Bug 400141 - SELinux policy blocks ntlm_auth
Summary: SELinux policy blocks ntlm_auth
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.1
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-11-26 21:18 UTC by Eric Hokanson
Modified: 2008-02-29 16:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-29 16:27:49 UTC
Target Upstream Version:
Embargoed:



Description Eric Hokanson 2007-11-26 21:18:43 UTC
Description of problem:
SELinux blocks the usage of ntlm_auth.  Even disabling protection for winbind
in the SELinux manager continues to block it.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-106.el5_1.3
selinux-policy-targeted-2.4.6-106.el5_1.3
libselinux-1.33.4-4.el5

Steps to Reproduce:
1. ntlm_auth --username=username --domain=domain
  
Actual results:
Blocks ntlm_auth

Expected results:
Allow ntlm_auth

Additional info:
Summary
    SELinux is preventing /usr/bin/ntlm_auth (winbind_helper_t) "connectto" to
    /var/run/winbindd/pipe (initrc_t).

Detailed Description
    SELinux denied access requested by /usr/bin/ntlm_auth. It is not expected
    that this access is required by /usr/bin/ntlm_auth and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:winbind_helper_t
Target Context                root:system_r:initrc_t
Target Objects                /var/run/winbindd/pipe [ unix_stream_socket ]
Affected RPM Packages         samba-common-3.0.25b-1.el5_1.2 [application]
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     buzzard.library.colostate.edu
Platform                      Linux buzzard.library.colostate.edu 2.6.18-53.el5
                              #1 SMP Wed Oct 10 16:34:02 EDT 2007 i686 i686
Alert Count                   49
Line Numbers                  

Raw Audit Messages            

avc: denied { connectto } for comm="ntlm_auth" egid=0 euid=0
exe="/usr/bin/ntlm_auth" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path="/var/run/winbindd/pipe" pid=15098
scontext=user_u:system_r:winbind_helper_t:s0 sgid=0
subj=user_u:system_r:winbind_helper_t:s0 suid=0 tclass=unix_stream_socket
tcontext=root:system_r:initrc_t:s0 tty=pts1 uid=0

Comment 1 Daniel Walsh 2007-11-27 03:18:17 UTC
This looks like a transition is not happening properly. The process that is
listening on the unix_stream_socket is running as initrc_t. I believe it should
be winbind running as winbind_t? Could there be a labeling problem on
/usr/sbin/winbindd?

restorecon -R -v /usr/sbin

If winbindd is mislabeled, restart the service and ntlm_auth should work.

Comment 2 Eric Hokanson 2007-11-27 17:58:12 UTC
Looks okay:
-rwxr-xr-x  root root   system_u:object_r:winbind_exec_t winbindd

restorecon -R -v /usr/sbin didn't appear to change anything.


Comment 3 Daniel Walsh 2007-11-28 12:11:23 UTC
OK, could you see what process is running as initrc_t?

ps -eZ | grep initrc_t

Comment 4 Eric Hokanson 2007-11-28 18:28:41 UTC
root:system_r:initrc_t           4529 ?        00:00:00 rpc.rquotad
system_u:system_r:initrc_t       5232 ?        00:00:00 libvirt_qemud
system_u:system_r:initrc_t       5251 ?        00:00:00 rhnsd
system_u:system_r:initrc_t       5300 ?        00:00:00 dnsmasq
system_u:system_r:initrc_t       5519 ?        00:32:21 java
system_u:system_r:initrc_t       5612 ?        00:00:00 miniserv.pl
root:system_r:initrc_t           6033 ?        00:00:00 mysqld_safe
root:system_r:initrc_t           6799 ?        00:00:00 smbd
root:system_r:initrc_t           6804 ?        00:00:00 smbd
root:system_r:initrc_t           6805 ?        00:01:00 nmbd
root:system_r:initrc_t           6826 ?        00:00:01 winbindd
root:system_r:initrc_t           6827 ?        00:00:04 winbindd
root:system_r:initrc_t           7412 ?        00:00:00 winbindd
root:system_r:initrc_t           8681 ?        00:00:00 smbd
root:system_r:initrc_t           9363 ?        00:00:00 smbd
root:system_r:initrc_t          10971 ?        00:00:00 winbindd
root:system_r:initrc_t          10972 ?        00:00:00 winbindd
root:system_r:initrc_t          10973 ?        00:00:00 winbindd
root:system_r:initrc_t          12721 ?        00:00:00 winbindd


Comment 5 Daniel Walsh 2007-12-01 13:20:03 UTC
Well, you have some kind of labeling problem. All these processes should be
running in different file contexts. I think you need to relabel your entire machine.

touch /.autorelabel; reboot 

should clean it up.

Comment 6 Eric Hokanson 2007-12-05 22:00:43 UTC
Hmm, not sure how the labeling problem occurred as it's basically a fresh install.
However, 'touch /.autorelabel' did fix the labels (now
system_u:system_r:initrc_t) but the error still occurs:

Summary
    SELinux is preventing /usr/bin/ntlm_auth (winbind_helper_t) "connectto" to
    /var/run/winbindd/pipe (initrc_t).

Detailed Description
    SELinux denied access requested by /usr/bin/ntlm_auth. It is not expected
    that this access is required by /usr/bin/ntlm_auth and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                root:system_r:winbind_helper_t:SystemLow-
                              SystemHigh
Target Context                system_u:system_r:initrc_t
Target Objects                /var/run/winbindd/pipe [ unix_stream_socket ]
Affected RPM Packages         samba-common-3.0.25b-1.el5_1.2 [application]
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     buzzard.library.colostate.edu
Platform                      Linux buzzard.library.colostate.edu
                              2.6.18-53.1.4.el5 #1 SMP Wed Nov 14 10:37:33 EST
                              2007 i686 i686
Alert Count                   6
Line Numbers                  

Raw Audit Messages            

avc: denied { connectto } for comm="ntlm_auth" egid=0 euid=0
exe="/usr/bin/ntlm_auth" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path="/var/run/winbindd/pipe" pid=6242
scontext=root:system_r:winbind_helper_t:s0-s0:c0.c1023 sgid=0
subj=root:system_r:winbind_helper_t:s0-s0:c0.c1023 suid=0
tclass=unix_stream_socket tcontext=system_u:system_r:initrc_t:s0 tty=pts1 uid=0

Comment 7 Daniel Walsh 2007-12-06 15:10:20 UTC
Which means winbind is still running as initrc_t? Is the rest of samba still
running as initrc_t?

Comment 8 Eric Hokanson 2007-12-06 20:17:38 UTC
Found something else odd. After the reboot the samba services were all running as
system_u:system_r:initrc_t. Doing a 'service smb restart' changes smbd and nmbd
into user_u:system_r:initrc_t

It now looks like [ps -eZ]:

system_u:system_r:initrc_t       6769 ?        00:00:00 winbindd
system_u:system_r:initrc_t      11177 ?        00:00:00 winbindd
user_u:system_r:initrc_t        12516 ?        00:00:00 smbd
user_u:system_r:initrc_t        12519 ?        00:00:00 smbd
user_u:system_r:initrc_t        12520 ?        00:00:01 nmbd
user_u:system_r:initrc_t        12522 ?        00:00:00 smbd


Comment 9 Daniel Walsh 2007-12-06 21:52:47 UTC
That is strange.

# ls -lZ /usr/sbin/smbd /usr/sbin/nmbd /usr/sbin/winbindd 
-rwxr-xr-x  root root system_u:object_r:nmbd_exec_t:s0 /usr/sbin/nmbd
-rwxr-xr-x  root root system_u:object_r:smbd_exec_t:s0 /usr/sbin/smbd
-rwxr-xr-x  root root system_u:object_r:winbind_exec_t:s0 /usr/sbin/winbindd

Comment 10 Daniel Walsh 2008-02-28 17:55:51 UTC
Sorry this bug seems to have gotten lost.  Are you still having this problem?

What filesystem are you running on?

Could you try the U2 policy, preview available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5

If you execute service smbd restart, what context does smbd run as?

Comment 11 Eric Hokanson 2008-02-28 21:47:05 UTC
We decided to use another box with selinux disabled but yes, the original box
still does not work.

It's an ext3 filesystem using LVM.

I installed the new policies and did a 'service smb restart' and 'service
winbind restart'.  I get ps -eZ:

root:system_r:initrc_t          23754 ?        00:00:00 smbd
root:system_r:initrc_t          23757 ?        00:00:00 smbd
root:system_r:initrc_t          23758 ?        00:00:00 nmbd
root:system_r:initrc_t          23788 ?        00:00:00 winbindd
root:system_r:initrc_t          23790 ?        00:00:00 winbindd
root:system_r:initrc_t          23797 ?        00:00:00 smbd
root:system_r:initrc_t          23798 ?        00:00:00 winbindd

So it's still very messed up.

Comment 12 Daniel Walsh 2008-02-28 21:52:57 UTC
I think I know what's going on.

Did you disable trans?

getsebool -a | grep disable_trans



Comment 13 Eric Hokanson 2008-02-28 23:30:41 UTC
Oh, yes I had disabled it in a last ditch effort to make it work.

nmbd_disable_trans --> on
smbd_disable_trans --> on
winbind_disable_trans --> on

Enabling them shows:

root:system_r:smbd_t            24838 ?        00:00:00 smbd
root:system_r:smbd_t            24841 ?        00:00:00 smbd
root:system_r:nmbd_t            24842 ?        00:00:00 nmbd
root:system_r:winbind_t         24863 ?        00:00:00 winbindd
root:system_r:winbind_t         24865 ?        00:00:00 winbindd

and ntlm_auth now seems to work OK.

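The diagnosis that runs through comments 1, 3, 12 and 13 can be scripted: read the AVC, look at the type of the target context, and if the peer is still initrc_t, check whether a *_disable_trans boolean is holding the daemon out of its domain before reaching for audit2allow. The script below is an added example, not code from the bug report or from selinux-policy; its inputs are constructed from the text of the bug (the AVC in comment 6, the ps -eZ output in comment 4, the booleans in comment 13), and AVC_HYPOTHETICAL is a made-up denial against a correctly transitioned winbind_t used only to show the other branch. It generalises the thread's single case: any denial whose target is initrc_t is classified as a missing transition rather than a policy gap, because allowing winbind_helper_t to connect to initrc_t (as the setroubleshoot text suggests) would only paper over an unconfined daemon.

```shell
#!/bin/sh
# Added example (not from the bug): reproduce the diagnosis offline.
# All inputs are constructed from the bug text; nothing queries a live system.

# Constructed from the second AVC in comment 6 (some fields dropped).
AVC_SAMPLE='avc: denied { connectto } for comm="ntlm_auth" egid=0 euid=0 exe="/usr/bin/ntlm_auth" exit=-13 path="/var/run/winbindd/pipe" pid=6242 scontext=root:system_r:winbind_helper_t:s0-s0:c0.c1023 tclass=unix_stream_socket tcontext=system_u:system_r:initrc_t:s0 tty=pts1 uid=0'

# Hypothetical denial against a properly transitioned winbindd (winbind_t); not from the bug.
AVC_HYPOTHETICAL='avc: denied { connectto } for comm="ntlm_auth" exe="/usr/bin/ntlm_auth" path="/var/run/winbindd/pipe" scontext=root:system_r:winbind_helper_t:s0 tclass=unix_stream_socket tcontext=root:system_r:winbind_t:s0'

# Constructed subset of the `ps -eZ` output in comment 4, plus one confined smbd line.
PS_SAMPLE='root:system_r:initrc_t           4529 ?        00:00:00 rpc.rquotad
system_u:system_r:initrc_t       5300 ?        00:00:00 dnsmasq
root:system_r:initrc_t           6799 ?        00:00:00 smbd
root:system_r:initrc_t           6805 ?        00:01:00 nmbd
root:system_r:initrc_t           6826 ?        00:00:01 winbindd
root:system_r:smbd_t             9999 ?        00:00:00 smbd'

# Constructed from `getsebool -a | grep disable_trans` in comment 13.
BOOLS_SAMPLE='nmbd_disable_trans --> on
smbd_disable_trans --> on
winbind_disable_trans --> on'

# avc_field LINE KEY: value of KEY=VALUE in an AVC line, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2); gsub(/"/, "", v); print v; exit }'
}

# ctx_type CONTEXT: the type, i.e. the third colon-separated field of user:role:type[:range].
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# initrc_daemons PS_OUTPUT: command names still running in initrc_t, sorted and deduplicated.
initrc_daemons() {
    printf '%s\n' "$1" | awk '$1 ~ /:initrc_t(:|$)/ { print $NF }' | sort -u
}

# disabled_trans BOOLS: names of *_disable_trans booleans that are currently on.
disabled_trans() {
    printf '%s\n' "$1" | awk '$1 ~ /_disable_trans$/ && $3 == "on" { print $1 }'
}

# diagnose AVC BOOLS: print a one-line verdict.
#   transition-missing <bools|none>          peer is initrc_t: the daemon never entered its domain,
#                                            so the allow rule for the real domain cannot match
#   policy-gap <src> <perm> <tgt> <class>    peer is in its own domain: the policy lacks the rule
diagnose() {
    avc="$1"; bools="$2"
    perm=$(printf '%s\n' "$avc" | sed -n 's/.*denied { \([^ ]*\) }.*/\1/p')
    src=$(ctx_type "$(avc_field "$avc" scontext)")
    tgt=$(ctx_type "$(avc_field "$avc" tcontext)")
    cls=$(avc_field "$avc" tclass)
    if [ "$tgt" = initrc_t ]; then
        on=$(disabled_trans "$bools" | awk 'NR > 1 { printf "," } { printf "%s", $1 } END { print "" }')
        [ -n "$on" ] || on=none
        printf 'transition-missing %s\n' "$on"
    else
        printf 'policy-gap %s %s %s %s\n' "$src" "$perm" "$tgt" "$cls"
    fi
}

# remediate BOOLS: the persistent setsebool commands that re-enable the transitions.
# The affected services must be restarted afterwards, as in comment 11.
remediate() {
    disabled_trans "$1" | awk '{ print "setsebool -P " $1 " off" }'
}

# Demonstration when run directly.
diagnose "$AVC_SAMPLE" "$BOOLS_SAMPLE"
remediate "$BOOLS_SAMPLE"
echo "Still in initrc_t: $(initrc_daemons "$PS_SAMPLE" | tr '\n' ' ')"
```

On a live RHEL 5 box the constructed samples would be replaced by `ausearch -m avc -c ntlm_auth`, `ps -eZ` and `getsebool -a`; the verdict for the "transition-missing none" case is where comment 5's relabel (restorecon or /.autorelabel) belongs, since then the executables rather than the booleans are the first suspect.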
Comment 14 Daniel Walsh 2008-02-29 16:27:49 UTC
Ok, I am closing as notabug.

We have removed disable_trans from Fedora 7 and beyond policy. Hoping to replace
them with permissive domains.

