2015-12-05 20:30 EST by Brian J. Murrell
Modified: 2016-12-20 11:40 EST
Last Closed: 2016-12-20 11:40:08 EST
Doc Type: Bug Fix
Flags: vmojzis: needinfo? (brian.murrell); lvrabec: needinfo? (brian.murrell)
Attachments: None
Description Brian J. Murrell 2015-12-05 20:30:43 EST
Description of problem:
SELinux is preventing winbindd from 'name_connect' accesses on the tcp_socket port 56330.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that winbindd should be allowed name_connect access on the port 56330 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep winbindd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:winbind_t:s0
Target Context                system_u:object_r:ephemeral_port_t:s0
Target Objects                port 56330 [ tcp_socket ]
Source                        winbindd
Source Path                   winbindd
Port                          56330
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-155.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.6-301.fc23.x86_64 #1 SMP Fri
                              Nov 20 22:22:41 UTC 2015 x86_64 x86_64
Alert Count                   28
First Seen                    2015-10-07 05:48:28 EDT
Last Seen                     2015-12-05 17:06:17 EST
Local ID                      42991ac8-471d-47bc-89ad-b9171fd55477

Raw Audit Messages
type=AVC msg=audit(1449353177.320:1158): avc:  denied  { name_connect } for  pid=10889 comm="winbindd" dest=56330 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0


Hash: winbindd,winbind_t,ephemeral_port_t,tcp_socket,name_connect

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-301.fc23.x86_64
type:           libreport
Comment 1 Vit Mojzis 2015-12-16 11:30:20 EST
Could you please check whether you get any other AVCs? (I was unable to reproduce the issue - winbind doesn't seem to like virtual machines.)
Reproducing the issue with SELinux in permissive mode will show us all the permissions winbind needs. Please try the following:

#setenforce 0
<reproduce the issue>
#ausearch -m avc -ts recent
#setenforce 1
Comment 2 Brian J. Murrell 2016-01-05 06:42:37 EST
The problem is that I don't know what reproduces it.  It just happens when it happens like it did yesterday.  The report said:

SELinux is preventing winbindd from 'name_connect' accesses on the tcp_socket port 52774.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that winbindd should be allowed name_connect access on the port 52774 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep winbindd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:winbind_t:s0
Target Context                system_u:object_r:ephemeral_port_t:s0
Target Objects                port 52774 [ tcp_socket ]
Source                        winbindd
Source Path                   winbindd
Port                          52774
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.6-301.fc23.x86_64 #1 SMP Fri
                              Nov 20 22:22:41 UTC 2015 x86_64 x86_64
Alert Count                   231
First Seen                    2015-10-07 05:48:28 EDT
Last Seen                     2016-01-04 07:01:33 EST
Local ID                      42991ac8-471d-47bc-89ad-b9171fd55477

Raw Audit Messages
type=AVC msg=audit(1451908893.874:40613): avc:  denied  { name_connect } for  pid=1786 comm="winbindd" dest=52774 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0


Hash: winbindd,winbind_t,ephemeral_port_t,tcp_socket,name_connect
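An added triage script for the two AVCs quoted in the description and in Comment 2; it is not part of the bug report, of setroubleshoot, or of Samba/Fedora. It parses raw audit records (what `ausearch -m avc -ts recent`, the command Comment 1 asks for, prints when run with `--raw`), groups enforced denials by the allow rule needed, and renders the `.te` source that `audit2allow -M mypol` would build, so the rule can be reviewed before `semodule -i`. The security point worth seeing in the output: setroubleshoot's first suggestion, `nis_enabled`, is a system-wide boolean consulted by many domains, so enabling it loosens far more than winbind, while the narrower local module still lets winbind_t connect to any port labelled ephemeral_port_t, because SELinux port labels carry no destination host. The sample log is constructed (the two real AVC lines from this report plus one made-up file denial and one SYSCALL record, to show that grouping keeps unrelated denials apart), and the remark that both ports fall in the 49152-65535 range Windows uses for dynamic RPC endpoints is my observation, not something the report establishes.

```python
"""Triage raw SELinux AVC denials and render the local-module .te that would allow them.

Usage on the affected host:  ausearch -m avc -ts recent --raw | python3 avc_triage.py
With no piped input the script runs on the constructed samples below.
"""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed sample input: the two AVCs quoted in this report, a made-up file
# denial for the same domain, and a SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1449353177.320:1158): avc:  denied  { name_connect } for  pid=10889 comm="winbindd" dest=56330 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1451908893.874:40613): avc:  denied  { name_connect } for  pid=1786 comm="winbindd" dest=52774 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1451908900.000:40620): avc:  denied  { read } for  pid=1786 comm="winbindd" name="krb5.conf" dev="dm-0" ino=12345 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1451908893.874:40613): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption (not established by the report): Windows Server 2008 and later
# allocate dynamic RPC endpoints from this range, which both denied ports fall in.
WINDOWS_DYNAMIC_RPC = range(49152, 65536)


@dataclass(frozen=True)
class Avc:
    perms: FrozenSet[str]
    pid: int
    comm: str
    source_type: str      # type field of scontext, e.g. winbind_t
    target_type: str      # type field of tcontext, e.g. ephemeral_port_t
    tclass: str
    dest: Optional[int]   # destination port for socket classes, else None
    permissive: bool


def _type_of(context: str) -> str:
    # A context is user:role:type[:range]; the type is always the third field.
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Avc]:
    """Structured denial from one raw audit line, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(
        perms=frozenset(m.group("perms").split()),
        pid=int(fields["pid"]),
        comm=fields.get("comm", "?"),
        source_type=_type_of(fields["scontext"]),
        target_type=_type_of(fields["tcontext"]),
        tclass=fields["tclass"],
        dest=int(fields["dest"]) if "dest" in fields else None,
        permissive=fields.get("permissive") == "1",
    )


def te_rule(avc: Avc) -> str:
    """The single allow rule that would satisfy this denial."""
    perms = sorted(avc.perms)
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc.source_type} {avc.target_type}:{avc.tclass} {p};"


def triage(lines: Iterable[str]) -> Dict[str, List[Avc]]:
    """Group enforced (permissive=0) denials by the allow rule they need."""
    groups: Dict[str, List[Avc]] = defaultdict(list)
    for line in lines:
        avc = parse_avc(line)
        if avc is not None and not avc.permissive:
            groups[te_rule(avc)].append(avc)
    return dict(groups)


def dest_ports_in_dynamic_rpc_range(avcs: Iterable[Avc]) -> List[int]:
    """Denied destination ports that look like Windows dynamic RPC endpoints."""
    return [a.dest for a in avcs if a.dest is not None and a.dest in WINDOWS_DYNAMIC_RPC]


def local_module_te(name: str, avcs: Iterable[Avc]) -> str:
    """Render the .te source audit2allow -M <name> would build from these denials."""
    avcs = list(avcs)
    types = sorted({a.source_type for a in avcs} | {a.target_type for a in avcs})
    classes: Dict[str, set] = defaultdict(set)
    for a in avcs:
        classes[a.tclass] |= a.perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    for cls in sorted(classes):
        perms = sorted(classes[cls])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"\tclass {cls} {p};")
    out += ["}", ""] + sorted({te_rule(a) for a in avcs})
    return "\n".join(out) + "\n"


def main() -> None:
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG.splitlines()
    groups = triage(source)
    for rule, avcs in groups.items():
        ports = sorted({a.dest for a in avcs if a.dest is not None})
        print(f"{len(avcs):4d}x  {rule}  comm={sorted({a.comm for a in avcs})} ports={ports}")
    print(local_module_te("mypol", (a for avcs in groups.values() for a in avcs)))


if __name__ == "__main__":
    main()
```

Read the printed `.te` before installing anything: when denials for several unrelated rules show up together (as the constructed etc_t line does here), they belong in separate modules, or separate bug reports, rather than in one blanket `mypol`. Whichever route is taken, the boolean or the module, the access granted is to every port labelled ephemeral_port_t, not to the one domain controller winbindd was actually talking to.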
Comment 3 Miroslav Grepl 2016-01-21 04:47:42 EST
Lets ask samba folks.
Comment 4 Alexander Bokovoy 2016-01-21 05:09:54 EST
It would be good to see winbindd logs around this connection. You can set 'log level = 100' to generate a lot of networking logs in Samba.
Comment 5 Brian J. Murrell 2016-01-21 07:49:27 EST
Where do I set "log level = 100"?  /etc/samba/smb.conf in [general] section?  Or somewhere else?
Comment 6 Alexander Bokovoy 2016-01-21 11:12:38 EST
The section is called '[global]'.
Comment 7 Brian J. Murrell 2016-01-25 07:55:35 EST
I tried to set log level to 100 by commenting out my existing log level and adding a new one as such:

#log level = 0 auth:10 winbind:10
log level = 100 # auth:10 winbind:10

That left me unable to authenticate to the domain using "wbinfo -K <userid>":

$ wbinfo -K brian
Enter brian's password: 
plaintext kerberos password authentication for [brian] failed (requesting cctype: FILE)
Could not authenticate user [brian] with Kerberos (ccache: FILE)
Comment 8 Andreas Schneider 2016-01-25 12:26:40 EST
wbinfo -K --krb5ccname=KEYRING brian
Comment 9 Brian J. Murrell 2016-01-25 13:17:31 EST
Why would making the "log level" change all of a sudden require me to supply "--krb5ccname=KEYRING" to wbinfo when the previous "log level" setting did not?
Comment 10 Brian J. Murrell 2016-06-09 09:57:08 EDT
Description of problem:
Logging into AD domain

Version-Release number of selected component:
selinux-policy-3.13.1-158.15.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.6-200.fc23.x86_64
type:           libreport
Comment 11 Brian J. Murrell 2016-06-14 10:26:51 EDT
Description of problem:
Logging into an AD domain

Version-Release number of selected component:
selinux-policy-3.13.1-158.15.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.6-200.fc23.x86_64
type:           libreport
Comment 12 Fedora End Of Life 2016-11-24 09:00:12 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 23 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 13 Fedora End Of Life 2016-12-20 11:40:08 EST
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
