Bug 187986 - SELinux (FC5) prevents joining Active Directory (net ads join fails)
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-04-05 01:09 EDT by Bernard Bou
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-05-05 11:01:40 EDT
Attachments: None
Description Bernard Bou 2006-04-05 01:09:21 EDT
Description of problem:
Cannot join Active Directory under SELinux (FC5).
net ads join fails if the policy is enforced.

Version-Release number of selected component (if applicable):
Fedora Core 5, selinux-policy-targeted-2.2.25-3.fc5

How reproducible:
Always

Steps to Reproduce:
1. Configure Kerberos so that the host can interact with the Kerberos domain
2. Configure smb.conf
3. net ads join -U administrator%pass
Actual results:
Join fails with "ads_startup: Transport endpoint is not connected".
AVC reports name_connect to the LDAP port denied, and denies writing and locking
of gencache.tdb.

Expected results:
Successful join.


Additional info:
Logs report the following:
Apr  3 17:09:57 ebony kernel: audit(1144076997.956:357): avc:  denied  { write } for  pid=7046 comm="net" name="gencache.tdb" dev=hdb9 ino=1199978 scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:object_r:samba_var_t:s0 tclass=file
Apr  3 17:09:57 ebony kernel: audit(1144076997.956:358): avc:  denied  { lock } for  pid=7046 comm="net" name="gencache.tdb" dev=hdb9 ino=1199978 scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:object_r:samba_var_t:s0 tclass=file
Apr  3 17:09:58 ebony kernel: audit(1144076998.451:359): avc:  denied  { name_connect } for  pid=7117 comm="net" dest=389 scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

which makes sense, as 'net ads join' involves writing data to the cache and
an LDAP connection to the domain controller.

audit2allow yields:
allow samba_net_t ldap_port_t:tcp_socket name_connect;
allow samba_net_t samba_var_t:file { lock write };

If we compare (through apol) what has changed from policy.19 to policy.20, we
get the following, which shows that the required permissions have been removed:

policy.19 (FC4)
---------------
(133911) allow samba_net_t ldap_port_t : tcp_socket { send_msg recv_msg };
(133939) allow samba_net_t ldap_port_t : tcp_socket name_connect;

(133576) allow samba_net_t samba_var_t : dir { read getattr lock search ioctl };
(133681) allow samba_net_t samba_var_t : dir { read getattr lock search ioctl add_name remove_name write };
(133578) allow samba_net_t samba_var_t : file { read getattr lock ioctl };
(133683) allow samba_net_t samba_var_t : file { create ioctl read getattr lock write setattr append link unlink rename };
(133580) allow samba_net_t samba_var_t : lnk_file { getattr read };
(133685) allow samba_net_t samba_var_t : lnk_file { create read getattr setattr link unlink rename };

policy.20 (FC5)
---------------
allow samba_net_t ldap_port_t : tcp_socket { recv_msg send_msg };

allow samba_net_t samba_var_t : dir { ioctl read write getattr lock add_name remove_name search };
allow samba_net_t samba_var_t : file { read create getattr setattr unlink link rename };
allow samba_net_t samba_var_t : lnk_file { read create getattr setattr unlink link rename };
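The reporter's diagnosis follows a mechanical pattern: read the AVC records, reduce them to (source type, target type, class, permissions), and check whether the running policy really lacks those permissions or whether something else (such as a mislabelled file) is going on. The script below is an added example, not part of this bug report, of Fedora's policy, or of the audit2allow/apol tools; it parses AVC denial lines the way audit2allow does, prints the resulting allow rules, and compares them against a listing of allow rules. The AVC lines and the policy.20 rule listing are embedded as constructed sample input copied from the report; function names such as `collect_denials` and `missing_permissions` are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the bug report,
# each joined onto one line, plus one unrelated kernel line to be ignored.
SAMPLE_AVC = """\
Apr  3 17:09:57 ebony kernel: audit(1144076997.956:357): avc:  denied  { write } for  pid=7046 comm="net" name="gencache.tdb" dev=hdb9 ino=1199978 scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:object_r:samba_var_t:s0 tclass=file
Apr  3 17:09:57 ebony kernel: audit(1144076997.956:358): avc:  denied  { lock } for  pid=7046 comm="net" name="gencache.tdb" dev=hdb9 ino=1199978 scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:object_r:samba_var_t:s0 tclass=file
Apr  3 17:09:58 ebony kernel: audit(1144076998.451:359): avc:  denied  { name_connect } for  pid=7117 comm="net" dest=389 scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
Apr  3 17:09:58 ebony kernel: some unrelated kernel message
"""

# Constructed sample input: the samba_net_t rules the report lists for policy.20 (FC5).
POLICY20_RULES = """\
allow samba_net_t ldap_port_t : tcp_socket { recv_msg send_msg };
allow samba_net_t samba_var_t : dir { ioctl read write getattr lock add_name remove_name search };
allow samba_net_t samba_var_t : file { read create getattr setattr unlink link rename };
allow samba_net_t samba_var_t : lnk_file { read create getattr setattr unlink link rename };
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def context_type(ctx):
    """Pull the type out of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial into ((source_type, target_type, tclass), {perms});
    return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    key = (context_type(fields["scontext"]),
           context_type(fields["tcontext"]),
           fields["tclass"])
    return key, set(m.group("perms").split())


def collect_denials(log_text):
    """Aggregate every denial by (source, target, class) -> permission set."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            key, perms = parsed
            denials[key] |= perms
    return dict(denials)


def format_rule(key, perms):
    """Render an allow rule in the form audit2allow prints."""
    stype, ttype, tclass = key
    ordered = sorted(perms)
    body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def generate_rules(log_text):
    """The audit2allow step: one allow rule per (source, target, class)."""
    denials = collect_denials(log_text)
    return [format_rule(k, denials[k]) for k in sorted(denials)]


def parse_policy_rules(rules_text):
    """Read allow rules (apol/sesearch style listing) into a key -> perms map."""
    granted = defaultdict(set)
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        stype, ttype, tclass, body = m.groups()
        granted[(stype, ttype, tclass)] |= set(body.strip("{} ").split())
    return dict(granted)


def missing_permissions(log_text, rules_text):
    """The apol comparison step: denied permissions the listed policy lacks.
    A denial whose permission the policy already grants is dropped, because it
    points at a labelling problem rather than at a missing rule."""
    granted = parse_policy_rules(rules_text)
    missing = {}
    for key, perms in collect_denials(log_text).items():
        gap = perms - granted.get(key, set())
        if gap:
            missing[key] = gap
    return missing


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_AVC):
        print(rule)
    for key, perms in sorted(missing_permissions(SAMPLE_AVC, POLICY20_RULES).items()):
        print("policy.20 lacks", key, sorted(perms))
```

Run against the sample, `generate_rules` reproduces the two rules the reporter got from audit2allow, and `missing_permissions` confirms that both `{ lock write }` on `samba_var_t:file` and `name_connect` on `ldap_port_t:tcp_socket` are absent from the policy.20 listing, which is the evidence that this is a policy regression rather than a mislabelled `gencache.tdb`. Fed the policy.19 rules instead, it returns nothing missing. Checking denials against the granted set this way is also what keeps a local policy module down to the permissions the denial actually needs, instead of loading every rule audit2allow emits.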
Comment 1 Daniel Walsh 2006-04-14 09:30:44 EDT
Fixed in selinux-policy-2.2.32-1.FC5.
Comment 4 Daniel Walsh 2006-05-05 11:01:40 EDT
Closing as these have been marked as modified for a while. Feel free to reopen
if not fixed.
