Bug 252310 - SELinux prevents smbcontrol utility from receiving responses from Samba daemons
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-08-15 09:49 UTC by Leonid Zeitlin
Modified: 2007-11-30 22:12 UTC (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-10-05 18:50:19 UTC

Description Leonid Zeitlin 2007-08-15 09:49:33 UTC
Description of problem:
The smbcontrol utility doesn't receive any responses from smbd, nmbd or winbindd
due to an SELinux policy restriction.

For example:
# smbcontrol smbd debuglevel
No replies received

# smbcontrol smbd ping
No replies received

The following is logged to audit log:
type=AVC msg=audit(1187171117.259:294705): avc:  denied  { signal } for  pid=13536 comm="smbd" scontext=root:system_r:smbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1187171117.259:294705): arch=40000003 syscall=37 success=no exit=-13 a0=5b12 a1=a a2=803f4a4c a3=0 items=0 ppid=13534 pid=13536 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

When SELinux is in permissive mode this problem does not occur.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set SELinux to enforcing mode.
2. Run smbcontrol smbd ping.
Actual results:
smbcontrol answers: No replies received

Expected results:
Reply such as:
PONG from pid 13534
PONG from pid 13536

Additional info:

Comment 1 Daniel Walsh 2007-08-15 10:34:48 UTC
This is going to require new policy for smbcontrol.  You can add these rules
using audit2allow.

Run the command on winbindd and nmbd, and then execute the following:

grep signal /var/log/audit/audit.log | audit2allow -M mysmbcontrol
semodule -i mysmbcontrol.pp

This will update your local policy.
I will add policy for smbcontrol in a future release.

Comment 2 Leonid Zeitlin 2007-08-15 13:07:51 UTC
Thank you.

Comment 3 Daniel Walsh 2007-09-11 14:06:59 UTC
Fixed in selinux-policy-targeted-2.6.4-42.fc7

Comment 4 Leonid Zeitlin 2007-09-18 09:54:19 UTC
Sorry, but I observe the same problem with selinux-policy-targeted-2.6.4-42.fc7.
Even though smbcontrol is labelled with smbcontrol_exec_t type:

ls -Z /usr/bin/smbcontrol:
-rwxr-xr-x  root root system_u:object_r:smbcontrol_exec_t /usr/bin/smbcontrol

still, smbcontrol runs as unconfined_t:

smbcontrol smbd ping & ps axuwwZ | grep smbcontrol:
root:system_r:unconfined_t:SystemLow-SystemHigh root 26636 1.0  0.0 8676 1820 pts/1 S 12:52   0:00 smbcontrol smbd ping

I am afraid I don't know selinux well enough to understand what's going on. Any 

Comment 5 Daniel Walsh 2007-09-18 12:19:56 UTC
Oops, transition rule is missing. Works in F8.

Fixed in /selinux-policy-2.6.4-43.fc7

Comment 6 Leonid Zeitlin 2007-10-01 13:20:26 UTC
Believe it or not, still doesn't work. Now smbcontrol prints no message at all 
and the audit log has the following:

type=AVC msg=audit(1191244284.239:267824): avc:  denied  { use } for  pid=21564 comm="smbcontrol" name="1" dev=devpts ino=3 scontext=root:system_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fd

type=AVC_PATH msg=audit(1191244284.239:267824):  path="/dev/pts/1"

This is when I am running smbcontrol on an sshd terminal. On a console, the
audit log entry is slightly different:

type=AVC msg=audit(1191244411.747:267864): avc:  denied  { use } for  pid=21608 comm="smbcontrol" name="tty2" dev=tmpfs ino=1856 scontext=root:system_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcla

type=AVC_PATH msg=audit(1191244411.747:267864):  path="/dev/tty2"

Comment 7 Daniel Walsh 2007-10-01 20:03:47 UTC

Comment 8 Leonid Zeitlin 2007-10-05 16:06:45 UTC
selinux-policy-2.6.4-46.fc7 fixes the issue. Thank you!
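
Added example, not part of the original report or of the selinux-policy project: a small Python parser that turns the AVC denials quoted in this thread into the allow rules they correspond to, so the access a locally generated module would grant can be reviewed before `semodule -i` loads it. The function names are this example's own, the log lines are copied from the comments above with their line wraps rejoined, and the record that is cut off on the page is reported as skipped rather than completed.

```python
import re
from collections import defaultdict

# AVC records copied from this report, wraps rejoined; the last one is cut off on the page.
SAMPLE_LOG = """\
type=AVC msg=audit(1187171117.259:294705): avc:  denied  { signal } for  pid=13536 comm="smbd" scontext=root:system_r:smbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1191244284.239:267824): avc:  denied  { use } for  pid=21564 comm="smbcontrol" name="1" dev=devpts ino=3 scontext=root:system_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fd
type=AVC msg=audit(1191244411.747:267864): avc:  denied  { use } for  pid=21608 comm="smbcontrol" name="tty2" dev=tmpfs ino=1856 scontext=root:system_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcla
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Parse one AVC denial; return None for non-AVC or incomplete records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "source": selinux_type(m["scon"]),
        "target": selinux_type(m["tcon"]),
        "tclass": m["tclass"],
        "perms": set(m["perms"].split()),
    }

def summarize(log_text):
    """Merge denials into allow rules; also return the lines that did not parse."""
    merged, skipped = defaultdict(set), []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse_avc(line)
        if rec is None:
            skipped.append(line)
            continue
        merged[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    rules = [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]
    return rules, skipped

if __name__ == "__main__":
    rules, skipped = summarize(SAMPLE_LOG)
    print("\n".join(rules + [f"skipped (incomplete): {len(skipped)}"]))
```

The first rule lets any smbd_t process signal any unconfined_t process, which is broader than the single smbcontrol exchange that triggered the denial.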
