Bug 164252 - SElinux targeted policy disallows execution of net command from samba-common
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-07-26 06:29 EDT by Tomasz Ostrowski
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.25.3-9
Doc Type: Bug Fix
Last Closed: 2005-08-19 03:49:32 EDT

Attachments
audit.log messages when issuing "net" command as root and as normal user (1.34 KB, text/plain), 2005-07-27 03:36 EDT, Tomasz Ostrowski
Output of "make -C /etc/selinux/targeted/src/policy reload" (5.98 KB, text/plain), 2005-07-27 10:17 EDT, Tomasz Ostrowski

Description Tomasz Ostrowski 2005-07-26 06:29:07 EDT
Description of problem:
SElinux targeted policy disallows execution of net command from samba-common
package. /usr/bin/net is used for remote commands on samba domain controller.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.2-4
samba-common-3.0.14a-2

How reproducible:
Always

Steps to Reproduce:
1. /usr/bin/net

Actual results:
-bash: /usr/bin/net: Permission denied

Expected results:
Usage: [help page]

Additional info:
1. After "setenforce 0" it works.
2. There are no selinux messages in /var/log/messages, which is strange and
confusing.
3. ls -Z /usr/bin/net 
-rwxr-xr-x  root     root     system_u:object_r:samba_net_exec_t /usr/bin/net
Comment 1 Tomasz Ostrowski 2005-07-27 03:36:31 EDT
Created attachment 117184 [details]
audit.log messages when issuing "net" command as root and as normal user

Sorry for the missing AVC messages comment; I missed the audit.log change in
the release notes.

These are the messages added to audit.log when issuing the "net" command as root
and as a normal user. Strangely, audit2allow and audit2why do not produce any
output on this.
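Comment 1 notes that audit2allow and audit2why printed nothing for the attached AVC records. As an added example, not code from the report or from the selinux-policy packages, here is the rule-derivation step those tools perform done by hand in POSIX shell, so a denial can still be read off when the tools are silent. The AVC lines are constructed samples in the FC4 audit.log format (the real attachment is not reproduced on the page), and /var/log/audit/audit.log is an assumed log path.

```shell
#!/bin/sh
# Added example, not from the bug report. Turns AVC denial records from
# audit.log into candidate allow rules, i.e. the step audit2allow performs.
# The records below are CONSTRUCTED samples in the FC4 audit.log format;
# the real messages are in the report's attachment and are not reproduced.
SAMPLE_AVC='type=AVC msg=audit(1122449791.572:1234): avc:  denied  { execute } for  pid=4321 comm="bash" name="net" dev=hda3 ino=98765 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:samba_net_exec_t tclass=file
type=AVC msg=audit(1122449802.113:1240): avc:  denied  { read getattr } for  pid=4321 comm="bash" name="net" dev=hda3 ino=98765 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:samba_net_exec_t tclass=file
type=SYSCALL msg=audit(1122449802.113:1240): arch=40000003 syscall=11 success=no exit=-13 a0=9d2a8f8 a1=9d2ab18 a2=9d2a9b0 a3=0 pid=4321 comm="bash"'

# avc_to_allow: read audit records on stdin and print one candidate rule per
# (source type, target type, object class), merging the denied permissions.
# Non-AVC records (SYSCALL, PATH, ...) are ignored.
avc_to_allow() {
  awk '
  /avc: *denied/ {
    perms = $0                                  # text between "{" and "}"
    sub(/^.*denied *[{] */, "", perms)
    sub(/ *[}].*$/, "", perms)
    src = ""; tgt = ""; cls = ""
    for (i = 1; i <= NF; i++) {                 # contexts are user:role:type
      if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
      else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
      else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
    }
    if (src == "" || tgt == "" || cls == "") next
    key = src " " tgt ":" cls
    if (!(key in rule)) { rule[key] = ""; keys[++n] = key }
    np = split(perms, pl, " ")
    for (j = 1; j <= np; j++) {                 # de-duplicate permissions
      if ((key SUBSEP pl[j]) in seen) continue
      seen[key SUBSEP pl[j]] = 1
      rule[key] = (rule[key] == "") ? pl[j] : rule[key] " " pl[j]
    }
  }
  END { for (i = 1; i <= n; i++) printf "allow %s { %s };\n", keys[i], rule[keys[i]] }'
}

# denials_for TYPE: candidate rules for every denial whose target is TYPE,
# read from the FC4 audit log location (assumed path).
denials_for() {
  grep "tcontext=[^ ]*:$1 " /var/log/audit/audit.log 2>/dev/null | avc_to_allow
}

# Stand-alone demo on the constructed sample; expected single line:
# allow unconfined_t samba_net_exec_t:file { execute read getattr };
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

A rule derived this way is a candidate to check against the shipped policy, not something to paste into local.te unread; here it only makes explicit what the constructed denied exec of the samba_net_exec_t-labelled binary was asking for.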
Comment 2 Daniel Walsh 2005-07-27 09:25:46 EDT
This looks like you have a policy mismatch. Do you have
selinux-policy-targeted-sources installed? If yes,
please execute

make -C /etc/selinux/targeted/src/policy reload

And see if the problem goes away.

Dan
Comment 3 Tomasz Ostrowski 2005-07-27 10:17:41 EDT
Created attachment 117191 [details]
Output of "make -C /etc/selinux/targeted/src/policy reload"

I do have selinux-policy-targeted-sources installed but "make -C
/etc/selinux/targeted/src/policy reload" did not help. I've tried to reinstall
selinux-policy-targeted-sources with "rpm -Uvh --force" - no luck. I've
rebooted - no luck.

I have two lines added to
/etc/selinux/targeted/src/policy/domains/misc/local.te:
allow smbd_t smbd_port_t:tcp_socket name_connect;
allow smbd_t tmp_t:file { read getattr lock unlink };
The first is a workaround for bug #164254; the other allows samba to read
/tmp (it can write but it cannot read - strange - I think I'll report another
bug...).

Everything else is unchanged:
#rpm -V selinux-policy-targeted selinux-policy-targeted-sources
.......T.   /etc/selinux/targeted/contexts/customizable_types
..5....T. c /etc/selinux/targeted/contexts/files/file_contexts
S.5....T. c /etc/selinux/targeted/contexts/files/file_contexts.homedirs
.......T. c /etc/selinux/targeted/contexts/files/homedir_template
.......T.   /etc/selinux/targeted/contexts/port_types
S.5....T.   /etc/selinux/targeted/policy/policy.19
.......T. c /etc/selinux/targeted/users/system.users
S.5....T. c /etc/selinux/targeted/src/policy/domains/misc/local.te
.......T. c /etc/selinux/targeted/src/policy/file_contexts/homedir_template
..?...... c /etc/selinux/targeted/src/policy/file_contexts/program/groupadd.fc
I do have home directories in /var/home instead of /var though. They do have
correct contexts.

These are files in /etc/selinux that are not owned by selinux-policy packages:
#find /etc/selinux -type f | xargs rpm -qf | egrep -v '^selinux-policy-targeted(-sources)?-1\.25\.2-4$'
file /etc/selinux/targeted/src/policy/tmp/program_used_flags.te is not owned by any package
file /etc/selinux/targeted/src/policy/tmp/load is not owned by any package

I'm attaching the output of "make -C /etc/selinux/targeted/src/policy reload"
after "make -C /etc/selinux/targeted/src/policy clean".
Comment 4 Daniel Walsh 2005-07-27 10:27:12 EDT
So after doing this the net command still blows up with that error?

Dan
Comment 5 Tomasz Ostrowski 2005-07-27 10:35:37 EDT
Yes. Only timestamps, "a0", "a1", "a2" and "pid" change.
Comment 6 Daniel Walsh 2005-07-28 12:44:55 EDT
Fixed in selinux-policy-targeted-1.25.3-9
