Bug 172685 - Policy update breaks ntlm_auth
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Hardware: i386 Linux
Priority: medium Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-11-08 07:27 EST by Phil Mayers
Modified: 2008-02-18 20:56 EST (History)

Fixed In Version: 4.4
Doc Type: Bug Fix
Last Closed: 2008-02-18 20:56:44 EST

Description Phil Mayers 2005-11-08 07:27:36 EST

Description of problem:
The update to the 2.110 targeted policy adds an application domain for "ntlm_auth", but fails to correctly permit access to /var/cache/samba, thus breaking usage of ntlm_auth.

audit(1131450469.728:0): avc:  denied  { search } for  pid=23359 comm=ntlm_auth name=samba dev=dm-0 ino=8553559 scontext=root:system_r:winbind_helper_t tcontext=system_u:object_r:samba_var_t tclass=dir

[root@radius1 policy]# find /var/cache/samba -inum 8553559
[root@radius1 samba]# ll -Za
drwxr-xr-x  root     root     system_u:object_r:samba_var_t    .
drwxr-xr-x  root     root     system_u:object_r:var_t          ..
drwxr-x---  root     squid    system_u:object_r:winbind_var_run_t winbindd_privileged

...and the appropriate bits of the application policy:

application_domain(winbind_helper, `, nscd_client_domain')
role system_r types winbind_helper_t;
allow winbind_t devpts_t:dir { search };
ifdef(`targeted_policy', `
allow winbind_t { devtty_t devpts_t }:chr_file { read write };
allow winbind_t admin_tty_type:chr_file { read write };
r_dir_file(winbind_helper_t, samba_etc_t)
r_dir_file(winbind_t, samba_etc_t)
allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
allow winbind_helper_t privfd:fd use;

Note the missing "r_dir_file(winbind_helper_t, samba_var_t)".

Filing as "security" because the effect is to disable SELinux or weaken the policy protection.

Steps to Reproduce:
1. Configure and use ntlm_auth
2. Update to policy 2.110
3. Broken

Actual Results:  It broke

Expected Results:  It should have worked

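The triage step behind this report, an AVC denial that points at a rule the policy lacks, as an added Python example (not from the bug, the reporter, or the selinux-policy package): it parses the quoted denial, expands a constructed copy of the quoted policy fragment under a simplified subset of the policy language (only `allow` statements and `r_dir_file()`, with the reference-policy expansion of `r_dir_perms`/`r_file_perms`), and reports which denied permission no rule grants, which is exactly the `samba_var_t` search the report identifies. The parser and the rule expander are assumptions of this example, not any real tool's API.

```python
import re
# Constructed copies of the AVC denial and of the policy fragment quoted in the report.
AVC_LINE = ("audit(1131450469.728:0): avc:  denied  { search } for  pid=23359 "
            "comm=ntlm_auth name=samba dev=dm-0 ino=8553559 "
            "scontext=root:system_r:winbind_helper_t "
            "tcontext=system_u:object_r:samba_var_t tclass=dir")
POLICY_FRAGMENT = """
allow winbind_t devpts_t:dir { search };
allow winbind_t { devtty_t devpts_t }:chr_file { read write };
r_dir_file(winbind_helper_t, samba_etc_t)
allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
"""
PERM_SETS = {"r_dir_perms": {"read", "getattr", "lock", "search", "ioctl"},  # refpolicy macro sets
             "r_file_perms": {"read", "getattr", "lock", "ioctl"}}
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?scontext=(?P<sctx>\S+)"
                    r" tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)")
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\{[^}]*\}|\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
RDF_RE = re.compile(r"r_dir_file\((\w+),\s*(\w+)\)")

def parse_avc(line):
    """Type fields (contexts are user:role:type[:level]) and denied perms of one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": set(m["perms"].split()), "tclass": m["tclass"],
            "stype": m["sctx"].split(":")[2], "ttype": m["tctx"].split(":")[2]}

def expand_rules(policy_text):
    """Expand allow statements and r_dir_file() macros to (src, tgt, class, perms)."""
    rules = []
    for src, tgts, tclass, perms in ALLOW_RE.findall(policy_text):
        # perms is "{ a b }", one perm, or a named set; tgts may be a "{ t1 t2 }" set
        pset = set().union(*[PERM_SETS.get(p, {p}) for p in perms.strip("{} ").split()])
        for tgt in tgts.strip("{} ").split():
            rules.append((src, tgt, tclass, pset))
    for src, tgt in RDF_RE.findall(policy_text):   # r_dir_file grants dir + file read
        rules.append((src, tgt, "dir", PERM_SETS["r_dir_perms"]))
        rules.append((src, tgt, "file", PERM_SETS["r_file_perms"]))
    return rules

def missing_perms(avc, rules):
    """Denied permissions that no expanded rule grants for this (src, tgt, class)."""
    key = (avc["stype"], avc["ttype"], avc["tclass"])
    granted = set().union(*[p for s, t, c, p in rules if (s, t, c) == key])
    return avc["perms"] - granted

def suggest_rule(avc, rules):
    """Smallest allow rule covering the denial, or None if the fragment already allows it."""
    missing = missing_perms(avc, rules)
    return None if not missing else "allow %s %s:%s { %s };" % (
        avc["stype"], avc["ttype"], avc["tclass"], " ".join(sorted(missing)))
```

Appending the reporter's suggested `r_dir_file(winbind_helper_t, samba_var_t)` to the fragment makes `missing_perms` return an empty set, confirming that one macro covers the logged denial.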
Comment 1 Daniel Walsh 2005-11-08 10:05:38 EST
Fixed in U3 Policy

Snapshot available in 


Comment 2 Phil Mayers 2005-11-15 05:45:57 EST
Ok. Any chance of an errata before U3? Or can we be sure that this policy will
update cleanly on our RHEL4 systems and also be updated when U3 comes out? Or
should I just give up and turn SELinux off?

Also: ntlm_auth is unable to write to the console in this policy, so you can't
run it interactively for testing or get the help output.
Comment 3 Daniel Walsh 2005-11-15 08:53:33 EST
Yes, decisions are being made on whether to errata this or not.  This
policy will upgrade fine on RHEL4, since this policy or a newer version will
be the U3 policy.
Comment 5 Phil Mayers 2005-12-05 12:17:38 EST
I have just tested this. selinux-policy-targeted 1.17.30 release 2.120 did NOT
appear to fix the problem. In fact, the labels on the files and the policy seem
Comment 7 Daniel Walsh 2006-02-22 11:10:39 EST
Policy in 2.126 should fix this problem.  You might need to relabel the directories.
Comment 12 Ben Levenson 2008-02-18 20:56:44 EST
A fix for this was released in selinux-policy-targeted-1.17.30-2.140.
If you are still experiencing problems related to this bug, please reopen.
