Bug 428009 - tools don't work when selinux is enabled

Status: CLOSED INSUFFICIENT_DATA
Product: Fedora EPEL
Classification: Fedora
Component: smbldap-tools
Version: el5
Hardware/OS: All Linux
Priority: low
Severity: medium
Assigned To: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
ActualBug
Reopened
Reported: 2008-01-08 12:22 EST by Gordon Messmer
Modified: 2009-08-27 09:28 EDT
Last Closed: 2009-08-27 09:28:48 EDT
Doc Type: Bug Fix

Attachments: None
Description Gordon Messmer 2008-01-08 12:22:29 EST
Description of problem:
When SELinux is enforcing, the smb server is restricted in what programs it can
execute, controlled by the samba_domain_controller boolean.  If that boolean is
on, then smbd can execute binaries with the context groupadd_exec_t,
useradd_exec_t, and passwd_exec_t.

It would help if the smbldap-tools package came with a policy file that set its
script contexts:
/etc/selinux/targeted/contexts/files/smbldap-tools:
/usr/sbin/smbldap-group.*    system_u:object_r:groupadd_exec_t:s0
/usr/sbin/smbldap-user.*    system_u:object_r:useradd_exec_t:s0
/usr/sbin/smbldap-passwd    system_u:object_r:passwd_exec_t:s0

Version-Release number of selected component (if applicable):
0.9.4-1
Comment 1 Paul Howarth 2008-01-08 12:42:58 EST
Wouldn't it be better just to get this added to selinux-policy?

I'll add Dan Walsh as a Cc and see if he agrees.
Comment 2 Daniel Walsh 2008-01-08 13:26:13 EST
Well, not really, since these apps are going to communicate with LDAP to do the
useradd, groupadd stuff.

useradd_t/groupadd_t can not talk to ldap.

So this is better to stay in the smbd_t domain and connect to LDAP.

Comment 3 Gordon Messmer 2008-01-08 14:13:09 EST
That doesn't address the problem that SELinux won't let smbd_t execute those
scripts.

Should I, then, replace all of the above contexts with
samba_unconfined_script_exec_t ?

semanage fcontext -a -t samba_unconfined_script_exec_t "/usr/sbin/smbldap.*"
Comment 4 Daniel Walsh 2008-01-08 14:27:24 EST
Ok then we need to allow samba to execute the scripts

corecmd_exec_bin(smbd_t)

When the boolean is set?
Comment 5 Daniel Walsh 2008-01-08 14:29:16 EST
Current selinux-policy has corecmd_exec_bin(smbd_t)


So what avc messages are you getting?
Comment 6 Gordon Messmer 2008-01-18 18:16:29 EST
I get these:

type=AVC msg=audit(1200697365.287:115): avc:  denied  { execute } for  pid=3658
comm="sh" name="smbldap-useradd" dev=sda1 ino=340100
scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1200697365.287:115): arch=c000003e syscall=59 success=no
exit=-13 a0=4a1a2e0 a1=4a1a490 a2=4a1a310 a3=8 items=0 ppid=3657 pid=3658
auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500
tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1200697365.287:116): avc:  denied  { getattr } for  pid=3658
comm="sh" path="/usr/sbin/smbldap-useradd" dev=sda1 ino=340100
scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1200697365.287:116): arch=c000003e syscall=4 success=no
exit=-13 a0=4a1a2e0 a1=7fff24690e30 a2=7fff24690e30 a3=8 items=0 ppid=3657
pid=3658 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500
fsgid=500 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:smbd_t:s0
key=(null)
type=AVC msg=audit(1200697365.287:117): avc:  denied  { getattr } for  pid=3658
comm="sh" path="/usr/sbin/smbldap-useradd" dev=sda1 ino=340100
scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1200697365.287:117): arch=c000003e syscall=4 success=no
exit=-13 a0=4a1a2e0 a1=7fff24690d60 a2=7fff24690d60 a3=8 items=0 ppid=3657
pid=3658 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500
fsgid=500 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:smbd_t:s0
key=(null)

# getsebool -a | grep samba
samba_domain_controller --> on
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
# getenforce 
Enforcing
Comment 7 Daniel Walsh 2008-01-21 15:01:30 EST
sbin_t does not exist in Fedora 8.
Comment 8 Paul Howarth 2008-01-30 08:06:37 EST
Fedora 8 would also show a samba_run_unconfined boolean in the getsebool output.

Are you actually running RHEL5 or a clone thereof?
Comment 9 Gordon Messmer 2008-02-04 21:34:31 EST
I am: CentOS 5.

I thought I filed this against rhel5, and mentioned the platform in the
description.  I can only assume that I'm losing my mind, since I failed to do
both.  I'm terribly sorry for that.
Comment 10 Paul Howarth 2008-02-06 10:17:13 EST
Short term, this is going to need a local policy module to add

corecmd_exec_bin(smbd_t)

and maybe other things (you'll probably need to experiment a bit).

Dan, is this sort of problem likely to be addressed in RHEL 5.2 or is the update
policy for RHEL too conservative to allow that?
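Working out what a local policy module must contain starts from the AVC records quoted in comment 6. The script below is an added example, not part of this bug report or of the smbldap-tools package: it is a deliberately simplified stand-in for audit2allow that parses auditd lines, merges denials by (source type, target type, object class) and renders them as raw TE allow rules. The sample records are the ones from comment 6, rejoined onto single lines; the regular expressions and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the audit records quoted in comment 6 of this bug,
# each rejoined onto a single line as auditd writes them. One SYSCALL record is
# kept to show that non-AVC records are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1200697365.287:115): avc:  denied  { execute } for  pid=3658 comm="sh" name="smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1200697365.287:115): arch=c000003e syscall=59 success=no exit=-13 a0=4a1a2e0 a1=4a1a490 a2=4a1a310 a3=8 items=0 ppid=3657 pid=3658 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1200697365.287:116): avc:  denied  { getattr } for  pid=3658 comm="sh" path="/usr/sbin/smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1200697365.287:117): avc:  denied  { getattr } for  pid=3658 comm="sh" path="/usr/sbin/smbldap-useradd" dev=sda1 ino=340100 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
"""

# One AVC record: the verdict, the permission set in braces, then the
# source/target contexts and the object class. pid/comm/path are optional.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
# The object a denial refers to is logged as path="..." or name="...".
OBJ_RE = re.compile(r'\b(?:path|name)="(?P<obj>[^"]*)"')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context string."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None otherwise."""
    m = AVC_RE.search(line)
    if m is None or m.group("verdict") != "denied":
        return None
    obj = OBJ_RE.search(line)
    return {
        "perms": set(m.group("perms").split()),
        "source_type": context_type(m.group("scontext")),
        "target_type": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "object": obj.group("obj") if obj else None,
    }


def summarize_denials(lines):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            merged[key] |= rec["perms"]
    return dict(merged)


def allow_rules(lines):
    """Render merged denials as raw TE allow rules, one per (source, target, class)."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize_denials(lines).items()):
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT.splitlines()):
        print(rule)
```

For the comment 6 records this yields a single rule, `allow smbd_t sbin_t:file { execute getattr };`, which confirms that the denials are the smbd domain being refused execute access to an sbin_t file. A raw rule of that shape is what a quick local module would carry; on a refpolicy-based system the thread's preferred form is the interface call named in comments 5 and 10, corecmd_exec_bin(smbd_t), which expresses the same intent without hard-coding the target type.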
Comment 11 Daniel Walsh 2008-02-06 15:36:27 EST
U2 policy is currently available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5

Looks like it has corecmd_exec_bin(smbd_t)
Comment 12 Paul Howarth 2009-03-19 12:16:44 EDT
Does the 5.2 or 5.3 policy fix your issues Gordon?
Comment 13 Paul Howarth 2009-04-23 10:46:37 EDT
Ping?
Comment 14 Paul Howarth 2009-08-27 09:28:48 EDT
No response from reporter, assumed fixed.
