Bug 147183 - SELinux blocks normal winbindd operations
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All Linux
Priority: medium
Severity: high
Assigned To: Daniel Walsh
Reported: 2005-02-04 13:23 EST by Steve Bonneville
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Last Closed: 2005-02-04 13:43:59 EST


Description Steve Bonneville 2005-02-04 13:23:11 EST
Description of problem:

The winbind service is being blocked from creating its local idmap
database as well as its cache files and log files, due to SELinux
restrictions.  This breaks winbind operation when used with a local
idmap database.  I haven't tested it yet with an LDAP backend to see
if it's working at all.  Four example AVC denials below:

Feb  4 13:10:52 sbonnevi-lt kernel: audit(1107540652.621:0): avc: 
denied  { create } for  pid=4651 exe=/usr/sbin/winbindd
name=winbindd.log scontext=root:system_r:winbind_t
tcontext=root:object_r:samba_log_t tclass=file

Feb  4 13:10:52 sbonnevi-lt kernel: audit(1107540652.622:0): avc: 
denied  { create } for  pid=4651 exe=/usr/sbin/winbindd
name=winbindd_idmap.tdb scontext=root:system_r:winbind_t
tcontext=root:object_r:samba_var_t tclass=file

Feb  4 13:10:52 sbonnevi-lt kernel: audit(1107540652.651:0): avc: 
denied  { create } for  pid=4652 exe=/usr/sbin/winbindd
name=netsamlogon_cache.tdb scontext=root:system_r:winbind_t
tcontext=root:object_r:samba_var_t tclass=file

Feb  4 13:10:56 sbonnevi-lt kernel: audit(1107540656.814:0): avc: 
denied  { create } for  pid=4652 exe=/usr/sbin/winbindd
name=winbindd_cache.tdb scontext=root:system_r:winbind_t
tcontext=root:object_r:samba_var_t tclass=file


It was my understanding from the current release notes that 
winbindd is not SUPPOSED to be a confined service, since it's 
not on the list.  :(

Version-Release number of selected component (if applicable):
  selinux-policy-targeted-1.17.30-2.52.1
  samba*-3.0.10-1.4E
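
An added triage example for the four denials quoted in the description (not part of the bug report or of selinux-policy-targeted): it groups AVC denials by source type, target type and class, and renders each group as a candidate allow rule to compare against the updated policy. The function names are hypothetical, and `SAMPLE_LOG` is the report's denials with the wrapped lines rejoined.

```python
import re
from collections import defaultdict

# The four denials from the report, with the wrapped lines rejoined.
SAMPLE_LOG = """\
Feb  4 13:10:52 sbonnevi-lt kernel: audit(1107540652.621:0): avc: denied  { create } for  pid=4651 exe=/usr/sbin/winbindd name=winbindd.log scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t tclass=file
Feb  4 13:10:52 sbonnevi-lt kernel: audit(1107540652.622:0): avc: denied  { create } for  pid=4651 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
Feb  4 13:10:52 sbonnevi-lt kernel: audit(1107540652.651:0): avc: denied  { create } for  pid=4652 exe=/usr/sbin/winbindd name=netsamlogon_cache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
Feb  4 13:10:56 sbonnevi-lt kernel: audit(1107540656.814:0): avc: denied  { create } for  pid=4652 exe=/usr/sbin/winbindd name=winbindd_cache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
"""

# Matches one denial after whitespace has been collapsed, so records that were
# wrapped across lines (as in the report) parse the same as single-line ones.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]*)\} for (?P<fields>(?:\S+=\S+ ?)+)")

def parse_denials(log_text):
    """Yield one dict per well-formed AVC denial found in log_text."""
    flat = " ".join(log_text.split())
    for m in AVC_RE.finditer(flat):
        rec = dict(kv.split("=", 1) for kv in m.group("fields").split())
        try:
            # Contexts are user:role:type, optionally followed by an MLS level.
            rec["key"] = (rec["scontext"].split(":")[2],
                          rec["tcontext"].split(":")[2], rec["tclass"])
        except (KeyError, IndexError):
            continue  # incomplete or malformed record: nothing to group on
        rec["perms"] = m.group("perms").split()
        yield rec

def summarize(log_text):
    """Map (source type, target type, class) -> denied perms and object names."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for rec in parse_denials(log_text):
        g = groups[rec["key"]]
        g["perms"].update(rec["perms"])
        g["names"].add(rec.get("name", "?"))
    return dict(groups)

def candidate_rules(log_text):
    """Render each group as an allow rule for review, not for blind loading."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(summarize(log_text).items())]

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

The four denials collapse to two type pairs, `winbind_t` creating files labelled `samba_log_t` and `samba_var_t`, which is the access to check for in the updated policy.
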

Comment 1 Daniel Walsh 2005-02-04 13:43:59 EST
It should be added to the list.  This bug is one of many that have been
fixed but did not make the cutoff for RC.  It will be fixed in Update 1.

You can grab the FC3 policy to test it out.

Dan

Comment 3 Tim Powers 2005-06-09 09:06:17 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-251.html
