Bug 152549 - start of winbind fails, because SELinux targeted policy doesn't allow file creation
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Duplicates: 175923
Reported: 2005-03-30 04:15 EST by Niels Happel
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-03-30 10:18:23 EST
Description Niels Happel 2005-03-30 04:15:51 EST
Description of problem:
The first start of winbind fails, because the SELinux targeted policy doesn't allow the creation of /var/cache/samba/*.tdb and /var/log/samba/winbind.log.
Restarting the service will produce the same error messages.

For a better explanation, take a look at /var/log/messages:

Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.505:0): avc:  denied  { create } for  pid=3906 exe=/usr/sbin/winbindd name=gencache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.505:0): avc:  denied  { create } for  pid=3906 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.505:0): avc:  denied  { create } for  pid=3906 exe=/usr/sbin/winbindd name=winbindd.log scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t tclass=file
Mar 29 19:41:04 rhas4-1 last message repeated 5 times
Mar 29 19:41:04 rhas4-1 winbind: Starten von winbindd succeeded
Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.515:0): avc:  denied  { create } for  pid=3907 exe=/usr/sbin/winbindd name=messages.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.515:0): avc:  denied  { create } for  pid=3907 exe=/usr/sbin/winbindd name=winbindd.log scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t tclass=file
Mar 29 19:41:04 rhas4-1 last message repeated 3 times


Version-Release number of selected component (if applicable):
samba-3.0.10-1.4E

How reproducible:
Always

Steps to Reproduce:
1. Properly configure /etc/samba/smb.conf
2. /etc/rc.d/init.d/winbind start
3. Take a look at /var/log/messages
4. Try to restart winbind


Actual Results:  winbind won't start.

Expected Results:  it should start and be able to create its .log and .tdb files.

Additional info:

Worked around it by disabling SELinux.
Comment 1 Jay Fenlason 2005-03-30 10:18:23 EST
This is a bug in selinux-policy-targeted, not Samba, so I'm redirecting to the 
correct maintainers. 
 
This will be fixed in the Targeted policy in U1. 
 
Until U1, you can work around it by putting SELinux in advisory mode (turning 
off enforcing mode) before starting winbindd.  If you start winbindd with 
SELinux disabled, you may have to relabel the filesystem /var/log/samba is on.  
(The easiest way is to touch /.autorelabel and reboot.)
Comment 2 Daniel Walsh 2005-03-30 11:46:48 EST
You can try out the U1 policy, at

ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted,policycoreutils}
Comment 4 Simo Sorce 2007-08-23 13:41:55 EDT
*** Bug 175923 has been marked as a duplicate of this bug. ***
