Description of problem:
The Fedora machine is set up as a Samba PDC, but trying to join a Windows machine to the domain fails if SELinux is in enforcing mode; the samba log shows that machine account creation failed. In permissive mode joining succeeds, but with a large number of SELinux alerts.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-40.fc6

How reproducible:
always

Steps to Reproduce:
1. Set up Samba as a primary domain controller
2. Log in to a Windows machine and try to join the domain created in step 1.

Actual results:
The machine account isn't created and joining fails.

Expected results:
The Windows machine is added to the domain and a machine account is created.

Additional info:
The error in smb.log when trying to add a machine "opetus5" to the domain with SELinux in enforcing mode:

[2007/02/21 13:31:43, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false opetus5$' gave 82
Please grab the avc messages from /var/log/audit/audit.log or /var/log/messages.
The message while in enforcing mode:

avc: denied { search } for comm="smbd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="bin" pid=2748 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0

In permissive mode:

avc: denied { lock } for comm="adduser" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=".pwd.lock" path="/etc/.pwd.lock" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:shadow_t:s0 tty=(none) uid=0
avc: denied { write } for comm="adduser" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=5 fsgid=0 fsuid=0 gid=0 items=0 name="passwd.2926" path="/etc/passwd.2926" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0
avc: denied { read } for comm="adduser" dev=dm-2 egid=0 euid=0 exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="useradd" path="/usr/sbin/useradd" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:useradd_exec_t:s0 tty=(none) uid=0
avc: denied { create } for comm="adduser" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=6 fsgid=0 fsuid=0 gid=0 items=0 name="passwd.2926" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0
avc: denied { read, write } for comm="adduser" dev=dm-3 egid=0 euid=0 exe="/usr/sbin/useradd" exit=10 fsgid=0 fsuid=0 gid=0 items=0 name="faillog" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:faillog_t:s0 tty=(none) uid=0
avc: denied { read, write } for comm="adduser" dev=dm-3 egid=0 euid=0 exe="/usr/sbin/useradd" exit=10 fsgid=0 fsuid=0 gid=0 items=0 name="lastlog" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:lastlog_t:s0 tty=(none) uid=0
avc: denied { unlink } for comm="adduser" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="passwd" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0
avc: denied { setattr } for comm="adduser" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="passwd-" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0
avc: denied { create } for comm="adduser" egid=0 euid=0 exe="/usr/sbin/useradd" exit=6 fsgid=0 fsuid=0 gid=0 items=0 name="passwd+" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0
avc: denied { setattr } for comm="adduser" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="passwd+" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0
Created attachment 148597
Try this policy package.

Save this attachment to a directory by itself and name it mysamba.te, then install selinux-policy-devel:

# yum -y install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mysamba.pp

Now try samba in enforcing mode and see if it works. I will update fc6 with this policy if it does.
After installing the above policy package joining the domain works, but with an SELinux message:

SELinux is preventing /usr/sbin/useradd (useradd_t) "append" to /var/log/samba/smbd.log (samba_log_t).

avc: denied { append } for comm="adduser" dev=dm-3 egid=0 euid=0 exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="smbd.log" path="/var/log/samba/smbd.log" pid=2588 scontext=system_u:system_r:useradd_t:s0 sgid=0 subj=system_u:system_r:useradd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:samba_log_t:s0 tty=(none) uid=0
Fixed in selinux-policy-2.4.6-46
I can't test joining machines at the moment, but selinux-policy-2.4.6-46 breaks user management with User Manager for Domains. Adding or deleting users causes SELinux denials, and probably the same would happen with machine accounts.

avc: denied { search } for comm="smbd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="bin" pid=3068 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0
Fixed in selinux-policy-2.4.6-48
With selinux-policy-targeted-2.4.6-49.fc6 User Manager for Domains remains broken, but the error has changed. Trying to add a new user gives:

avc: denied { read } for comm="smbd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="sh" pid=3059 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=lnk_file tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0
Fixed in selinux-policy-2.4.6-52
I tested joining machines to the domain again with selinux-policy-targeted-2.4.6-54.fc6 and it still doesn't work. The denial messages keep changing with each version, but the final result remains the same. This time the message is:

avc: denied { read } for comm="sh" dev=dm-2 egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="adduser" pid=2710 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=lnk_file tcontext=system_u:object_r:sbin_t:s0 tty=(none) uid=0
If you add this allow rule using

grep smbd_t /var/log/audit/audit.log | audit2allow -M mysamba
semodule -i mysamba.pp

does it work? If not, try setenforce 0 and gather all the AVC messages. We have tested this on FC7/Rawhide and it is working now. I will add a rule to allow this in the next build, but I want to fix this.
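An added example, not part of this bug report or of the Fedora policy: before loading a module that audit2allow built from every smbd_t denial in audit.log, it helps to see what the generated allow rules would grant. The parser below reads AVC records in the format quoted in this report, collapses them to (source type, target type, class) -> permissions, which is the shape of the rules audit2allow emits, and marks rules whose target type is in a constructed review list (an assumption; in this report those denials went away once useradd ran in its own domain rather than under smbd_t).

```python
import re
from collections import defaultdict

# One AVC record in the format of this report's audit.log excerpts.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def sel_type(ctx):
    """system_u:system_r:smbd_t:s0 -> smbd_t (the type component of a context)."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Parse one AVC denial line; returns None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'perms': m.group('perms').replace(',', ' ').split(),
            'comm': f.get('comm', ''), 'name': f.get('name', ''),
            'stype': sel_type(f.get('scontext', '')),
            'ttype': sel_type(f.get('tcontext', '')), 'tclass': f.get('tclass', '')}

def summarize(lines):
    """Collapse denials to (source type, target type, class) -> sorted permissions,
    the same shape as the allow rules audit2allow generates from them."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {k: sorted(v) for k, v in rules.items()}

# Constructed review list (an assumption, not from the report): target types where an
# allow rule from smbd_t would let the file server touch account databases directly.
SENSITIVE_TYPES = {'shadow_t', 'etc_t', 'useradd_exec_t'}

def as_te(rules):
    """Render the summary as allow rules, marking sensitive targets for review."""
    return [f'allow {s} {t}:{c} {{ {" ".join(p)} }};' + ('  # review' if t in SENSITIVE_TYPES else '')
            for (s, t, c), p in sorted(rules.items())]

# Constructed sample input, trimmed from the denials quoted in this report.
SAMPLE_LOG = [
    'avc: denied { search } for comm="smbd" name="bin" scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:bin_t:s0',
    'avc: denied { lock } for comm="adduser" name=".pwd.lock" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:shadow_t:s0',
    'avc: denied { write } for comm="adduser" name="passwd.2926" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:etc_t:s0',
    'avc: denied { create } for comm="adduser" name="passwd.2926" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:etc_t:s0',
    'avc: denied { read } for comm="adduser" name="useradd" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:useradd_exec_t:s0',
    'type=SYSCALL success=no exit=-13',  # constructed non-AVC line: ignored by the parser
]
```

Run `print('\n'.join(as_te(summarize(SAMPLE_LOG))))` to see the rules; on a real system feed it the output of `grep smbd_t /var/log/audit/audit.log` instead of SAMPLE_LOG.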
> grep smbd_t /var/log/audit/audit.log | audit2allow -M mysamba
> semodule -i mysamba.pp

Yes, this worked.
Fixed in selinux-policy-2.4.6-69