This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 429726 - Allow samba to change unix passwords
Allow samba to change unix passwords
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.2
All Linux
medium Severity medium
: rc
: ---
Assigned To: Daniel Walsh
: Reopened
: 513601 (view as bug list)
Depends On:
Blocks: 582250
  Show dependency treegraph
 
Reported: 2008-01-22 13:42 EST by Orion Poplawski
Modified: 2012-09-26 10:00 EDT (History)
4 users (show)

See Also:
Fixed In Version: U2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 582250 (view as bug list)
Environment:
Last Closed: 2009-09-02 03:58:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
audit messages (26.36 KB, text/plain)
2009-01-30 11:32 EST, Orion Poplawski
no flags Details
samba config file (9.70 KB, text/plain)
2009-07-23 09:46 EDT, Milos Malik
no flags Details
samba daemon log file (571.72 KB, text/plain)
2009-07-23 09:47 EDT, Milos Malik
no flags Details

  None (edit)
Description Orion Poplawski 2008-01-22 13:42:36 EST
Description of problem:

I'm running our samba "domain controller" on a CentOS 5.1 box.  I'd like to
allow samba to change user passwords, but it doesn't work and there doesn't seem
to be an applicable boolean.  I changed to permissive mode and collected the avc
messages to see what is needed.  In the meantime I'll make my own module.

Lines from smb.conf:

   unix password sync = yes
   passwd program = /usr/bin/passwd %u


Denials:

type=AVC msg=audit(1201026962.964:1823785): avc:  denied  { search } for 
pid=710 comm="smbd" name="cracklib" dev=dm-4 ino=293152
scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0
tclass=dir
type=AVC msg=audit(1201026962.964:1823785): avc:  denied  { read } for  pid=710
comm="smbd" name="pw_dict.pwd" dev=dm-4 ino=293153
scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0
tclass=file
type=AVC msg=audit(1201026963.019:1823786): avc:  denied  { getattr } for 
pid=710 comm="smbd" name="pw_dict.pwi" dev=dm-4 ino=293154
scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0
tclass=file
type=AVC msg=audit(1201026963.226:1823787): avc:  denied  { write } for  pid=710
comm="smbd" name=".pwd.lock" dev=dm-0 ino=229710
scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
type=AVC msg=audit(1201026963.242:1823788): avc:  denied  { lock } for  pid=710
comm="smbd" name=".pwd.lock" dev=dm-0 ino=229710
scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
type=AVC msg=audit(1201026963.294:1823789): avc:  denied  { write } for  pid=710
comm="smbd" name="etc" dev=dm-0 ino=229378 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1201026963.294:1823789): avc:  denied  { add_name } for 
pid=710 comm="smbd" name="nshadow" scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1201026963.294:1823789): avc:  denied  { create } for 
pid=710 comm="smbd" name="nshadow" scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1201026963.295:1823790): avc:  denied  { setattr } for 
pid=710 comm="smbd" name="nshadow" dev=dm-0 ino=229930
scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
type=AVC msg=audit(1201026963.296:1823791): avc:  denied  { remove_name } for 
pid=710 comm="smbd" name="nshadow" dev=dm-0 ino=229930
scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1201026963.296:1823791): avc:  denied  { rename } for 
pid=710 comm="smbd" name="nshadow" dev=dm-0 ino=229930
scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
type=AVC msg=audit(1201026963.296:1823791): avc:  denied  { unlink } for 
pid=710 comm="smbd" name="shadow" dev=dm-0 ino=230449
scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-106.el5.3
Comment 1 Orion Poplawski 2008-01-22 13:44:59 EST
Hmm, can't load my own module:

# semodule -i smbpasswd.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow smbd_t
shadow_t:file { write create };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

# cat smbpasswd.te

module smbpasswd 1.0;

require {
        type crack_db_t;
        type etc_t;
        type smbd_t;
        type shadow_t;
        class dir { write remove_name search add_name };
        class file { rename setattr read lock create write getattr unlink };
}

#============= smbd_t ==============
allow smbd_t crack_db_t:dir search;
allow smbd_t crack_db_t:file { read getattr };
allow smbd_t etc_t:dir { write remove_name add_name };
allow smbd_t shadow_t:file { rename write setattr lock create unlink };
Comment 2 Daniel Walsh 2008-01-22 15:14:48 EST
Can you turn on the samba_domain_controller boolean

setsebool -P samba_domain_controller=1

I am not sure this is in U1 policy but it is in U2.

Preview on

http://people.redhat.com/dwalsh/SELinux/RHEL5
Comment 3 Orion Poplawski 2008-01-22 15:19:18 EST
(In reply to comment #2)
> Can you turn on the samba_domain_controller boolean
> 
> setsebool -P samba_domain_controller=1
> 
> I am not sure this is in U1 policy but it is in U2.

Sorry, forgot to mention that I had already turned that on to no effect.
Comment 4 Daniel Walsh 2008-01-23 16:31:51 EST
Did you try the updated u2 policy?
Comment 5 Orion Poplawski 2008-02-12 14:08:58 EST
Still doesn't work with selinux-policy-2.4.6-121.el5 
[root@earth etc]# getsebool -a | grep samba
samba_domain_controller --> on
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_share_nfs --> on
use_samba_home_dirs --> off
[root@earth etc]# getsebool -a | grep smb
allow_smbd_anon_write --> off
smbd_disable_trans --> off

In enforcing I get:

type=AVC msg=audit(1202843048.759:129196): avc:  denied  { search } for 
pid=9292 comm="smbd" name="cracklib" dev=dm-4 ino=293152
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0
tclass=dir

In permissive I get:

type=AVC msg=audit(1202843260.233:129254): avc:  denied  { search } for 
pid=9691 comm="smbd" name="cracklib" dev=dm-4 ino=293152
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0
tclass=dir
type=AVC msg=audit(1202843260.233:129254): avc:  denied  { read } for  pid=9691
comm="smbd" name="pw_dict.pwd" dev=dm-4 ino=293153
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0
tclass=file
type=AVC msg=audit(1202843260.245:129255): avc:  denied  { getattr } for 
pid=9691 comm="smbd" path="/usr/share/cracklib/pw_dict.pwi" dev=dm-4 ino=293154
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0
tclass=file
type=AVC msg=audit(1202843260.389:129256): avc:  denied  { write } for  pid=9691
comm="smbd" name=".pwd.lock" dev=dm-0 ino=229710
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
type=AVC msg=audit(1202843260.398:129257): avc:  denied  { lock } for  pid=9691
comm="smbd" path="/etc/.pwd.lock" dev=dm-0 ino=229710
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
type=AVC msg=audit(1202843260.405:129258): avc:  denied  { write } for  pid=9691
comm="smbd" name="etc" dev=dm-0 ino=229378 scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1202843260.405:129258): avc:  denied  { add_name } for 
pid=9691 comm="smbd" name="nshadow" scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1202843260.405:129258): avc:  denied  { create } for 
pid=9691 comm="smbd" name="nshadow" scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1202843260.406:129259): avc:  denied  { setattr } for 
pid=9691 comm="smbd" name="nshadow" dev=dm-0 ino=232312
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
type=AVC msg=audit(1202843260.406:129260): avc:  denied  { remove_name } for 
pid=9691 comm="smbd" name="nshadow" dev=dm-0 ino=232312
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1202843260.406:129260): avc:  denied  { rename } for 
pid=9691 comm="smbd" name="nshadow" dev=dm-0 ino=232312
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
type=AVC msg=audit(1202843260.406:129260): avc:  denied  { unlink } for 
pid=9691 comm="smbd" name="shadow" dev=dm-0 ino=231121
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
Comment 6 Daniel Walsh 2008-02-12 14:20:12 EST
This looks like samba is trying to do the changes directly rather then using the
helper applications?  According to these AVC messages the passwd command was
never execed?
Comment 7 Simo Sorce 2008-02-12 15:01:40 EST
unix password sync can be done in 2 ways:
1. using the password program
2. directly using pam if pam password change = yes

In the second case, samba will directly access the relevant resources as
configured in the pam stack
Comment 8 Daniel Walsh 2008-02-12 15:07:29 EST
Orion, does it work with

  unix password sync = no
Comment 9 Orion Poplawski 2009-01-29 17:38:16 EST
Finally getting around to this again.

I can't use "pam password change = yes" as I get the following error:

[2009/01/29 14:23:18, 0] libsmb/smbencrypt.c:decode_pw_buffer(553)
  decode_pw_buffer: incorrect password length (-612108435).
[2009/01/29 14:23:18, 0] libsmb/smbencrypt.c:decode_pw_buffer(554)
  decode_pw_buffer: check that 'encrypt passwords = yes'

encrypt passwords is set to yes.  With this the samba password is changed but the pam/unix/ldap password is not.

There is also "ldap password sync", but this fails to set the shadowLastchange/shadowExpire settings and so causes problems.

The other error message shown from passwd command:

passwd: root:system_r:smbd_t is not authorized to change the password of <user>
Comment 10 Daniel Walsh 2009-01-30 08:36:23 EST
Any additional avc messages?
Comment 11 Orion Poplawski 2009-01-30 11:32:39 EST
Created attachment 330485 [details]
audit messages

These are the audit messages.

Looks like some leaked file descriptors at the start, then:

type=USER_CHAUTHTOK msg=audit(1233332747.904:366376): user pid=928 uid=0 auid=0 subj=root:system_r:passwd_t:s0 msg='op=change password id=6421 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/12 res=failed)'

seems like the most relevant.  I'll like you be the final judge though...
Comment 12 Daniel Walsh 2009-02-07 07:25:34 EST
I have some fixes in selinux-policy-2.4.6-208.el5
Preview to U4 policy is available on 
http://people.redhat.com/dwalsh/SElinux/RHEL5
Comment 13 Orion Poplawski 2009-02-11 11:17:01 EST
Make that http://people.redhat.com/dwalsh/SELinux/RHEL5.  Any chance on reverting to "sha" sums in the repodata?  I don't think yum-3.2.8-9.el5 can handle sha256 sums.

dwalsh-selinux            100% |=========================| 1.2 kB    00:00     
primary.xml.gz            100% |=========================| 7.4 kB    00:00     
http://people.redhat.com/dwalsh/SELinux/RHEL5/repodata/primary.xml.gz: [Errno -3] Error performing checksum                                                               
Trying other mirror.                                                                 
Error: failure: repodata/primary.xml.gz from dwalsh-selinux: [Errno 256] No more mirrors to try.
Comment 14 Daniel Walsh 2009-03-13 13:51:45 EDT
I just put out  selinux-policy-2.4.6-217.el5 with sha1, I think.
Comment 16 Orion Poplawski 2009-03-16 10:58:11 EDT
I think you need to regenerate the repodata:

Downloading Packages:
(1/2): selinux-policy-2.4 100% |=========================| 384 kB    00:01
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/selinux-policy-2.4.6-217.el5.noarch.rpm: [Errno -1] Package does not match intended download
Trying other mirror.
(2/2): selinux-policy-tar 100% |=========================| 1.1 MB    00:04
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/selinux-policy-targeted-2.4.6-217.el5.noarch.rpm: [Errno -1] Package does not match intended download
Trying other mirror.

This is after a yum clean all.
Comment 17 Orion Poplawski 2009-03-16 11:00:51 EDT
Looks like the checksums in primary.xml are sha256.  Ah well.  I'll install by hand and see how things go.
Comment 22 Daniel Walsh 2009-07-21 15:44:40 EDT
I need avc messages,  What does /var/log/audit/audit.log show?
Comment 23 Milos Malik 2009-07-22 03:45:07 EDT
# rpm -qa selinux-policy\*
selinux-policy-2.4.6-253.el5
selinux-policy-targeted-2.4.6-253.el5
# rpm -qa samba\*
samba-common-3.0.33-3.14.el5
samba-3.0.33-3.14.el5
# rpm -qa passwd\*
passwd-0.73-1
# setenforce 1
# setsebool samba_domain_controller=1

Got following AVCs:

----
time->Wed Jul 22 03:28:23 2009
type=SYSCALL msg=audit(1248247703.771:54): arch=c000003e syscall=59 success=yes exit=0 a0=735cb10 a1=735ccf0 a2=735bfd0 a3=0 items=0 ppid=6609 pid=6610 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="passwd" exe="/usr/bin/passwd" subj=root:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1248247703.771:54): avc:  denied  { append } for  pid=6610 comm="passwd" path="/var/log/samba/smbd.log" dev=dm-0 ino=29425705 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/var/cache/samba/share_info.tdb" dev=dm-0 ino=29425724 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="socket:[27972]" dev=sockfs ino=27972 scontext=root:system_r:passwd_t:s0 tcontext=root:system_r:smbd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/var/cache/samba/ntforms.tdb" dev=dm-0 ino=29425723 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/var/cache/samba/ntprinters.tdb" dev=dm-0 ino=29425722 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/var/cache/samba/account_policy.tdb" dev=dm-0 ino=29425716 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/var/cache/samba/group_mapping.tdb" dev=dm-0 ino=29425715 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/var/cache/samba/ntdrivers.tdb" dev=dm-0 ino=29425721 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/var/cache/samba/gencache.tdb" dev=dm-0 ino=29425713 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/var/cache/samba/locking.tdb" dev=dm-0 ino=29425712 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/var/cache/samba/brlock.tdb" dev=dm-0 ino=29425711 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/var/cache/samba/connections.tdb" dev=dm-0 ino=29425710 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/var/cache/samba/sessionid.tdb" dev=dm-0 ino=29425709 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/var/cache/samba/messages.tdb" dev=dm-0 ino=29425706 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { write } for  pid=6610 comm="passwd" path="/var/run/smbd.pid" dev=dm-0 ino=29393169 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:smbd_var_run_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc:  denied  { read write } for  pid=6610 comm="passwd" path="/etc/samba/secrets.tdb" dev=dm-0 ino=16712965 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_secrets_t:s0 tclass=file
----
time->Wed Jul 22 03:28:23 2009
type=SYSCALL msg=audit(1248247703.780:56): arch=c000003e syscall=59 success=yes exit=0 a0=f916b10 a1=f916cf0 a2=f915fd0 a3=0 items=0 ppid=6609 pid=6611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="passwd" exe="/usr/bin/passwd" subj=root:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1248247703.780:56): avc:  denied  { append } for  pid=6611 comm="passwd" path="/var/log/samba/smbd.log" dev=dm-0 ino=29425705 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/var/cache/samba/share_info.tdb" dev=dm-0 ino=29425724 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="socket:[27972]" dev=sockfs ino=27972 scontext=root:system_r:passwd_t:s0 tcontext=root:system_r:smbd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/var/cache/samba/ntforms.tdb" dev=dm-0 ino=29425723 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/var/cache/samba/ntprinters.tdb" dev=dm-0 ino=29425722 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/var/cache/samba/account_policy.tdb" dev=dm-0 ino=29425716 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/var/cache/samba/group_mapping.tdb" dev=dm-0 ino=29425715 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/var/cache/samba/ntdrivers.tdb" dev=dm-0 ino=29425721 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/var/cache/samba/gencache.tdb" dev=dm-0 ino=29425713 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/var/cache/samba/locking.tdb" dev=dm-0 ino=29425712 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/var/cache/samba/brlock.tdb" dev=dm-0 ino=29425711 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/var/cache/samba/connections.tdb" dev=dm-0 ino=29425710 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/var/cache/samba/sessionid.tdb" dev=dm-0 ino=29425709 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/var/cache/samba/messages.tdb" dev=dm-0 ino=29425706 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { write } for  pid=6611 comm="passwd" path="/var/run/smbd.pid" dev=dm-0 ino=29393169 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:smbd_var_run_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc:  denied  { read write } for  pid=6611 comm="passwd" path="/etc/samba/secrets.tdb" dev=dm-0 ino=16712965 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_secrets_t:s0 tclass=file
----
time->Wed Jul 22 03:28:23 2009
type=SYSCALL msg=audit(1248247703.786:58): arch=c000003e syscall=59 success=yes exit=0 a0=1bbd8b10 a1=1bbd8cf0 a2=1bbd7fd0 a3=0 items=0 ppid=6609 pid=6612 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="passwd" exe="/usr/bin/passwd" subj=root:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1248247703.786:58): avc:  denied  { append } for  pid=6612 comm="passwd" path="/var/log/samba/smbd.log" dev=dm-0 ino=29425705 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/var/cache/samba/share_info.tdb" dev=dm-0 ino=29425724 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="socket:[27972]" dev=sockfs ino=27972 scontext=root:system_r:passwd_t:s0 tcontext=root:system_r:smbd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/var/cache/samba/ntforms.tdb" dev=dm-0 ino=29425723 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/var/cache/samba/ntprinters.tdb" dev=dm-0 ino=29425722 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/var/cache/samba/account_policy.tdb" dev=dm-0 ino=29425716 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/var/cache/samba/group_mapping.tdb" dev=dm-0 ino=29425715 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/var/cache/samba/ntdrivers.tdb" dev=dm-0 ino=29425721 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/var/cache/samba/gencache.tdb" dev=dm-0 ino=29425713 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/var/cache/samba/locking.tdb" dev=dm-0 ino=29425712 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/var/cache/samba/brlock.tdb" dev=dm-0 ino=29425711 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/var/cache/samba/connections.tdb" dev=dm-0 ino=29425710 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/var/cache/samba/sessionid.tdb" dev=dm-0 ino=29425709 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/var/cache/samba/messages.tdb" dev=dm-0 ino=29425706 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { write } for  pid=6612 comm="passwd" path="/var/run/smbd.pid" dev=dm-0 ino=29393169 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:smbd_var_run_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc:  denied  { read write } for  pid=6612 comm="passwd" path="/etc/samba/secrets.tdb" dev=dm-0 ino=16712965 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_secrets_t:s0 tclass=file
----
Comment 24 Daniel Walsh 2009-07-23 09:28:07 EDT
These are the allow rules that would be generated.

allow passwd_t samba_log_t:file append;
allow passwd_t samba_secrets_t:file { read write };
allow passwd_t samba_var_t:file { read write };
allow passwd_t smbd_t:tcp_socket { read write };
allow passwd_t smbd_var_run_t:file write;


The only one that makes any sense is the first on.  All others are leaked file descriptors from the smbd daemon.  I don't see why any one of these would prevent the changing of the password though.  

Is this working in permissive mode?

smbd should be changed to open all of these files with FD_CLOEXEC

fcntl(fd, F_SETFD, FD_CLOEXEC)

These are the files being leaked.

path="/var/log/samba/smbd.log"
path="/var/cache/samba/share_info.tdb"
path="socket:[27972]"
path="/var/cache/samba/ntforms.tdb"
path="/var/cache/samba/ntprinters.tdb"
path="/var/cache/samba/account_policy.tdb"
path="/var/cache/samba/group_mapping.tdb"
path="/var/cache/samba/ntdrivers.tdb"
path="/var/cache/samba/gencache.tdb"
path="/var/cache/samba/locking.tdb"
path="/var/cache/samba/brlock.tdb"
path="/var/cache/samba/connections.tdb"
path="/var/cache/samba/sessionid.tdb"
path="/var/cache/samba/messages.tdb"
path="/var/run/smbd.pid"
path="/etc/samba/secrets.tdb"

Simo do you see any file here that the password command needs to write to, in order to make this successful?  /var/log/samba/smbd.log?
Comment 25 Milos Malik 2009-07-23 09:46:14 EDT
Created attachment 354860 [details]
samba config file
Comment 26 Milos Malik 2009-07-23 09:47:24 EDT
Created attachment 354861 [details]
samba daemon log file
Comment 27 Milos Malik 2009-07-23 09:57:05 EDT
The password gets changed if I run the test in permissive mode. The test is available here:

http://cvs.devel.redhat.com/cgi-bin/cvsweb.cgi/tests/selinux-policy/Regression/bz429726-smbd-cannot-change-unix-passwords/

If you search for "Invoking" in the samba daemon log file, you will see following message:

passwd: root:system_r:smbd_t is not authorized to change the password of
Comment 28 Milos Malik 2009-07-23 09:59:57 EDT
I forgot to mention that the samba daemon log file was created in enforcing mode.
Comment 29 Daniel Walsh 2009-07-23 11:42:28 EDT
Malik can you add the rules above and see if it works in enforcing mode, or are the AVC's not telling us what the problem is.
Comment 30 Milos Malik 2009-07-24 09:35:03 EDT
Dan, you were right, AVCs are not telling us, where the problem is.

Even if I wrote/compiled/loaded module with rules mentioned in comment#24, the password change in enforcing mode was unsuccessful.

According to what is written in the samba daemon log file I think that the problem is caused by passwd, therefore I filed a bug report against passwd package bz#513601. Let's see what tmraz can tell us about it.
Comment 31 Daniel Walsh 2009-07-27 10:46:08 EDT
If you run semodule -DB and try the command, do you see any other avc messages?
Comment 32 Daniel Walsh 2009-07-27 11:19:09 EDT
*** Bug 513601 has been marked as a duplicate of this bug. ***
Comment 33 Daniel Walsh 2009-07-27 11:26:26 EDT
Fixed in selinux-policy-2.4.6-254.el5

I think I have found the problem, with changing passwords,  I dontaudite the leaks.
Comment 38 errata-xmlrpc 2009-09-02 03:58:21 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html

Note You need to log in before you can comment on or make changes to this bug.