Bug 233625 - SELinux prevents winbindd to access NIS and stops.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.4
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2007-03-23 10:32 EDT by Jose Plans
Modified: 2010-10-22 09:58 EDT
Fixed In Version: RHBA-2007-0741
Doc Type: Bug Fix
Last Closed: 2007-11-15 11:07:04 EST

Attachments
SELinux prevents to create folder /var/log/samba/cores/winbindd (scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t) (642 bytes, text/plain)
2007-10-16 20:13 EDT, Josef Kubin

Description Jose Plans 2007-03-23 10:32:27 EDT
Description of problem:

Winbindd seems to be denied access to NIS by SELinux when the policy is enforced.
The messages below were generated with the policy in Permissive mode.

winbind: winbindd startup succeeded
kernel: audit(1160051253.446:3251): avc:  denied  { search } for  pid=5641
comm="winbindd" name="yp" dev=dm-4 ino=540673 scontext=root:system_r:winbind_t
tcontext=system_u:object_r:var_yp_t tclass=dir
kernel: audit(1160051253.668:3252): avc:  denied  { read } for  pid=5641
comm="winbindd" name="linuxnis.2" dev=dm-4 ino=540679
scontext=root:system_r:winbind_t tcontext=user_u:object_r:var_yp_t tclass=file
kernel: audit(1160051253.895:3253): avc:  denied  { name_bind } for  pid=5641
comm="winbindd" src=729 scontext=root:system_r:winbind_t
tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
kernel: audit(1160051286.563:3254): avc:  denied  { unlink } for  pid=5641
comm="winbindd" name="pipe" dev=dm-4 ino=933912 scontext=root:system_r:winbind_t
tcontext=root:object_r:samba_log_t tclass=sock_file
kernel: audit(1160051286.793:3255): avc:  denied  { create } for  pid=5641
comm="winbindd" name="pipe" scontext=root:system_r:winbind_t
tcontext=root:object_r:samba_log_t tclass=sock_file

This happens when the customer has his nss configuration as follows:
/etc/nsswitch.conf

            service: files nis


Version-Release number of selected component (if applicable):
samba-3.0.10-1.4E.11
selinux-policy-targeted-1.17.30-2.140

How reproducible:
Starting Winbindd

Steps to Reproduce:
1. % service winbind start -or- % winbindd
  
Actual results:
SELinux prevents Winbindd from starting.

Expected results:
Winbindd starts on Enforcing policy.

Additional info:
We have suggested that the customer not use the SELinux policies for
smbd/nmbd/winbindd as a workaround.

Let me know if you need anything else.
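
Added example, not part of the original report and not Red Hat's policy change: one way to triage the denials quoted above is to rejoin the wrapped records and group them by source type, target type and object class. The resulting allow-style summary shows what a policy update would have to cover; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The denials exactly as posted in the report (wrapped at 80 columns).
REPORT_LOG = """\
winbind: winbindd startup succeeded
kernel: audit(1160051253.446:3251): avc:  denied  { search } for  pid=5641
comm="winbindd" name="yp" dev=dm-4 ino=540673 scontext=root:system_r:winbind_t
tcontext=system_u:object_r:var_yp_t tclass=dir
kernel: audit(1160051253.668:3252): avc:  denied  { read } for  pid=5641
comm="winbindd" name="linuxnis.2" dev=dm-4 ino=540679
scontext=root:system_r:winbind_t tcontext=user_u:object_r:var_yp_t tclass=file
kernel: audit(1160051253.895:3253): avc:  denied  { name_bind } for  pid=5641
comm="winbindd" src=729 scontext=root:system_r:winbind_t
tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
kernel: audit(1160051286.563:3254): avc:  denied  { unlink } for  pid=5641
comm="winbindd" name="pipe" dev=dm-4 ino=933912 scontext=root:system_r:winbind_t
tcontext=root:object_r:samba_log_t tclass=sock_file
kernel: audit(1160051286.793:3255): avc:  denied  { create } for  pid=5641
comm="winbindd" name="pipe" scontext=root:system_r:winbind_t
tcontext=root:object_r:samba_log_t tclass=sock_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)", re.DOTALL)

def denials_to_rules(log_text):
    """Group AVC denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    # Each record starts at its audit(<time>:<serial>) stamp; wrapped
    # continuation lines stay inside the same chunk.
    for record in re.split(r"(?=audit\(\d+\.\d+:\d+\))", log_text):
        m = AVC_RE.search(record)
        if m is None:
            continue  # not an AVC denial (e.g. the startup message)
        # The type is the third field of user:role:type[:level].
        src, tgt = m["scon"].split(":")[2], m["tcon"].split(":")[2]
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return dict(rules)

def format_rules(rules):
    """Render the grouped denials in policy 'allow' syntax, sorted."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(format_rules(denials_to_rules(REPORT_LOG))))
```

The five denials collapse to four type/class pairs: NIS map access under var_yp_t (dir and file), a bind to a reserved UDP port, and creation/removal of a socket file labeled samba_log_t.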
Comment 2 Daniel Walsh 2007-03-23 10:49:10 EDT
Please turn on the allow_ypbind boolean.

setsebool -P allow_ypbind=1

Does this get it to work?
Comment 3 Jose Plans 2007-03-23 10:54:39 EDT
Hi Dan,
  I believe we tried this already, let me come back to you with an answer.
  Setting NEEDINFO.
Jose
Comment 4 Jose Plans 2007-03-24 15:11:39 EDT
allow_ypbind was already enabled and it didn't make any difference.
Comment 5 RHEL Product and Program Management 2007-05-09 01:22:06 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 6 Daniel Walsh 2007-07-03 11:09:35 EDT
Fixed in 1.17.30-2.146
Comment 9 Josef Kubin 2007-08-13 12:42:26 EDT
I can't reproduce it with noted steps.
selinux-policy-targeted-1.17.30-2.145.noarch

# /etc/init.d/auditd status
auditd (pid 23926) is running...

# getsebool -a | grep yp
allow_ypbind --> active
ypbind_disable_trans --> inactive

# grep 'files nis' /etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files nis dns
protocols:  files nis
services:   files nis
netgroup:   files nis
automount:  files nis

Is it necessary to configure things more?
Comment 10 Josef Kubin 2007-10-16 20:13:11 EDT
Created attachment 229341
SELinux prevents to create folder /var/log/samba/cores/winbindd (scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t)

It has been found in /var/log/audit/audit.log after start of winbindd.
Comment 11 Daniel Walsh 2007-10-16 20:37:54 EDT
Fixed in selinux-policy-targeted-1_17_30-2_149

Needs to be set as blocker so I can build
Comment 15 errata-xmlrpc 2007-11-15 11:07:04 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0741.html
