Bug 163514 - newer yet outdated policy stops operation of mozilla-bin, yum, rhn-applet, smbd ...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-07-18 10:18 EDT by David Timms
Modified: 2007-11-30 17:11 EST
Last Closed: 2005-07-20 11:57:45 EDT
Doc Type: Bug Fix

Attachments
var/log/messages where audit is challenging winbindd (3.46 KB, text/plain), 2005-07-19 05:39 EDT, David Timms
winbind audit problems after correcting smb lock directory (1.95 KB, text/plain), 2005-07-20 00:52 EDT, David Timms
audit denieds on winbindd after suggested fixes. (9.77 KB, text/plain), 2005-07-20 11:57 EDT, David Timms

Description David Timms 2005-07-18 10:18:34 EDT
Description of problem:
Various executables are being blocked by audit.

Version-Release number of selected component (if applicable):
# rpm -qa|grep selin
selinux-policy-targeted-1.17.31-1
libselinux-1.19.1-8

How reproducible:
Boot with kernel-2.6.12-1.1372_FC3. 

Steps to Reproduce:
1. start with older kernel 11-27 (maybe earlier running)
2. yum update kernel 11-35? but not rebooted
3. yum update which got newer 12-1 kernel and se-p.-t.
4. reboot to new kernel.
  
Actual results:
The following apps won't start, leaving tell-tale entries in /var/log/messages:

Jul 18 18:33:49 server1 kernel: audit(1121675629.183:0): avc:  denied  { write }
for  pid=2955 exe=/usr/sbin/nscd name=nscd dev=sda9 ino=432867
scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=dir

Jul 18 19:56:12 server1 kernel: audit(1121680551.622:3): avc:  denied  { write }
for  pid=2637 comm="nscd" name="nscd" dev=sda9 ino=432867
scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=dir

Jul 18 19:56:16 server1 kernel: audit(1121680576.855:5): avc:  denied  {
name_connect } for  pid=2960 comm="smbd" dest=631
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:reserved_port_t
tclass=tcp_socket

Jul 18 19:56:16 server1 smbd[2960]:   Unable to connect to CUPS server localhost
- Permission denied

Jul 18 19:56:33 server1 kernel: audit(1121680593.696:7): avc:  denied  {
name_connect } for  pid=3835 comm="eggcups" dest=631
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:reserved_port_t
tclass=tcp_socket

Jul 18 19:56:52 server1 kernel: audit(1121680612.271:9): avc:  denied  {
name_connect } for  pid=3952 comm="rhn-applet-gui" dest=80
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:http_port_t
tclass=tcp_socket

Jul 18 19:56:52 server1 kernel: audit(1121680612.292:18): avc:  denied  {
name_connect } for  pid=3833 comm="rhn-applet-gui" dest=80
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:http_port_t
tclass=tcp_socket

Jul 18 20:02:54 server1 kernel: audit(1121680974.383:116): avc:  denied  {
name_connect } for  pid=4021 comm="mozilla-bin" dest=901
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:reserved_port_t
tclass=tcp_socket

Jul 18 20:03:14 server1 kernel: audit(1121680994.618:117): avc:  denied  {
name_connect } for  pid=3934 comm="gnome-panel" dest=16001
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t
tclass=tcp_socket

Expected results:
The apps should run.

Additional info:
on request...tell me what you need.
Comment 1 Daniel Walsh 2005-07-18 10:22:26 EDT
The latest policy should be selinux-policy-targeted-1.17.30-3.19

Please upgrade to that.
Comment 2 David Timms 2005-07-19 05:39:53 EDT
Created attachment 116915 [details]
var/log/messages where audit is challenging winbindd

OK, I note that the s-p-t installed is a newer (larger = 1.17.31-1) version, but
rpm -q --info gives an older date (tweety compile in Sept/Oct 2004). rpm/yum
think the installed one is newer, so an rpm -Uvh --oldpackage
selinux-policy-targeted-1.17.30-3.19 got it installed.

The machine was fresh installed in about December, and as far as I know has had
updates done using only yum (with the default fedora and updates-released
repos).

So it seems the newer kernel version showed up the fact that the incorrect
s-p-t was installed, but I don't know whether this would happen to other
machines.

The server was rebooted this evening, and now all items above are allowed to do
their thing. However, it seems that winbindd is now getting stopped. I also tried
reinstalling the policy (-Uvh) and the kernel (-e, -ivh) and rebooting, but that
hasn't fixed it.

Is this the same as bug
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143564 (which is resolved
with an older redhat 4 s-p-t 1.17.30-2-88) ? (see attachment if winbind is
new).
Comment 3 Daniel Walsh 2005-07-19 11:32:28 EDT
Are you running your own version of samba?  The standard location for the
tdb file is under /var/cache/samba, not /var/lib.

Dan
Comment 4 David Timms 2005-07-20 00:52:41 EDT
Created attachment 116964 [details]
winbind audit problems after correcting smb lock directory

rpm -q --info samba
..
Version     : 3.0.14a  Vendor: (none)
Release     : 1        Build Date: Fri 15 Apr 2005 16:25:12 EST
Install Date: Sun 08 May 2005 00:36:28 EST Build Host: fc3.plainjoe.org
Group	    : System Environment/Daemons Source RPM: samba-3.0.14a-1.src.rpm

So no, not a Red Hat samba, but instead an FC3 build by samba.org. I confirm that
the package was compiled with default lock directory = /var/lib/samba

I also checked that the fc3 samba-common-3.0.10-1.fc3.i386.rpm definitely has a
default of /var/cache/samba as you describe. Hence your diagnosis of the
secondary fault/problem is correct! Thanks :)

Feel welcome to close the bug as invalid, although with this _different_ samba
corrected to use /var/cache/samba, the attached selinux audit logs show the
policy stopping winbindd from starting, but with different errors. winbind does
start up OK on a separate test machine with the samba-3.0.10-1 installed.
Comment 5 Daniel Walsh 2005-07-20 08:13:31 EDT
I still think you have a labeling problem.  Those files that winbind is trying
to access should not be labeled var_t, they should be in the /var/cache/samba
tree and labeled samba_var_t.  Please restorecon the /var tree

restorecon -R -v /var

Or do the entire system

touch /.autorelabel
reboot

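The denials quoted in the description and the labeling diagnosis in comment 5 are the two failure modes a defender has to tell apart when reading AVC messages: a daemon refused a network connect to a port type (a policy question) versus a daemon refused access to a file still carrying a generic label such as var_t (a labeling question, fixed with restorecon rather than a policy change). The following parser is an added example, not part of the bug report or of the selinux-policy package. It re-joins the AVC lines from the description onto single lines as sample input; the winbindd line in the sample is constructed for illustration (the actual winbindd denials are in the attachments, which are not on this page), and the GENERIC_FILE_TYPES set and the triage labels are this example's own choices.

```python
import re
from collections import Counter

# Sample input: the AVC denials quoted in the bug description, each re-joined onto
# one line (the bug page wraps them), one non-AVC smbd line, and one CONSTRUCTED
# winbindd line of the kind comment 5 describes (a daemon hitting a file still
# labeled var_t). The winbindd pid/ino/timestamp values are made up.
SAMPLE_LOG = """\
Jul 18 18:33:49 server1 kernel: audit(1121675629.183:0): avc:  denied  { write } for  pid=2955 exe=/usr/sbin/nscd name=nscd dev=sda9 ino=432867 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=dir
Jul 18 19:56:16 server1 kernel: audit(1121680576.855:5): avc:  denied  { name_connect } for  pid=2960 comm="smbd" dest=631 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jul 18 19:56:16 server1 smbd[2960]:   Unable to connect to CUPS server localhost - Permission denied
Jul 18 19:56:52 server1 kernel: audit(1121680612.271:9): avc:  denied  { name_connect } for  pid=3952 comm="rhn-applet-gui" dest=80 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket
Jul 18 20:02:54 server1 kernel: audit(1121680974.383:116): avc:  denied  { name_connect } for  pid=4021 comm="mozilla-bin" dest=901 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jul 18 20:03:14 server1 kernel: audit(1121680994.618:117): avc:  denied  { name_connect } for  pid=3934 comm="gnome-panel" dest=16001 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Jul 20 00:40:01 server1 kernel: audit(1121784001.000:42): avc:  denied  { read } for  pid=5120 comm="winbindd" name="winbindd_idmap.tdb" dev=sda9 ino=500001 scontext=user_u:system_r:winbind_t tcontext=system_u:object_r:var_t tclass=file
"""

# Kernel-logged AVC record: audit(<secs>.<ms>:<serial>): avc: denied { perms } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be bare (pid=2955) or double-quoted (comm="smbd").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic file types a confined daemon should normally not be touching. A denial
# against one of these is the classic symptom of a labeling problem (comment 5):
# the file should carry the daemon's private type (e.g. samba_var_t) instead.
# This set is an illustrative choice for the example, not an official list.
GENERIC_FILE_TYPES = {"var_t", "var_lib_t", "var_run_t", "tmp_t", "usr_t",
                      "etc_t", "file_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict for one kernel AVC line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Older kernels log exe=/path, newer ones comm="name"; normalise to one key.
    rec["subject"] = rec.get("comm") or rec.get("exe", "?").rsplit("/", 1)[-1]
    # Contexts are user:role:type[:level]; policy rules are written against the type.
    rec["scontext_type"] = rec.get("scontext", "::").split(":")[2]
    rec["tcontext_type"] = rec.get("tcontext", "::").split(":")[2]
    return rec


def parse_log(text):
    """Parse every AVC record in a /var/log/messages excerpt, skipping other lines."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def classify(rec):
    """Rough triage of a denial into the failure modes discussed in this bug."""
    tclass = rec.get("tclass", "")
    if tclass.endswith("_socket") and "name_connect" in rec["perms"]:
        return "network-policy"   # domain is not allowed to connect to that port type
    if rec["tcontext_type"] in GENERIC_FILE_TYPES:
        return "labeling"         # target likely needs restorecon to its private type
    return "policy"               # anything else: a policy rule or boolean is missing


def remediation_hint(rec):
    """Defender-side next step for a record, as a short string."""
    kind = classify(rec)
    if kind == "labeling":
        return ("%s (%s) denied on %s labeled %s: check the file's expected type and "
                "run 'restorecon -R -v' on its directory"
                % (rec["subject"], rec["scontext_type"], rec.get("name", "?"),
                   rec["tcontext_type"]))
    if kind == "network-policy":
        return ("%s (%s) denied name_connect to port %s (%s): policy change needed"
                % (rec["subject"], rec["scontext_type"], rec.get("dest", "?"),
                   rec["tcontext_type"]))
    return "%s (%s) denied %s on %s: review policy" % (
        rec["subject"], rec["scontext_type"], " ".join(rec["perms"]), rec["tcontext_type"])


def summarize(records):
    """Count denials by (subject, triage class, target type) for a quick overview."""
    return Counter((r["subject"], classify(r), r["tcontext_type"]) for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items()):
        print("%3d  %-16s %-16s %s" % (n, key[0], key[1], key[2]))
    for r in recs:
        print(remediation_hint(r))
```

Run as a script it prints one summary row per (subject, class, target type) and a hint per denial; in this sample the nscd and winbindd records come out as labeling problems (target type var_t), while the smbd, rhn-applet-gui, mozilla-bin and gnome-panel records are name_connect denials against port types, which no amount of relabeling will fix. Note that the nscd records in the description, denied on a var_t directory, are the same labeling pattern comment 5 later identifies for winbindd.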
Comment 6 David Timms 2005-07-20 11:57:10 EDT
Created attachment 116981 [details]
audit denieds on winbindd after suggested fixes.

Dan, thanks very much for your help, I am still not quite there yet!

I'll mark this as resolved current release, since this later problem is really
unrelated to the bug title.
