Description of problem:
Trying to log onto AD domain. I now have about 1800 of these in my audit.log

SELinux is preventing winbindd from 'name_connect' accesses on the tcp_socket port 49261.

*****  Plugin catchall_boolean (89.3 confidence) suggests  ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests  **************************

If you believe that winbindd should be allowed name_connect access on the port 49261 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'winbindd' --raw | audit2allow -M my-winbindd
# semodule -X 300 -i my-winbindd.pp

Additional Information:
Source Context                system_u:system_r:winbind_t:s0
Target Context                system_u:object_r:ephemeral_port_t:s0
Target Objects                port 49261 [ tcp_socket ]
Source                        winbindd
Source Path                   winbindd
Port                          49261
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.17.2-200.fc28.x86_64 #1 SMP Mon Jun 18 20:09:31 UTC 2018 x86_64 x86_64
Alert Count                   59687
First Seen                    2018-01-12 00:22:48 EST
Last Seen                     2018-07-12 09:24:42 EDT
Local ID                      f7a9083f-1666-49a9-aaea-9e6e1871a8e8

Raw Audit Messages
type=AVC msg=audit(1531401882.429:175718): avc: denied { name_connect } for pid=8970 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0

Hash: winbindd,winbind_t,ephemeral_port_t,tcp_socket,name_connect

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.2-200.fc28.x86_64
type:           libreport

Potential duplicate: bug 1415714
type=AVC msg=audit(1531401831.730:175684): avc: denied { name_connect } for pid=8872 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1531401833.755:175685): avc: denied { name_connect } for pid=8872 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1531401837.279:175686): avc: denied { name_connect } for pid=8879 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1531401838.662:175687): avc: denied { name_connect } for pid=8880 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1531401840.061:175688): avc: denied { name_connect } for pid=8879 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1531401841.560:175689): avc: denied { name_connect } for pid=8880 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1531401843.807:175697): avc: denied { name_connect } for pid=8888 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1531401846.373:175698): avc: denied { name_connect } for pid=8888 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1531401854.567:175699): avc: denied { name_connect } for pid=8937 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1531401856.608:175700): avc: denied { name_connect } for pid=8937 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
Hi Samba folks, I have a question. Winbindd is trying to connect to several ports, see comment #1. Are there any "default" ports where winbind will try to connect? Thanks, Lukas.
Lukas, these are ephemeral ports, dynamically allocated by an end-point mapper. From the Samba documentation, smb.conf(5):

rpc server dynamic port range (G)
This parameter tells the RPC server which port range it is allowed to use to create a listening socket for LSA, SAM, Netlogon and others without well-known TCP ports. The first value is the lowest number of the port range and the second the highest. This applies to RPC servers in all server roles.
Default: rpc server dynamic port range = 49152-65535
Okay, makes sense. Should I allow it?
Yes. Thanks!
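The reasoning in the two comments above (the denied port is explained by Samba's dynamic RPC range, so the access can be allowed) is easy to turn into a check that runs over the raw AVC lines before anyone loads a policy module. The script below is an added example, not part of the bug report and not code from the Samba or selinux-policy projects. It embeds two of the AVC lines from comment #1 plus one constructed line with dest=8080 (and an assumed tcontext of http_cache_port_t) to show what falls outside the range; on a real host the input comes from `ausearch -m AVC -c winbindd --raw`. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: triage winbindd name_connect denials against Samba's
# "rpc server dynamic port range" (default 49152-65535, smb.conf(5)).

# Constructed sample input: first two lines are from comment #1 of the bug,
# the third (dest=8080, tcontext http_cache_port_t) is made up for contrast.
AVC_SAMPLE='type=AVC msg=audit(1531401831.730:175684): avc: denied { name_connect } for pid=8872 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1531401837.279:175686): avc: denied { name_connect } for pid=8879 comm="winbindd" dest=49261 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1531401900.000:175799): avc: denied { name_connect } for pid=9001 comm="winbindd" dest=8080 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

# Samba default dynamic RPC range (assumed unchanged in smb.conf).
RPC_DYN_LO=49152
RPC_DYN_HI=65535

# Print the distinct dest= ports of name_connect denials whose source
# type is $1 (e.g. winbind_t). Reads audit lines on stdin.
avc_dest_ports() {
    grep 'denied *{ name_connect }' |
    grep "scontext=[^ ]*:$1:" |
    sed -n 's/.*dest=\([0-9][0-9]*\).*/\1/p' |
    sort -un
}

# Exit 0 if port $1 lies inside the dynamic RPC range, 1 otherwise.
in_rpc_dynamic_range() {
    [ "$1" -ge "$RPC_DYN_LO" ] && [ "$1" -le "$RPC_DYN_HI" ]
}

# For each denied port print "<port> rpc-dynamic" when the end-point mapper
# explains it, or "<port> unexplained" when it needs a separate look.
classify_ports() {
    avc_dest_ports "$1" | while read -r port; do
        if in_rpc_dynamic_range "$port"; then
            echo "$port rpc-dynamic"
        else
            echo "$port unexplained"
        fi
    done
}

# Type-enforcement source of the narrow local module that audit2allow -M
# builds from the rpc-dynamic denials only: it targets ephemeral_port_t,
# not every port and not every domain.
winbind_ephemeral_te() {
    cat <<'EOF'
module my-winbindd 1.0;

require {
    type winbind_t;
    type ephemeral_port_t;
    class tcp_socket name_connect;
}

allow winbind_t ephemeral_port_t:tcp_socket name_connect;
EOF
}

# Usage: classify the sample, then show the module source.
printf '%s\n' "$AVC_SAMPLE" | classify_ports winbind_t
winbind_ephemeral_te
```

Only the rpc-dynamic denials are covered by the explanation in this thread; a port reported as unexplained should not be swept into the same allow rule. Note also that the higher-confidence setroubleshoot suggestion (setsebool -P nis_enabled 1) is a catch-all boolean that changes behaviour well beyond winbindd, whereas the allow rule above is scoped to winbind_t and ephemeral_port_t; the permanent fix for this report was the selinux-policy update noted in the later comments, so a local module is only a stopgap until that update is installed.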
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.