Bug 400141 - SELinux policy blocks ntlm_auth
SELinux policy blocks ntlm_auth
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.1
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-26 16:18 EST by Eric Hokanson
Modified: 2008-02-29 11:27 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-29 11:27:49 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Eric Hokanson 2007-11-26 16:18:43 EST
Description of problem:
SELinux blocks the usage of ntlm_auth.  Even disabling protection for windbind
in the SELinux manager continues to block it.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-106.el5_1.3
selinux-policy-targeted-2.4.6-106.el5_1.3
libselinux-1.33.4-4.el5

Steps to Reproduce:
1. ntlm_auth --username=username --domain=domain
  
Actual results:
Blocks ntlm_auth

Expected results:
Allow ntlm_auth

Additional info:
Summary
    SELinux is preventing /usr/bin/ntlm_auth (winbind_helper_t) "connectto" to
    /var/run/winbindd/pipe (initrc_t).

Detailed Description
    SELinux denied access requested by /usr/bin/ntlm_auth. It is not expected
    that this access is required by /usr/bin/ntlm_auth and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:winbind_helper_t
Target Context                root:system_r:initrc_t
Target Objects                /var/run/winbindd/pipe [ unix_stream_socket ]
Affected RPM Packages         samba-common-3.0.25b-1.el5_1.2 [application]
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     buzzard.library.colostate.edu
Platform                      Linux buzzard.library.colostate.edu 2.6.18-53.el5
                              #1 SMP Wed Oct 10 16:34:02 EDT 2007 i686 i686
Alert Count                   49
Line Numbers                  

Raw Audit Messages            

avc: denied { connectto } for comm="ntlm_auth" egid=0 euid=0
exe="/usr/bin/ntlm_auth" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path="/var/run/winbindd/pipe" pid=15098
scontext=user_u:system_r:winbind_helper_t:s0 sgid=0
subj=user_u:system_r:winbind_helper_t:s0 suid=0 tclass=unix_stream_socket
tcontext=root:system_r:initrc_t:s0 tty=pts1 uid=0
Comment 1 Daniel Walsh 2007-11-26 22:18:17 EST
This looks like a transition is not happening properly.  the process that is
listening on the unix_stream_socket is running as initrc_t.  I believe it should
be winbind running as winbind_t?  Could there be a labeling problem on
/usr/sbin/winbindd

restorecon -R -v /usr/sbin

If winbindd is mislabeled restart the service and the ntlm_auth should work.
Comment 2 Eric Hokanson 2007-11-27 12:58:12 EST
Looks okay:
-rwxr-xr-x  root root   system_u:object_r:winbind_exec_t winbindd

restorecon -R -v /usr/sbin didn't appear to change anything.
Comment 3 Daniel Walsh 2007-11-28 07:11:23 EST
ok could you see what process is running as initrc_t?

ps -eZ | grep initrc_t
Comment 4 Eric Hokanson 2007-11-28 13:28:41 EST
root:system_r:initrc_t           4529 ?        00:00:00 rpc.rquotad
system_u:system_r:initrc_t       5232 ?        00:00:00 libvirt_qemud
system_u:system_r:initrc_t       5251 ?        00:00:00 rhnsd
system_u:system_r:initrc_t       5300 ?        00:00:00 dnsmasq
system_u:system_r:initrc_t       5519 ?        00:32:21 java
system_u:system_r:initrc_t       5612 ?        00:00:00 miniserv.pl
root:system_r:initrc_t           6033 ?        00:00:00 mysqld_safe
root:system_r:initrc_t           6799 ?        00:00:00 smbd
root:system_r:initrc_t           6804 ?        00:00:00 smbd
root:system_r:initrc_t           6805 ?        00:01:00 nmbd
root:system_r:initrc_t           6826 ?        00:00:01 winbindd
root:system_r:initrc_t           6827 ?        00:00:04 winbindd
root:system_r:initrc_t           7412 ?        00:00:00 winbindd
root:system_r:initrc_t           8681 ?        00:00:00 smbd
root:system_r:initrc_t           9363 ?        00:00:00 smbd
root:system_r:initrc_t          10971 ?        00:00:00 winbindd
root:system_r:initrc_t          10972 ?        00:00:00 winbindd
root:system_r:initrc_t          10973 ?        00:00:00 winbindd
root:system_r:initrc_t          12721 ?        00:00:00 winbindd
Comment 5 Daniel Walsh 2007-12-01 08:20:03 EST
Well you have some kind of labeling problem.   All these processes should be
running in different file context.  I think you need to relabel your entire machine.

touch /.autorelabel; reboot 

should clean it up.
Comment 6 Eric Hokanson 2007-12-05 17:00:43 EST
Humm, not sure how the labeling problem occured as it's basicly a fresh install.
 However 'touch /.autorelabel' did fix the labels (now
system_u:system_r:initrc_t) but the error still occurs:

Summary
    SELinux is preventing /usr/bin/ntlm_auth (winbind_helper_t) "connectto" to
    /var/run/winbindd/pipe (initrc_t).

Detailed Description
    SELinux denied access requested by /usr/bin/ntlm_auth. It is not expected
    that this access is required by /usr/bin/ntlm_auth and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                root:system_r:winbind_helper_t:SystemLow-
                              SystemHigh
Target Context                system_u:system_r:initrc_t
Target Objects                /var/run/winbindd/pipe [ unix_stream_socket ]
Affected RPM Packages         samba-common-3.0.25b-1.el5_1.2 [application]
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     buzzard.library.colostate.edu
Platform                      Linux buzzard.library.colostate.edu
                              2.6.18-53.1.4.el5 #1 SMP Wed Nov 14 10:37:33 EST
                              2007 i686 i686
Alert Count                   6
Line Numbers                  

Raw Audit Messages            

avc: denied { connectto } for comm="ntlm_auth" egid=0 euid=0
exe="/usr/bin/ntlm_auth" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path="/var/run/winbindd/pipe" pid=6242
scontext=root:system_r:winbind_helper_t:s0-s0:c0.c1023 sgid=0
subj=root:system_r:winbind_helper_t:s0-s0:c0.c1023 suid=0
tclass=unix_stream_socket tcontext=system_u:system_r:initrc_t:s0 tty=pts1 uid=0
Comment 7 Daniel Walsh 2007-12-06 10:10:20 EST
Which means windind is still running as initrc_t?  Is the rest of samba still
running as initrc_t?
Comment 8 Eric Hokanson 2007-12-06 15:17:38 EST
Found something else odd.  After the reboot the samba services were all running as
system_u:system_r:initrc_t.  Doing a 'service smb restart' changes smbd and nmbd
into user_r:system_r:initrc_t

It now looks like [ps -eZ]:

system_u:system_r:initrc_t       6769 ?        00:00:00 winbindd
system_u:system_r:initrc_t      11177 ?        00:00:00 winbindd
user_u:system_r:initrc_t        12516 ?        00:00:00 smbd
user_u:system_r:initrc_t        12519 ?        00:00:00 smbd
user_u:system_r:initrc_t        12520 ?        00:00:01 nmbd
user_u:system_r:initrc_t        12522 ?        00:00:00 smbd
Comment 9 Daniel Walsh 2007-12-06 16:52:47 EST
That is strange.

# ls -lZ /usr/sbin/smbd /usr/sbin/nmbd /usr/sbin/winbindd 
-rwxr-xr-x  root root system_u:object_r:nmbd_exec_t:s0 /usr/sbin/nmbd
-rwxr-xr-x  root root system_u:object_r:smbd_exec_t:s0 /usr/sbin/smbd
-rwxr-xr-x  root root system_u:object_r:winbind_exec_t:s0 /usr/sbin/winbindd
Comment 10 Daniel Walsh 2008-02-28 12:55:51 EST
Sorry this bug seems to have gotten lost.  Are you still having this problem?

What filesystem are you running on?

Could you try the U2 policy, preview available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5

If you execute service smbd restart what context does smbd run as?
Comment 11 Eric Hokanson 2008-02-28 16:47:05 EST
We decided to use another box with selinux disabled but yes, the original box
still does not work.

It's an ext3 filesystem using LVM.

I installed the new policies and did a 'service smb restart' and 'service
winbind restart'.  I get ps -eZ:

root:system_r:initrc_t          23754 ?        00:00:00 smbd
root:system_r:initrc_t          23757 ?        00:00:00 smbd
root:system_r:initrc_t          23758 ?        00:00:00 nmbd
root:system_r:initrc_t          23788 ?        00:00:00 winbindd
root:system_r:initrc_t          23790 ?        00:00:00 winbindd
root:system_r:initrc_t          23797 ?        00:00:00 smbd
root:system_r:initrc_t          23798 ?        00:00:00 winbindd

So it's still very messed up.
Comment 12 Daniel Walsh 2008-02-28 16:52:57 EST
I think I know whats going on.

Did you disable trans?

getsebool -a | grep disable_trans

Comment 13 Eric Hokanson 2008-02-28 18:30:41 EST
Oh, yes I had disabled it in a last ditch effort to make it work.

nmbd_disable_trans --> on
smbd_disable_trans --> on
winbind_disable_trans --> on

Enabling them shows:

root:system_r:smbd_t            24838 ?        00:00:00 smbd
root:system_r:smbd_t            24841 ?        00:00:00 smbd
root:system_r:nmbd_t            24842 ?        00:00:00 nmbd
root:system_r:winbind_t         24863 ?        00:00:00 winbindd
root:system_r:winbind_t         24865 ?        00:00:00 winbindd

and ntlm_auth now seems to work OK.
Comment 14 Daniel Walsh 2008-02-29 11:27:49 EST
Ok, I am closing as notabug.

We have removed disable_trans from Fedora7 and beyond policy.  Hoping to replace
them with permissive domains.

Note You need to log in before you can comment on or make changes to this bug.