Bug 237762 - AVC denial on "net groupmap add" command
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: i386 Linux
Priority: medium Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-04-25 05:53 EDT by Markku Kolkka
Modified: 2009-02-02 13:24 EST
Fixed In Version: 2.4.6-72.fc6
Doc Type: Bug Fix
Last Closed: 2007-05-29 05:38:40 EDT
Description Markku Kolkka 2007-04-25 05:53:47 EDT
Description of problem:
Using the "net groupmap add" command to map a Linux group with a Windows group
results in error messages and AVC denial messages. However, the mapping appears
to be created correctly.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-57.fc6

How reproducible:
always

Steps to Reproduce:
1. groupadd testing
2. net groupmap add unixgroup=testing ntgroup='Test Group 1' type=domain
  
Actual results:
Error messages:
[2007/04/25 12:50:39, 0] passdb/pdb_tdb.c:tdbsam_open(818)
  tdbsam_open: Failed to open/create TDB passwd [/etc/samba/passdb.tdb]
[2007/04/25 12:50:39, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(1095)
  tdbsam_getsampwnam: failed to open /etc/samba/passdb.tdb!
AVC message:
avc: denied { write } for comm="net" dev=dm-0 egid=0 euid=0 exe="/usr/bin/net"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="passdb.tdb" pid=12388
scontext=user_u:system_r:samba_net_t:s0 sgid=0
subj=user_u:system_r:samba_net_t:s0 suid=0 tclass=file
tcontext=user_u:object_r:samba_etc_t:s0 tty=pts3 uid=0 

Expected results:
Success message:
Got RID 1031
Successfully added group Test Group 1 to the mapping db as a domain group

Additional info:
Comment 1 Markku Kolkka 2007-05-16 06:18:07 EDT
Same results with selinux-policy-2.4.6-69.fc6:
avc: denied { write } for comm="net" dev=dm-0 egid=0 euid=0 exe="/usr/bin/net" 
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="passdb.tdb" pid=32123 
scontext=user_u:system_r:samba_net_t:s0 sgid=0 
subj=user_u:system_r:samba_net_t:s0 suid=0 tclass=file 
tcontext=user_u:object_r:samba_etc_t:s0 tty=pts2 uid=0 
Comment 2 Daniel Walsh 2007-05-16 08:27:02 EDT
You can fix this with the following command.
chcon -t samba_secrets_t /etc/samba/passdb.tdb

I will fix the file context in selinux-policy-2.4.6-71
Comment 3 shaikomer 2009-02-02 11:03:29 EST
I am running Red Hat Enterprise Server 5.0 and I am trying to install WebSphere 6.1.
I got this error.
Could you please guide me to fix the problem?
Even when I run the command set sebool -p allow_execmod=1 allow_execstack=1 allow_execmem=1
it didn't work. Any help will be appreciated.

repository/package.java.jre/java/jre/bin/libj9jit23.so which requires text relocation.

Detailed Description
The /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/java application attempted to load /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so to use relocation as a workaround, until the library is fixed. Please file a bug report against this package.

Allowing Access
If you trust /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so"
The following command will allow this access:
chcon -t textrel_shlib_t /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so

Additional Information
Source Context: root:system_r:unconfined_t:SystemLow-SystemHigh
Target Context: root:object_r:etc_runtime_t
Target Objects: /web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so [ file ]
Affected RPM Packages:
Policy RPM: selinux-policy-2.4.6-30.el5
Selinux Enabled: True
Policy Type: targeted
Comment 4 Daniel Walsh 2009-02-02 11:41:10 EST
First run

restorecon -R -v /web

You can turn off the execmod checking by executing

# setsebool -P allow_execmod 1


Or you could change all the so files under /web to be textrel_shlib_t

# semanage fcontext -t textrel_shlib_t '/web/JDK/jre.pak/.*so'
# restorecon -R -v /web
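As an added example, not part of the bug report or of the selinux-policy project, here is a small Python triage script that parses audit-format "avc: denied" records like the ones quoted in this bug, extracts the source and target types, and for the two files this thread discusses compares the target type against the label the maintainer's fixes assign (samba_secrets_t from comment 2, textrel_shlib_t from comment 4), emitting the matching chcon command when the file is mislabeled. The expected-label table, the constructed execmod record, the unrelated SYSCALL line and all function names are assumptions made for the example; on a real host the policy's own file contexts are the authority.

```python
import re

# Constructed sample input for this example. The first record is the AVC
# denial quoted in the bug report, reassembled onto one line; the second is a
# constructed execmod denial in the same audit format, standing in for the
# text-relocation case setroubleshoot describes in comment 3 (contexts and
# paths taken from that comment; pid, tty and dev are made up). The third
# line is a non-AVC record, included to show that it is skipped.
SAMPLE_AUDIT_LINES = [
    'avc: denied { write } for comm="net" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/bin/net" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="passdb.tdb" pid=12388 scontext=user_u:system_r:samba_net_t:s0 '
    'sgid=0 subj=user_u:system_r:samba_net_t:s0 suid=0 tclass=file '
    'tcontext=user_u:object_r:samba_etc_t:s0 tty=pts3 uid=0',
    'avc: denied { execmod } for comm="java" dev=dm-0 egid=0 euid=0 '
    'exe="/web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/java" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="libj9jit23.so" pid=4242 '
    'scontext=root:system_r:unconfined_t:s0 sgid=0 '
    'subj=root:system_r:unconfined_t:s0 suid=0 tclass=file '
    'tcontext=root:object_r:etc_runtime_t:s0 tty=pts1 uid=0',
    'type=SYSCALL msg=audit(1177498239.123:456): arch=40000003 syscall=5',
]

# Expected labels for the two files discussed on the page, taken from the
# fixes in comments 2 and 4. Treating this table as "the correct label" is an
# assumption of the example, not a policy lookup.
EXPECTED_LABEL = {
    "passdb.tdb": ("/etc/samba/passdb.tdb", "samba_secrets_t"),
    "libj9jit23.so": (
        "/web/JDK/jre.pak/repository/package.java.jre/java/jre/bin/libj9jit23.so",
        "textrel_shlib_t",
    ),
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def diagnose(rec):
    """Classify a parsed denial and, for a known file, name the relabel command."""
    name = rec.get("name", "")
    actual = context_type(rec.get("tcontext", ""))
    result = {
        "name": name,
        "perms": rec["perms"],
        "source_type": context_type(rec.get("scontext", "")),
        "target_type": actual,
        "kind": "unclassified",
        "fix": None,
    }
    if rec.get("tclass") != "file" or name not in EXPECTED_LABEL:
        return result
    path, expected = EXPECTED_LABEL[name]
    if actual == expected:
        # Label already matches: the denial is a policy rule gap, not a labelling bug.
        result["kind"] = "policy-rule"
        return result
    result["kind"] = "mislabeled"
    # Same shape as the one-off fix in comment 2. A persistent fix records the
    # rule with 'semanage fcontext' and then runs restorecon, as in comment 4.
    result["fix"] = f"chcon -t {expected} {path}"
    if "execmod" in rec["perms"]:
        result["note"] = "library requires text relocation"
    return result


def triage(lines):
    """Parse and diagnose every AVC record in an audit log excerpt."""
    return [diagnose(rec) for rec in map(parse_avc, lines) if rec is not None]


if __name__ == "__main__":
    for d in triage(SAMPLE_AUDIT_LINES):
        print(d["kind"], d["name"], d["perms"], d["fix"] or "")
```

The script deliberately only emits the chcon form for the two paths it knows about; a denial whose target already carries the expected type is reported as "policy-rule", which is the case a relabel cannot fix and that belongs in a bug against the policy package, as this report itself did.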
Comment 5 shaikomer 2009-02-02 13:24:04 EST
My problem is solved and I am able to install the WebSphere server 6.1 on Red Hat Enterprise 5.0.

The first command worked for me. It's a great help and I appreciate it.
#restorecon -r -v /web
#setsebool -P allow_execmod 1
Once again, thanks for your help, Mr. dwalsh.
