Description of problem:
Smbcontrol utility doesn't receive any responses from smbd, nmbd or winbindd due to SELinux policy restriction. For example:

# smbcontrol smbd debuglevel
No replies received
# smbcontrol smbd ping
No replies received

The following is logged to audit log:

type=AVC msg=audit(1187171117.259:294705): avc: denied { signal } for pid=13536 comm="smbd" scontext=root:system_r:smbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1187171117.259:294705): arch=40000003 syscall=37 success=no exit=-13 a0=5b12 a1=a a2=803f4a4c a3=0 items=0 ppid=13534 pid=13536 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

When SELinux is in permissive mode this problem does not occur.

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-35.fc7
selinux-policy-targeted-2.6.4-35.fc7
samba-3.0.25b-2.fc7

How reproducible:
Always

Steps to Reproduce:
1. Set SELinux to enforcing mode.
2. Run smbcontrol smbd ping.

Actual results:
smbcontrol answers:
No replies received

Expected results:
Reply such as:
PONG from pid 13534
PONG from pid 13536

Additional info:
This is going to require new policy for smbcontrol. You can add these rules using audit2allow. Run the command on winbind and nmbd and then execute the following:

grep signal /var/log/audit/audit.log | audit2allow -M mysmbcontrol
semodule -i mysmbcontrol.pp

This will update your local policy. I will add policy for smbcontrol in a future release.
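Added example, not part of the original thread and not audit2allow's own code: a simplified sketch of how AVC denials such as the one in the report collapse into allow rules, and why the `grep signal` filter limits what ends up in the local module. The function names are hypothetical; the first two sample records come from the report (the SYSCALL one abridged), the other two are constructed.

```python
import re
from collections import defaultdict

# AVC record fields needed to build a type-enforcement rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    return context.split(":")[2]

def allow_rules(log_text, perm_filter=None):
    """Collapse AVC denials into sorted allow rules, merging permissions
    per (source type, target type, class). perm_filter keeps only denials
    that include that permission, similar to the `grep signal` step."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, AVC_PATH and other record types
        perms = m.group("perms").split()
        if perm_filter and perm_filter not in perms:
            continue
        key = (selinux_type(m.group("scon")), selinux_type(m.group("tcon")), m.group("tclass"))
        merged[key].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

# Records 1-2 are from the report (SYSCALL abridged); records 3-4 are
# constructed: an nmbd denial and an unrelated denial the filter should drop.
SAMPLE_LOG = """\
type=AVC msg=audit(1187171117.259:294705): avc: denied { signal } for pid=13536 comm="smbd" scontext=root:system_r:smbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1187171117.259:294705): arch=40000003 syscall=37 success=no exit=-13
type=AVC msg=audit(1187171200.000:294800): avc: denied { signal } for pid=13540 comm="nmbd" scontext=root:system_r:nmbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1187171300.000:294900): avc: denied { read } for pid=13999 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG, perm_filter="signal"):
        print(rule)
```

Without the filter, the unrelated constructed denial would also become an allow rule, so the generated mysmbcontrol.te is worth reading before running semodule -i.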
Thank you.
Fixed in selinux-policy-targeted-2.6.4-42.fc7
Sorry, but I observe the same problem with selinux-policy-targeted-2.6.4-42.fc7. Even though smbcontrol is labelled with smbcontrol_exec_t type:

ls -Z /usr/bin/smbcontrol:
-rwxr-xr-x root root system_u:object_r:smbcontrol_exec_t /usr/bin/smbcontrol

still, smbcontrol runs as unconfined_t:

smbcontrol smbd ping & ps axuwwZ | grep smbcontrol:
root:system_r:unconfined_t:SystemLow-SystemHigh root 26636 1.0 0.0 8676 1820 pts/1 S 12:52 0:00 smbcontrol smbd ping

I am afraid I don't know selinux well enough to understand what's going on. Any help?
Oops, transition rule is missing. Works in F8.
Fixed in selinux-policy-2.6.4-43.fc7
Believe it or not, still doesn't work. Now smbcontrol prints no message at all and the audit log has the following:

type=AVC msg=audit(1191244284.239:267824): avc: denied { use } for pid=21564 comm="smbcontrol" name="1" dev=devpts ino=3 scontext=root:system_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fd
type=AVC_PATH msg=audit(1191244284.239:267824): path="/dev/pts/1"

This is when I am running smbcontrol on a sshd terminal. On a console, the audit log entry is slightly different:

type=AVC msg=audit(1191244411.747:267864): avc: denied { use } for pid=21608 comm="smbcontrol" name="tty2" dev=tmpfs ino=1856 scontext=root:system_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
type=AVC_PATH msg=audit(1191244411.747:267864): path="/dev/tty2"
selinux-policy-2.6.4-46.fc7
selinux-policy-2.6.4-46.fc7 fixes the issue. Thank you!