Bug 152549 - start of winbind fails, because SELinux targeted policy doesn't allow file creation
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Assignee: Daniel Walsh
Duplicates: 175923

Reported: 2005-03-30 09:15 UTC by Niels Happel
Modified: 2007-11-30 22:07 UTC (History)
Doc Type: Bug Fix
Last Closed: 2005-03-30 15:18:23 UTC

Description Niels Happel 2005-03-30 09:15:51 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050322 Firefox/1.0.2 Red Hat/1.0.2-1.4.1

Description of problem:
The first start of winbind fails, because the SELinux targeted policy doesn't allow the creation of /var/cache/samba/*.tdb and /var/log/samba/winbind.log.
Restarting the service will produce the same error messages.

For a better explanation, take a look at /var/log/messages:

Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.505:0): avc:  denied  { create } for  pid=3906 exe=/usr/sbin/winbindd name=gencache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.505:0): avc:  denied  { create } for  pid=3906 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.505:0): avc:  denied  { create } for  pid=3906 exe=/usr/sbin/winbindd name=winbindd.log scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t tclass=file
Mar 29 19:41:04 rhas4-1 last message repeated 5 times
Mar 29 19:41:04 rhas4-1 winbind: Starten von winbindd succeeded
Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.515:0): avc:  denied  { create } for  pid=3907 exe=/usr/sbin/winbindd name=messages.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
Mar 29 19:41:04 rhas4-1 kernel: audit(1112118064.515:0): avc:  denied  { create } for  pid=3907 exe=/usr/sbin/winbindd name=winbindd.log scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t tclass=file
Mar 29 19:41:04 rhas4-1 last message repeated 3 times


Version-Release number of selected component (if applicable):
samba-3.0.10-1.4E

How reproducible:
Always

Steps to Reproduce:
1. Properly configure /etc/samba/smb.conf
2. /etc/rc.d/init.d/winbind start
3. Take a look at /var/log/messages
4. Try to restart winbind
  

Actual Results:  winbind won't start.

Expected Results:  it should start and be able to create its .log and .tdb files.

Additional info:

Worked around it by disabling SELinux.

Comment 1 Jay Fenlason 2005-03-30 15:18:23 UTC
This is a bug in selinux-policy-targeted, not Samba, so I'm redirecting to the 
correct maintainers. 
 
This will be fixed in the Targeted policy in U1. 
 
Until U1, you can work around it by putting SELinux in advisory mode (turning 
off enforcing mode) before starting winbindd.  If you start winbindd with 
SELinux disabled, you may have to relabel the filesystem /var/log/samba is on.  
(The easiest way is to touch /.autorelabel and reboot.)

Comment 2 Daniel Walsh 2005-03-30 16:46:48 UTC
You can try out the U1 policy, at

ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted,policycoreutils}

Comment 4 Simo Sorce 2007-08-23 17:41:55 UTC
*** Bug 175923 has been marked as a duplicate of this bug. ***

