Bug 143564 - SElinux-targeted does not allow to start Winbind
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i686 Linux
Priority: medium, Severity: high
Assigned To: Daniel Walsh
Reported: 2004-12-22 08:25 EST by Boris Mironov
Modified: 2007-11-30 17:10 EST
Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Last Closed: 2005-06-09 09:06:03 EDT
Description Boris Mironov 2004-12-22 08:25:24 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Description of problem:
SElinux-targeted does not allow to start Postfix and Winbind (from 
Samba) with the errors like the following:

audit(1103643639.300:0): avc:  denied  { append } for  pid=864 exe=/usr/sbin/winbindd name=winbindd.log dev=md0 ino=4612193 scontext=root:system_r:winbind_t tcontext=user_u:object_r:var_log_t tclass=file

audit(1103643639.469:0): avc:  denied  { write } for  pid=864 exe=/usr/sbin/winbindd name=secrets.tdb dev=md0 ino=1341230 scontext=root:system_r:winbind_t tcontext=user_u:object_r:etc_t tclass=file

audit(1103646826.490:0): avc:  denied  { getattr } for  pid=2515 exe=/usr/sbin/ntpd path=/var/run/winbindd dev=md0 ino=4596108 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:winbind_var_run_t tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.51

How reproducible:
Always

Steps to Reproduce:
1. Update Fedora3
2. Use SElinux-targeted
3. Restart samba (smb and winbind services)
    

Actual Results:  Winbind does not start.

Expected Results:  Winbind should start

Additional info:
Comment 1 Daniel Walsh 2004-12-22 09:49:25 EST
You might have a labeling problem.

Please execute 

rpm -q -l samba | restorecon -R -v -f -

Then restart the services.

Does that fix the problem?


Comment 2 Boris Mironov 2004-12-22 11:38:45 EST
Hi Daniel,

Apparently it did not fix the problem.

I also installed a fresh version of selinux-policy-targeted-1.17.30-2.58.
This did not help either.


Regards,
Boris
Comment 3 Boris Mironov 2004-12-22 11:47:25 EST
Hi Daniel,

Apparently it did not fix the problem.

I also installed a fresh version of selinux-policy-targeted-1.17.30-2.58.
This did not help either.


Regards,
Boris
Comment 4 Daniel Walsh 2004-12-22 11:48:30 EST
What avc messages are you seeing now?

Dan
Comment 5 Boris Mironov 2004-12-22 13:58:36 EST
Hi Daniel,

I would say - almost the same:

audit(1103647342.779:0): avc:  denied  { getattr } for  pid=2044 exe=/usr/sbin/ntpd path=/var/run/winbindd dev=md0 ino=4596108 scontext=user_u:system_r:ntpd_t scontext=system_u:object_r:winbind_var_run_t tclass=dir

audit(1103647348.927:0): avc:  denied  { create } for  pid=2170 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file

audit(1103647349.160:0): avc:  denied  { write } for  pid=2170 exe=/usr/sbin/winbindd name=secrets.tdb dev=md0 ino=1341230 scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:etc_t tclass=file

Regards,
Boris

Comment 6 Daniel Walsh 2004-12-22 14:33:20 EST
Ok try selinux-policy-targeted-1.17.30-2.60

from 

ftp://people.redhat.com/dwalsh/SELinux/FC3

You also need to execute
restorecon -R -v /etc/samba

Dan
Comment 7 Boris Mironov 2004-12-22 15:48:28 EST
file /etc/selinux/targeted/policy/policy.18 from install of selinux-
policy-targeted-1.17.30-2.60 conflicts with file from package selinux-
policy-targeted-1.17.30-2.58
Comment 8 Daniel Walsh 2004-12-22 16:54:33 EST
It should be an update?  

Comment 9 Boris Mironov 2004-12-22 16:57:58 EST
I did 

rpm -i selinux-policy-targeted-1.17.30-2.60
Comment 10 Daniel Walsh 2004-12-22 17:16:40 EST
rpm -Uhv selinux-policy-targeted-1.17.30-2.60
will update an installed package.
Comment 11 Boris Mironov 2004-12-23 08:49:23 EST
Hi Daniel,

Sorry, I just got used to up2date service ;o)

Here are some more messages:

About Portmap:
avc: denied {read} for pid=1717 exe=/sbin/portmap name=libnsl.so.1 
dev=md0 ino=640726 scontext=user_u:system_r:portmap_t 
tcontext=system_u:object_r:file_t tclass=lnk_file

portmap: error while loading shared libraries: libnsl.so.1: cannot 
open shared object file: No such file or directory

About ntpd:
Synchronizing with time server: audit(1103809260.816:0): avc: denied 
{read} for pid=3028 exe=/usr/sbin/ntpdate name=libcap.so.1.10 dev=md0 
ino=637842 scontext=user_u:system_r:ntpd_t 
tcontext=system_u:object_r:file_t tclass=file
avc: denied {read} for pid=2045 exe=/usr/sbin/ntpd name=libm.so.6 
dev=md0 ino=640758 scontext=user_u:system_r:ntpd_t 
tcontext=system_u:object_r:file_t tcalss=lnk_file
ntpd error while loading shared libraries: lbm.so.6: cannot open 
shared object file: No such file or directory

About Winbind:
avc: denied {read} for pid=2177 exe=/usr/sbin/winbindd 
name=libcrypt.so.1 dev=md0 ino=637883 
scontext=user_u:system_r:winbind_t tcontext=system_u:object_r:file_t 
tclass=lnk_file
winbindd: error while loading shared libraries: libcrypt.so.1: cannot 
open shared object file: No such file or directory

Regards,
Boris
Comment 12 Daniel Walsh 2004-12-23 10:50:08 EST
This does not look like a properly labeled machine.  You should not
have file_t's around.  Did you disable SELInux or boot with selinux=0,
or boot a different OS and write files on this disk?

You need to touch /.autorelabel and reboot, to fix the labeling on the
machine.

Dan
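
The distinction drawn in comment 12 (a target type of file_t means the file has no label, so the fix is a relabel rather than a policy change) can be checked mechanically over a batch of denials. The following is an added example, not part of the original thread or of any Red Hat tool; the function names and the unlabeled_t entry are assumptions, and the sample lines are copied from the comments above and rejoined onto single lines.

```python
import re
from collections import defaultdict

# Denials copied from the comments in this thread, rejoined onto single lines;
# the last line is a non-AVC loader error that the parser must skip.
SAMPLE_LOG = """\
audit(1103643639.469:0): avc:  denied  { write } for  pid=864 exe=/usr/sbin/winbindd name=secrets.tdb dev=md0 ino=1341230 scontext=root:system_r:winbind_t tcontext=user_u:object_r:etc_t tclass=file
avc: denied {read} for pid=2177 exe=/usr/sbin/winbindd name=libcrypt.so.1 dev=md0 ino=637883 scontext=user_u:system_r:winbind_t tcontext=system_u:object_r:file_t tclass=lnk_file
avc: denied {read} for pid=1717 exe=/sbin/portmap name=libnsl.so.1 dev=md0 ino=640726 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=lnk_file
winbindd: error while loading shared libraries: libcrypt.so.1: cannot open shared object file: No such file or directory
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")
# file_t is the type named in comment 12; unlabeled_t is added here as an
# assumption about policies that mark label-less objects that way.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def context_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one denial into a dict; None for non-AVC or truncated lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(2)))
    ttype = context_type(fields.get("tcontext", ""))
    if ttype is None or "tclass" not in fields:
        return None
    return {"perms": m.group(1).split(), "exe": fields.get("exe", "?"),
            "object": fields.get("name") or fields.get("path", "?"),
            "target_type": ttype, "tclass": fields["tclass"]}


def triage(log_text):
    """Split denials into 'relabel' (target has no label) and 'labeled'."""
    buckets = {"relabel": defaultdict(set), "labeled": defaultdict(set)}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = "relabel" if rec["target_type"] in UNLABELED_TYPES else "labeled"
        buckets[key][rec["exe"]].add(rec["object"])
    return {k: {exe: sorted(objs) for exe, objs in v.items()}
            for k, v in buckets.items()}
```

Anything in the "relabel" bucket calls for the /.autorelabel step from comment 12; entries under "labeled" are the cases the thread handled with restorecon or a policy update.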
Comment 13 Boris Mironov 2004-12-23 11:22:09 EST
Hi Dan,

When I discovered that SElinux does not work for me, I just disabled 
SElinux from the GUI (Applications -> System Settings -> Security Level).

Currently, I restarted with the following kernel parameters:
ro root=/dev/md0 rhgb quiet

...
Now SELinux is enabled, and after reboot/relabelling I've got the 
following:

Starting postfix: audit(1103818226.095.0): avc: denied {getattr} for 
pid=1896 exe=/usr/sbin/ntpd path=/var/run/winbindd dev=md0 
ino=4596108 scontext=user_u:system_r:ntpd_t 
tcontext=system_u:object_r:winbind_var_run_t tclass=dir

Don't know what ntpd has to do with /var/run/winbindd.

Now the system seems to work fine (ntpd synchronized with stratum, samba 
is available for windows users, ...)


Best Regards and
Merry Christmas,
Boris
Comment 14 Daniel Walsh 2004-12-23 13:39:51 EST
NTPD is calling netgroups which libc checks then asks winbind to list
all the groups the user is a member of... (Or something like that).

I am modifying the ntpd domain to allow this priv.

selinux-policy-targeted-1.17.30-2.61
Comment 15 Tim Powers 2005-06-09 09:06:03 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-251.html
