Description of problem:
SELinux targeted policy disallows execution of net command from samba-common package. /usr/bin/net is used for remote commands on samba domain controller.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.2-4
samba-common-3.0.14a-2

How reproducible:
Always

Steps to Reproduce:
1. /usr/bin/net

Actual results:
-bash: /usr/bin/net: Permission denied

Expected results:
Usage: [help page]

Additional info:
1. After "setenforce 0" it works.
2. There are no selinux messages in /var/log/messages, which is strange and confusing.
3. ls -Z /usr/bin/net
-rwxr-xr-x  root     root     system_u:object_r:samba_net_exec_t /usr/bin/net
Created attachment 117184 [details]
audit.log messages when issuing "net" command as root and as normal user

Sorry for the missing avc messages comment - I've missed the audit.log change in the release notes. These are messages added to audit.log when issuing the "net" command as root and as a normal user. Strangely, audit2allow and audit2why do not produce any output on this.
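The attachment referred to above is not reproduced on this page, so the following is an added example (not code from the reporter, from Red Hat, or from the audit2allow tool) showing what a minimal audit2allow-style pass over audit.log does: it picks the AVC records out of the mixed AVC/SYSCALL stream, extracts source type, target type, object class and permission set, and merges them into allow rules in the same form as the local.te lines discussed later in this bug. The sample records are constructed for this example; the pids, inodes, timestamps and the unconfined_t source context are placeholders, not values from the reporter's attachment. Running it over a log that contains only SYSCALL records returns no rules, which is the "no output" situation described above.

```python
import re

# Constructed sample of audit.log content, laid out like SELinux AVC and SYSCALL
# records. Every numeric field and context is a placeholder for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1125000000.123:45): avc:  denied  { execute } for  pid=4321 comm="bash" name="net" dev=hda2 ino=123456 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:samba_net_exec_t tclass=file
type=SYSCALL msg=audit(1125000000.123:45): arch=40000003 syscall=11 success=no exit=-13 a0=8e7a2b8 a1=8e7a3c0 a2=8e7a2a0 a3=0 items=0 pid=4321 auid=0 uid=0 gid=0 comm="bash" exe="/bin/bash" subj=root:system_r:unconfined_t
type=AVC msg=audit(1125000000.456:46): avc:  denied  { read getattr } for  pid=4322 comm="smbd" name="foo.txt" dev=hda2 ino=7890 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:tmp_t tclass=file
"""

# Only AVC records carry the denial itself; SYSCALL records for the same event id
# hold the arguments (a0, a1, ...) and process details, but no contexts or class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Return one record per AVC line, skipping every other record type."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = COMM_RE.search(line)
        records.append({
            "action": m.group("action"),
            "perms": sorted(m.group("perms").split()),
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "comm": comm.group(1) if comm else "",
        })
    return records


def summarize_denials(records):
    """Merge denials sharing (source type, target type, class) into allow rules.

    The output uses the same syntax as the local.te additions in this bug. A
    real audit2allow also consults the loaded policy; this is the textual part
    only, so a rule here means "the log shows this denial", not "this rule is
    the right fix" (a mislabelled file or a stale policy needs a relabel or a
    policy reload instead of a new allow rule).
    """
    merged = {}
    for r in records:
        if r["action"] != "denied":
            continue
        key = (r["stype"], r["ttype"], r["tclass"])
        merged.setdefault(key, set()).update(r["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rec in parse_avc(SAMPLE_AUDIT_LOG):
        print(f'{rec["comm"]}: {rec["stype"]} -> {rec["ttype"]}:{rec["tclass"]} {rec["perms"]}')
    for rule in summarize_denials(parse_avc(SAMPLE_AUDIT_LOG)):
        print(rule)
```

On a real system the input would be the contents of /var/log/audit/audit.log rather than the constructed string; the point of the record split is that grepping /var/log/messages, as the original report did, misses these lines entirely once auditd is the destination.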
This looks like you have a policy mismatch. Do you have selinux-policy-targeted-sources installed? If yes, please execute

make -C /etc/selinux/targeted/src/policy reload

and see if the problem goes away.

Dan
Created attachment 117191 [details]
Output of "make -C /etc/selinux/targeted/src/policy reload"

I do have selinux-policy-targeted-sources installed but "make -C /etc/selinux/targeted/src/policy reload" did not help. I've tried to reinstall selinux-policy-targeted-sources with "rpm -Uvh --force" - no luck. I've rebooted - no luck.

I have two lines added to /etc/selinux/targeted/src/policy/domains/misc/local.te:

allow smbd_t smbd_port_t:tcp_socket name_connect;
allow smbd_t tmp_t:file { read getattr lock unlink };

First is a workaround for bug #164254, the other is for allowing samba to read /tmp (it can write but it cannot read - strange - I think I'll report another bug...).

Everything else is unchanged:

#rpm -V selinux-policy-targeted selinux-policy-targeted-sources
.......T.   /etc/selinux/targeted/contexts/customizable_types
..5....T. c /etc/selinux/targeted/contexts/files/file_contexts
S.5....T. c /etc/selinux/targeted/contexts/files/file_contexts.homedirs
.......T. c /etc/selinux/targeted/contexts/files/homedir_template
.......T.   /etc/selinux/targeted/contexts/port_types
S.5....T.   /etc/selinux/targeted/policy/policy.19
.......T. c /etc/selinux/targeted/users/system.users
S.5....T. c /etc/selinux/targeted/src/policy/domains/misc/local.te
.......T. c /etc/selinux/targeted/src/policy/file_contexts/homedir_template
..?...... c /etc/selinux/targeted/src/policy/file_contexts/program/groupadd.fc

I do have home directories in /var/home instead of /var though. They do have correct contexts.

These are files in /etc/selinux that are not owned by selinux-policy packages:

#find /etc/selinux -type f | xargs rpm -qf | egrep -v '^selinux-policy-targeted(-sources)?-1\.25\.2-4$'
file /etc/selinux/targeted/src/policy/tmp/program_used_flags.te is not owned by any package
file /etc/selinux/targeted/src/policy/tmp/load is not owned by any package

I'm attaching the output of "make -C /etc/selinux/targeted/src/policy reload" after "make -C /etc/selinux/targeted/src/policy clean".
So after doing this the net command still blows up with that error?

Dan
Yes. Only timestamps, "a0", "a1", "a2" and "pid" change.
Fixed in selinux-policy-targeted-1.25.3-9