Description of problem:
*************************************************
1. When disablescript 49.winbind is executed and the winbind service stopped, where CTDB_MANAGES_WINBIND = yes
2. disablescript 50.samba is executed and the smb service stopped, where CTDB_MANAGES_SAMBA= yes

The AVCs are seen, which shows ctdbd tries to execute smbcontrol, and in the ctdb logs there are permission errors.

The following AVCs are seen, and the messages in the ctdb logs:
*****************************************************************
type=AVC msg=audit(1450103321.941:71909): avc: denied { sigchld } for pid=11716 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process
type=AVC msg=audit(1450103321.941:71910): avc: denied { sigchld } for pid=11225 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system:

This is the log from ctdb which shows the ctdb scriptstatus:
*****************************************************************
2015/12/14 19:58:59.021033 [22865]: Event script '49.winbind takeip eth0 10.70.47.175 22' timed out after 29.9s, count: 0, pid: 11715
2015/12/14 19:58:59.021071 [22865]: Ignoring hung script for eth0 10.70.47.175 22 call 5
2015/12/14 19:58:59.115333 [22865]: Hung-script: ===== Start of hung script debug for PID="11715", event="takeip" =====
2015/12/14 19:58:59.115365 [22865]: Hung-script: pstree -p -a 11715:
2015/12/14 19:58:59.134471 [22865]: Hung-script: /proc/1: Permission denied
2015/12/14 19:58:59.134658 [22865]: Hung-script:
2015/12/14 19:58:59.182444 [22865]: Hung-script: ---- ctdb scriptstatus takeip: ----
2015/12/14 19:58:59.199553 [22865]: Hung-script: 11 scripts were executed last takeip cycle
2015/12/14 19:58:59.199662 [22865]: Hung-script: 00.ctdb Status:OK Duration:0.017 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199703 [22865]: Hung-script: 01.reclock Status:OK Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199735 [22865]: Hung-script: 10.interface Status:OK Duration:0.026 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199766 [22865]: Hung-script: 11.natgw Status:OK Duration:0.012 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199796 [22865]: Hung-script: 11.routing Status:OK Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199826 [22865]: Hung-script: 13.per_ip_routing Status:OK Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199855 [22865]: Hung-script: 20.multipathd Status:OK Duration:0.010 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199884 [22865]: Hung-script: 31.clamd Status:OK Duration:0.015 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199909 [22865]: Hung-script: 40.fs_use Status:DISABLED
2015/12/14 19:58:59.199939 [22865]: Hung-script: 40.vsftpd Status:OK Duration:0.013 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199968 [22865]: Hung-script: 41.httpd Status:OK Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.200000 [22865]: Hung-script: 49.winbind Status:TIMEDOUT Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.200022 [22865]: Hung-script: OUTPUT:
2015/12/14 19:58:59.204283 [22865]: Hung-script: ===== End of hung script debug for PID="11715", event="takeip" =====

Version-Release number of selected component (if applicable):
ctdb-4.2.4-6.el7rhgs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Explained in description

Actual results:
AVCs are seen when ctdb disablescript 49.winbind is executed and the winbind service is stopped; it tries to execute smbcontrol, which throws AVCs.

Expected results:
There should not be any AVCs seen.
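Added example, not part of the original report and not CTDB or Samba code: a small Python parser for the AVC records quoted above that groups denials by source type, target type and class, and skips records that are cut short, as the second one is. Each group is rendered as a candidate allow rule to review before it goes into a local policy module; the function names are illustrative.

```python
import re
from collections import defaultdict

# The two AVC records from the report above; the second is truncated on the page.
SAMPLE = """\
type=AVC msg=audit(1450103321.941:71909): avc: denied { sigchld } for pid=11716 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process
type=AVC msg=audit(1450103321.941:71910): avc: denied { sigchld } for pid=11225 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system:
"""
AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CTX_TYPE_RE = re.compile(r"[^:]+:[^:]+:([^:]+)")  # user:role:type[:level] -> type

def parse_avc(line):
    """Return a dict for a complete AVC denial, or None if the record is malformed."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        stype, ttype = (CTX_TYPE_RE.match(fields[k]).group(1)
                        for k in ("scontext", "tcontext"))
        tclass = fields["tclass"]
    except (KeyError, AttributeError):
        return None  # field missing or context incomplete, e.g. a line cut short
    return {"stype": stype, "ttype": ttype, "tclass": tclass,
            "perms": m.group("perms").split(), "comm": fields.get("comm", "?")}

def summarize(text):
    """Group denials by (source type, target type, class); count skipped lines."""
    groups, skipped = defaultdict(lambda: {"perms": set(), "comms": set()}), 0
    for line in filter(None, map(str.strip, text.splitlines())):
        rec = parse_avc(line)
        if rec is None:
            skipped += 1
            continue
        group = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        group["perms"].update(rec["perms"])
        group["comms"].add(rec["comm"])
    return dict(groups), skipped

def candidate_rules(groups):
    """Render each group as a type-enforcement allow rule for human review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    groups, skipped = summarize(SAMPLE)
    print(*candidate_rules(groups), f"skipped records: {skipped}", sep="\n")
```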
We really should have some fix or workaround for this. Ultimately this needs to be fixed in RHEL selinux policy, as far as I can tell, but this is broken in RHGS installs using CTDB_MANAGES_WINBIND for CTDB.
The new AD documentation guide documents using CTDB_MANAGES_WINBIND=yes, and this was a possibility before. This bug will prevent this setup from fully working. It is important to 1. get it fixed in RHEL, 2. if possible, get a workaround (in the form of a local policy?) in the samba RPM.
"prevents smbcontrol from using ctdb's 49.winbind event script" is wrong. Correct is: "prevents ctdb's 49.winbind event script from executing smbcontrol"
Thanks, the text is good now!
Closed the samba bugs in bulk when PM_Score was less than 0. As the team was working on a few of them, opening all of them.