Bug 252310 - SELinux prevents smbcontrol utility from receiving responses from Samba daemons
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware/OS: All Linux
Priority: low; Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-08-15 05:49 EDT by Leonid Zeitlin
Modified: 2007-11-30 17:12 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-10-05 14:50:19 EDT
Description Leonid Zeitlin 2007-08-15 05:49:33 EDT
Description of problem:
Smbcontrol utility doesn't receive any responses from smbd, nmbd or winbindd due to SELinux policy restriction.

For example:
# smbcontrol smbd debuglevel
No replies received

# smbcontrol smbd ping
No replies received

The following is logged to audit log:
type=AVC msg=audit(1187171117.259:294705): avc:  denied  { signal } for  pid=13536 comm="smbd" scontext=root:system_r:smbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1187171117.259:294705): arch=40000003 syscall=37 success=no exit=-13 a0=5b12 a1=a a2=803f4a4c a3=0 items=0 ppid=13534 pid=13536 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

When SELinux is in permissive mode this problem does not occur.

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-35.fc7
selinux-policy-targeted-2.6.4-35.fc7
samba-3.0.25b-2.fc7


How reproducible:
Always

Steps to Reproduce:
1. Set SELinux to enforcing mode.
2. Run smbcontrol smbd ping.
  
Actual results:
smbcontrol answers: No replies received

Expected results:
Reply such as:
PONG from pid 13534
PONG from pid 13536


Additional info:
Comment 1 Daniel Walsh 2007-08-15 06:34:48 EDT
This is going to require new policy for smbcontrol.  You can add these rules
using audit2allow.

Run the command on winbindd and nmbd and then execute the following:

grep signal /var/log/audit/audit.log | audit2allow -M mysmbcontrol
semodule -i mysmbcontrol.pp

This will update your local policy.
I will add policy for smbcontrol in a future release.
Comment 2 Leonid Zeitlin 2007-08-15 09:07:51 EDT
Thank you.
Comment 3 Daniel Walsh 2007-09-11 10:06:59 EDT
Fixed in selinux-policy-targeted-2.6.4-42.fc7
Comment 4 Leonid Zeitlin 2007-09-18 05:54:19 EDT
Sorry, but I observe the same problem with selinux-policy-targeted-2.6.4-42.fc7. Even though smbcontrol is labelled with smbcontrol_exec_t type:

ls -Z /usr/bin/smbcontrol:
-rwxr-xr-x  root root system_u:object_r:smbcontrol_exec_t /usr/bin/smbcontrol

still, smbcontrol runs as unconfined_t:

smbcontrol smbd ping & ps axuwwZ | grep smbcontrol:
root:system_r:unconfined_t:SystemLow-SystemHigh root 26636 1.0  0.0 8676 1820 pts/1 S 12:52   0:00 smbcontrol smbd ping

I am afraid I don't know selinux well enough to understand what's going on. Any help?
Comment 5 Daniel Walsh 2007-09-18 08:19:56 EDT
Oops, transition rule is missing.  Works in F8

Fixed in /selinux-policy-2.6.4-43.fc7
Comment 6 Leonid Zeitlin 2007-10-01 09:20:26 EDT
Believe it or not, still doesn't work. Now smbcontrol prints no message at all and the audit log has the following:

type=AVC msg=audit(1191244284.239:267824): avc:  denied  { use } for  pid=21564 comm="smbcontrol" name="1" dev=devpts ino=3 scontext=root:system_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fd

type=AVC_PATH msg=audit(1191244284.239:267824):  path="/dev/pts/1"

This is when I am running smbcontrol on a sshd terminal. On a console, the audit log entry is slightly different:

type=AVC msg=audit(1191244411.747:267864): avc:  denied  { use } for  pid=21608 comm="smbcontrol" name="tty2" dev=tmpfs ino=1856 scontext=root:system_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd

type=AVC_PATH msg=audit(1191244411.747:267864):  path="/dev/tty2"
Comment 7 Daniel Walsh 2007-10-01 16:03:47 EDT
selinux-policy-2.6.4-46.fc7
Comment 8 Leonid Zeitlin 2007-10-05 12:06:45 EDT
selinux-policy-2.6.4-46.fc7 fixes the issue. Thank you!
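
Added example (not part of the original bug report or of the selinux-policy project): a small Python reader for the AVC records quoted in this thread, showing which allow rules the denials correspond to so that a local module built with audit2allow, as suggested in Comment 1, can be reviewed before it is loaded. The function names and the SAMPLE_AUDIT_LOG constant are assumptions of this example, and it covers all three denials in the thread rather than only the signal denial matched by the grep in Comment 1.

```python
import re
from collections import defaultdict

# Audit records copied from this report with the line wrapping removed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1187171117.259:294705): avc:  denied  { signal } for  pid=13536 comm="smbd" scontext=root:system_r:smbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1187171117.259:294705): arch=40000003 syscall=37 success=no exit=-13 a0=5b12 a1=a a2=803f4a4c a3=0 items=0 ppid=13534 pid=13536 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1191244284.239:267824): avc:  denied  { use } for  pid=21564 comm="smbcontrol" name="1" dev=devpts ino=3 scontext=root:system_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fd
type=AVC msg=audit(1191244411.747:267864): avc:  denied  { use } for  pid=21608 comm="smbcontrol" name="tty2" dev=tmpfs ino=1856 scontext=root:system_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
"""

# Matches only AVC denial records; SYSCALL and AVC_PATH records are skipped.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:mls-range] context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render grouped denials as policy-style allow statements, sorted."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return out

if __name__ == "__main__":
    for rule in to_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

audit2allow -M also writes mysmbcontrol.te next to the .pp file; comparing its allow lines with this summary before running semodule -i shows exactly which access the local module grants.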
