From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
The update to 2.110 targeted policy adds an application domain for "ntlm_auth", but fails to correctly permit access to /var/cache/samba - thus breaking usage of ntlm_auth

audit(1131450469.728:0): avc: denied { search } for pid=23359 comm=ntlm_auth name=samba dev=dm-0 ino=8553559 scontext=root:system_r:winbind_helper_t tcontext=system_u:object_r:samba_var_t tclass=dir

[root@radius1 policy]# find /var/cache/samba -inum 8553559
/var/cache/samba

[root@radius1 samba]# ll -Za
drwxr-xr-x  root root  system_u:object_r:samba_var_t          .
drwxr-xr-x  root root  system_u:object_r:var_t                ..
drwxr-x---  root squid system_u:object_r:winbind_var_run_t    winbindd_privileged

...and the appropriate bits of the application policy:

application_domain(winbind_helper, `, nscd_client_domain')
role system_r types winbind_helper_t;
allow winbind_t devpts_t:dir { search };
ifdef(`targeted_policy', `
allow winbind_t { devtty_t devpts_t }:chr_file { read write };
')
allow winbind_t admin_tty_type:chr_file { read write };
read_locale(winbind_helper_t)
r_dir_file(winbind_helper_t, samba_etc_t)
r_dir_file(winbind_t, samba_etc_t)
allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
can_winbind(winbind_helper_t)
allow winbind_helper_t privfd:fd use;

Note the missing "r_dir_file(winbind_helper_t, samba_var_t)"

Filing as "security" because the effect is to disable SELinux or weaken the policy protection.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.110

How reproducible:
Always

Steps to Reproduce:
1. Configure and use ntlm_auth
2. Update to policy 2.110
3. Broken

Actual Results:
It broke

Expected Results:
It should have worked

Additional info:
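The report above does by hand what a small checker can do: parse the AVC denial, find the source type, target type, object class and permission it names, and see whether the policy fragment actually grants that permission. The script below is an added example and is not code from the bug report or from the selinux-policy package. It uses the denial line and the policy fragment quoted in the report as its sample input. The expansions of r_dir_perms, r_file_perms and the r_dir_file() macro are an assumption (they follow the definitions of that era's policy macros as I recall them), ifdef() blocks are treated as unconditionally present, and only raw allow rules and r_dir_file() calls are understood; other macros in the fragment are ignored.

```python
"""Check an SELinux AVC denial against a policy fragment.

Added example, not code from the bug report. It parses a denial line such
as the one in the report, checks whether a fragment of the old RHEL4-era
policy language grants the denied permission, and if not suggests the
macro the reporter says is missing. Macro expansions below are an
assumption based on the policy macros of that era.
"""
import re

# Assumed expansions of the permission-set names used in the fragment.
PERM_SETS = {
    "r_dir_perms": {"read", "getattr", "lock", "search", "ioctl"},
    "r_file_perms": {"read", "getattr", "lock", "ioctl"},
}

IDENT = r"[A-Za-z0-9_]+"
SET = r"\{[^}]*\}|" + IDENT          # either '{ a b }' or a single name
ALLOW_RE = re.compile(
    r"^\s*allow\s+(" + SET + r")\s+(" + SET + r"):(" + SET + r")\s+(" + SET + r")\s*;",
    re.M,
)
R_DIR_FILE_RE = re.compile(
    r"^\s*r_dir_file\(\s*(" + IDENT + r")\s*,\s*(" + IDENT + r")\s*\)", re.M
)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")

# Sample input copied from the bug report above.
AVC_LINE = (
    "audit(1131450469.728:0): avc: denied { search } for pid=23359 comm=ntlm_auth "
    "name=samba dev=dm-0 ino=8553559 scontext=root:system_r:winbind_helper_t "
    "tcontext=system_u:object_r:samba_var_t tclass=dir"
)
POLICY_FRAGMENT = """
application_domain(winbind_helper, `, nscd_client_domain')
role system_r types winbind_helper_t;
allow winbind_t devpts_t:dir { search };
ifdef(`targeted_policy', `
allow winbind_t { devtty_t devpts_t }:chr_file { read write };
')
allow winbind_t admin_tty_type:chr_file { read write };
read_locale(winbind_helper_t)
r_dir_file(winbind_helper_t, samba_etc_t)
r_dir_file(winbind_t, samba_etc_t)
allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
can_winbind(winbind_helper_t)
allow winbind_helper_t privfd:fd use;
"""


def _names(token):
    """'{ a b }' -> ['a', 'b'];  'a' -> ['a']."""
    return token.strip("{} ").split()


def _perms(token):
    """Expand a permission token, resolving known *_perms set names."""
    out = set()
    for name in _names(token):
        out |= PERM_SETS.get(name, {name})
    return out


def parse_avc(line):
    """Extract perms, comm, source type, target type and class from an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: " + line)
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "source": fields["scontext"].split(":")[2],  # user:role:type[:mls]
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def load_rules(policy_text):
    """Expand allow rules and r_dir_file() calls into (src, tgt, class, perms)."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(policy_text):
        for s in _names(src):
            for t in _names(tgt):
                for c in _names(cls):
                    rules.append((s, t, c, _perms(perms)))
    for src, tgt in R_DIR_FILE_RE.findall(policy_text):
        rules.append((src, tgt, "dir", PERM_SETS["r_dir_perms"]))
        for c in ("file", "lnk_file"):
            rules.append((src, tgt, c, PERM_SETS["r_file_perms"]))
    return rules


def is_allowed(rules, src, tgt, cls, perm):
    return any(s == src and t == tgt and c == cls and perm in p
               for s, t, c, p in rules)


def check_denial(policy_text, avc_line):
    """Return None if the fragment grants the denied access, else a suggested rule."""
    avc = parse_avc(avc_line)
    rules = load_rules(policy_text)
    missing = [p for p in avc["perms"]
               if not is_allowed(rules, avc["source"], avc["target"], avc["tclass"], p)]
    if not missing:
        return None
    raw = "allow %s %s:%s { %s };" % (avc["source"], avc["target"],
                                      avc["tclass"], " ".join(missing))
    if avc["tclass"] == "dir" and set(missing) <= PERM_SETS["r_dir_perms"]:
        return "r_dir_file(%s, %s)   # or minimally: %s" % (avc["source"], avc["target"], raw)
    return raw


if __name__ == "__main__":
    print(check_denial(POLICY_FRAGMENT, AVC_LINE))
```

Run against the report's own fragment it reports the r_dir_file(winbind_helper_t, samba_var_t) line the reporter identified as missing; append that line to the fragment and it reports nothing, while the existing winbind_var_run_t and samba_etc_t accesses are already recognised as granted.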
Fixed in U3 Policy Snapshot available in ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3
Ok. Any chance of an errata before U3? Or can we be sure that this policy will update cleanly on our RHEL4 systems and also be updated when U3 comes out? Or should I just give up and turn SELinux off? Also: ntlm_auth is unable to write to the console in this policy, so you can't run it interactively for testing or get the help output.
Yes, decisions are being made on whether to errata this or not. This policy will upgrade fine on RHEL4, since this policy or a newer version will be the U3 policy.
I have just tested this. selinux-policy-targeted 1.17.30 release 2.120 did NOT appear to fix the problem. In fact, the labels on the files and the policy seem identical.
Policy in 2.126 should fix this problem. You might need to relabel the directories.
A fix for this was released in selinux-policy-targeted-1.17.30-2.140. If you are still experiencing problems related to this bug, please reopen.