Bug 147183 - SELinux blocks normal winbindd operations
Summary: SELinux blocks normal winbindd operations
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-02-04 18:23 UTC by Steve Bonneville
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-02-04 18:43:59 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2005:251 (priority: low, status: SHIPPED_LIVE): selinux-policy-targeted bug fix update, last updated 2005-06-09 04:00:00 UTC

Description Steve Bonneville 2005-02-04 18:23:11 UTC
Description of problem:

The winbind service is being blocked from creating its local idmap
database as well as its cache files and log files, due to SELinux
restrictions.  This breaks winbind operation when used with a local
idmap database.  I haven't tested it yet with a LDAP backend to see 
if it's working at all.  Four example AVC denials below:

Feb  4 13:10:52 sbonnevi-lt kernel: audit(1107540652.621:0): avc: denied  { create } for  pid=4651 exe=/usr/sbin/winbindd name=winbindd.log scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t tclass=file

Feb  4 13:10:52 sbonnevi-lt kernel: audit(1107540652.622:0): avc: denied  { create } for  pid=4651 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file

Feb  4 13:10:52 sbonnevi-lt kernel: audit(1107540652.651:0): avc: denied  { create } for  pid=4652 exe=/usr/sbin/winbindd name=netsamlogon_cache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file

Feb  4 13:10:56 sbonnevi-lt kernel: audit(1107540656.814:0): avc: denied  { create } for  pid=4652 exe=/usr/sbin/winbindd name=winbindd_cache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file


It was my understanding from the current release notes that 
winbindd is not SUPPOSED to be a confined service, since it's 
not on the list.  :(

Version-Release number of selected component (if applicable):
  selinux-policy-targeted-1.17.30-2.52.1
  samba*-3.0.10-1.4E
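The four denials above all share one source domain (winbind_t) and one permission (create) but two target types (samba_log_t and samba_var_t), which is the information a policy maintainer needs to decide whether the missing access belongs in the shipped policy. The following script is an added example, not part of the bug report or of Red Hat's policy tooling: it parses AVC records of the form shown above, drops anything that is not a denial, and groups the denied permissions by (source type, target type, object class), rendering the result as candidate allow rules in the classic policy syntax for review. The sample lines are the report's own four records, re-joined onto one line each; the regexes and function names are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC denials quoted in the bug report, each
# re-joined onto a single line (the kernel emits one record per line; the
# wrapping in the report is a Bugzilla artifact).
AVC_LINES = [
    "Feb  4 13:10:52 sbonnevi-lt kernel: audit(1107540652.621:0): avc:  denied  { create } for  pid=4651 exe=/usr/sbin/winbindd name=winbindd.log scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t tclass=file",
    "Feb  4 13:10:52 sbonnevi-lt kernel: audit(1107540652.622:0): avc:  denied  { create } for  pid=4651 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file",
    "Feb  4 13:10:52 sbonnevi-lt kernel: audit(1107540652.651:0): avc:  denied  { create } for  pid=4652 exe=/usr/sbin/winbindd name=netsamlogon_cache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file",
    "Feb  4 13:10:56 sbonnevi-lt kernel: audit(1107540656.814:0): avc:  denied  { create } for  pid=4652 exe=/usr/sbin/winbindd name=winbindd_cache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file",
]

# "avc:  denied  { perm perm } for  key=value key=value ..."
# (assumed layout, matching the records above; whitespace is flexible)
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of the record's key=value fields plus 'decision' and
    'perms', or None if the line is not an AVC record at all."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["decision"] = m.group("decision")
    rec["perms"] = m.group("perms").split()
    return rec


def domain_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(lines):
    """Group denied permissions by (source type, target type, object class).
    Non-AVC lines and 'granted' records are ignored."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (domain_type(rec["scontext"]), domain_type(rec["tcontext"]), rec["tclass"])
        needed[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in needed.items()}


def allow_rules(summary):
    """Render a summary as allow rules in classic SELinux policy syntax,
    one per (source, target, class) triple, for a maintainer to review."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(summarize(AVC_LINES)):
        print(rule)
```

Run against the report's four records, the script collapses them to two rules, one for samba_log_t and one for samba_var_t, which is exactly the gap the errata closed by adding winbindd to the confined-service list rather than by patching the type labels. Keying on the type alone (rather than the whole context) means the same grouping works on MLS-enabled systems where contexts carry a fourth level field.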

Comment 1 Daniel Walsh 2005-02-04 18:43:59 UTC
It should be added to the list.  This bug is one of many that have been
fixed but did not make the cut off for RC.  It will be fixed in Update 1.

You can grab the FC3 policy to test it out.

Dan

Comment 3 Tim Powers 2005-06-09 13:06:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-251.html