Bug 164254 - SElinux targeted policy breaks samba smbd with security=server
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-07-26 06:49 EDT by Tomasz Ostrowski
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.25.3-9
Doc Type: Bug Fix
Last Closed: 2005-08-19 03:51:05 EDT


Attachments:
audit.log messages when connecting to samba with security=server (3.63 KB, text/plain), 2005-07-27 03:20 EDT, Tomasz Ostrowski

Description Tomasz Ostrowski 2005-07-26 06:49:39 EDT
Description of problem:
SELinux targeted policy breaks samba smbd with security=server (probably also
with security=domain), which means that samba will authenticate against a Windows
domain controller.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.2-4
samba-3.0.14a-2

How reproducible:
Always

Steps to Reproduce:
1. set "security=server" and "password server=[PDC]" in /etc/samba/smb.conf
2. service smb restart
3. smbclient \\localhost\[share]
  

Actual results:

session setup failed: NT_STATUS_LOGON_FAILURE

In /var/log/samba/smbd.log:
[2005/07/26 12:37:18, 1] libsmb/cliconnect.c:cli_connect(1330)
  Error connecting to [PDC_IP] (Permission denied)
[2005/07/26 12:37:18, 0] auth/auth_server.c:server_cryptkey(83)
  password server not available
[2005/07/26 12:37:18, 1] libsmb/cliconnect.c:cli_connect(1330)
  Error connecting to [PDC_IP] (Permission denied)
[2005/07/26 12:37:18, 1] libsmb/cliconnect.c:cli_start_connection(1410)
  cli_full_connection: failed to connect to [PDC]<20> ([PDC_IP])
[2005/07/26 12:37:18, 1] libsmb/cliconnect.c:cli_connect(1330)
  Error connecting to [PDC_IP] (Permission denied)
[2005/07/26 12:37:18, 0] auth/auth_server.c:server_cryptkey(83)
  password server not available
[2005/07/26 12:37:18, 1] auth/auth_server.c:check_smbserver_security(252)
  password server is not connected (cli not initilised)

In /var/log/messages:
Jul 26 12:37:18 pancernik smbd[8267]: [2005/07/26 12:37:18, 0]
auth/auth_server.c:server_cryptkey(83) 
Jul 26 12:37:18 pancernik smbd[8267]:   password server not available 
Jul 26 12:37:18 pancernik smbd[8267]: [2005/07/26 12:37:18, 0]
auth/auth_server.c:server_cryptkey(83) 
Jul 26 12:37:18 pancernik smbd[8267]:   password server not available 


Expected results:

Domain=[[DOMAIN]] OS=[Unix] Server=[Samba 3.0.14a-2]
smb: \> 


Additional info:

1. After "setsebool smbd_disable_trans 1" and "service smb restart" it works.
2. There are no SELinux messages in /var/log/messages, which is strange and
confusing.
3. /bin/ls -Z /usr/sbin/smbd /usr/bin/smbclient
-rwxr-xr-x  root     root     system_u:object_r:bin_t          /usr/bin/smbclient
-rwxr-xr-x  root     root     system_u:object_r:smbd_exec_t    /usr/sbin/smbd

Comment 1 Daniel Walsh 2005-07-26 14:43:27 EDT
AVC Messages are probably in /var/log/audit/audit.log

Comment 2 Tomasz Ostrowski 2005-07-27 03:20:27 EDT
Created attachment 117183 [details]
audit.log messages when connecting to samba with security=server

I haven't read the release notes carefully enough and missed this audit.log change.
Sorry.

I'm attaching an audit.log fragment which was written during "service smbd
restart" and "smbclient //localhost/[username] -U [username]". audit2allow on
this fragment generated:
allow smbd_t smbd_port_t:tcp_socket name_connect;
When I added this to "/etc/selinux/targeted/src/policy/domains/misc/local.te"
and ran "make -C /etc/selinux/targeted/src/policy/ load" and "service smb restart",
I could connect to the share.
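
The step described in Comments 1 and 2, reading AVC denials from /var/log/audit/audit.log and collapsing them into candidate allow rules, as an added example (not part of the original bug report and not audit2allow's own code). The log lines are constructed in audit.log AVC format, not taken from the attachment, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log AVC format (not the attachment from this bug).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1122448827.101:301): avc:  denied  { name_connect } for  pid=8267 comm="smbd" dest=445 scontext=root:system_r:smbd_t tcontext=system_u:object_r:smbd_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1122448827.101:301): arch=40000003 syscall=102 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1122448827.140:302): avc:  denied  { name_connect } for  pid=8267 comm="smbd" dest=139 scontext=root:system_r:smbd_t tcontext=system_u:object_r:smbd_port_t tclass=tcp_socket
type=AVC msg=audit(1122448830.002:310): avc:  granted  { read } for  pid=8301 comm="ls" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return fields[2]

def denials_to_rules(log_text):
    """Collapse AVC denials into sorted, de-duplicated allow rules."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:  # SYSCALL records, granted AVCs, unrelated lines
            continue
        key = (context_type(match["scon"]), context_type(match["tcon"]), match["tclass"])
        perms_by_key[key].update(match["perms"].split())
    rules = []
    for (source, target, tclass), perms in sorted(perms_by_key.items()):
        perm_list = sorted(perms)
        perm_text = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

On the constructed input this yields the same rule the reporter obtained from audit2allow; the two denials on different destination ports collapse into one rule because both ports carry the smbd_port_t label.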

Comment 3 Daniel Walsh 2005-07-28 12:45:44 EDT
Fixed in selinux-policy-targeted-1.25.3-9
