Description of problem:

I'm running our samba "domain controller" on a CentOS 5.1 box. I'd like to allow samba to change user passwords, but it doesn't work and there doesn't seem to be an applicable boolean. I changed to permissive mode and collected the avc messages to see what is needed. In the meantime I'll make my own module.

Lines from smb.conf:

unix password sync = yes
passwd program = /usr/bin/passwd %u

Denials:

type=AVC msg=audit(1201026962.964:1823785): avc: denied { search } for pid=710 comm="smbd" name="cracklib" dev=dm-4 ino=293152 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir
type=AVC msg=audit(1201026962.964:1823785): avc: denied { read } for pid=710 comm="smbd" name="pw_dict.pwd" dev=dm-4 ino=293153 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file
type=AVC msg=audit(1201026963.019:1823786): avc: denied { getattr } for pid=710 comm="smbd" name="pw_dict.pwi" dev=dm-4 ino=293154 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file
type=AVC msg=audit(1201026963.226:1823787): avc: denied { write } for pid=710 comm="smbd" name=".pwd.lock" dev=dm-0 ino=229710 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1201026963.242:1823788): avc: denied { lock } for pid=710 comm="smbd" name=".pwd.lock" dev=dm-0 ino=229710 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1201026963.294:1823789): avc: denied { write } for pid=710 comm="smbd" name="etc" dev=dm-0 ino=229378 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1201026963.294:1823789): avc: denied { add_name } for pid=710 comm="smbd" name="nshadow" scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1201026963.294:1823789): avc: denied { create } for pid=710 comm="smbd" name="nshadow" scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1201026963.295:1823790): avc: denied { setattr } for pid=710 comm="smbd" name="nshadow" dev=dm-0 ino=229930 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1201026963.296:1823791): avc: denied { remove_name } for pid=710 comm="smbd" name="nshadow" dev=dm-0 ino=229930 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1201026963.296:1823791): avc: denied { rename } for pid=710 comm="smbd" name="nshadow" dev=dm-0 ino=229930 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1201026963.296:1823791): avc: denied { unlink } for pid=710 comm="smbd" name="shadow" dev=dm-0 ino=230449 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-106.el5.3
Hmm, can't load my own module:

# semodule -i smbpasswd.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow smbd_t shadow_t:file { write create };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

# cat smbpasswd.te
module smbpasswd 1.0;

require {
	type crack_db_t;
	type etc_t;
	type smbd_t;
	type shadow_t;
	class dir { write remove_name search add_name };
	class file { rename setattr read lock create write getattr unlink };
}

#============= smbd_t ==============
allow smbd_t crack_db_t:dir search;
allow smbd_t crack_db_t:file { read getattr };
allow smbd_t etc_t:dir { write remove_name add_name };
allow smbd_t shadow_t:file { rename write setattr lock create unlink };
Can you turn on the samba_domain_controller boolean?

setsebool -P samba_domain_controller=1

I am not sure this is in U1 policy but it is in U2. Preview on http://people.redhat.com/dwalsh/SELinux/RHEL5
(In reply to comment #2)
> Can you turn on the samba_domain_controller boolean
>
> setsebool -P samba_domain_controller=1
>
> I am not sure this is in U1 policy but it is in U2.

Sorry, forgot to mention that I had already turned that on to no effect.
Did you try the updated u2 policy?
Still doesn't work with selinux-policy-2.4.6-121.el5

[root@earth etc]# getsebool -a | grep samba
samba_domain_controller --> on
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_share_nfs --> on
use_samba_home_dirs --> off
[root@earth etc]# getsebool -a | grep smb
allow_smbd_anon_write --> off
smbd_disable_trans --> off

In enforcing I get:

type=AVC msg=audit(1202843048.759:129196): avc: denied { search } for pid=9292 comm="smbd" name="cracklib" dev=dm-4 ino=293152 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir

In permissive I get:

type=AVC msg=audit(1202843260.233:129254): avc: denied { search } for pid=9691 comm="smbd" name="cracklib" dev=dm-4 ino=293152 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir
type=AVC msg=audit(1202843260.233:129254): avc: denied { read } for pid=9691 comm="smbd" name="pw_dict.pwd" dev=dm-4 ino=293153 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file
type=AVC msg=audit(1202843260.245:129255): avc: denied { getattr } for pid=9691 comm="smbd" path="/usr/share/cracklib/pw_dict.pwi" dev=dm-4 ino=293154 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file
type=AVC msg=audit(1202843260.389:129256): avc: denied { write } for pid=9691 comm="smbd" name=".pwd.lock" dev=dm-0 ino=229710 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1202843260.398:129257): avc: denied { lock } for pid=9691 comm="smbd" path="/etc/.pwd.lock" dev=dm-0 ino=229710 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1202843260.405:129258): avc: denied { write } for pid=9691 comm="smbd" name="etc" dev=dm-0 ino=229378 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1202843260.405:129258): avc: denied { add_name } for pid=9691 comm="smbd" name="nshadow" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1202843260.405:129258): avc: denied { create } for pid=9691 comm="smbd" name="nshadow" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1202843260.406:129259): avc: denied { setattr } for pid=9691 comm="smbd" name="nshadow" dev=dm-0 ino=232312 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1202843260.406:129260): avc: denied { remove_name } for pid=9691 comm="smbd" name="nshadow" dev=dm-0 ino=232312 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1202843260.406:129260): avc: denied { rename } for pid=9691 comm="smbd" name="nshadow" dev=dm-0 ino=232312 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1202843260.406:129260): avc: denied { unlink } for pid=9691 comm="smbd" name="shadow" dev=dm-0 ino=231121 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
This looks like samba is trying to do the changes directly rather than using the helper applications? According to these AVC messages the passwd command was never execed?
unix password sync can be done in 2 ways:

1. using the password program
2. directly using pam if pam password change = yes

In the second case, samba will directly access the relevant resources as configured in the pam stack.
Orion, does it work with unix password sync = no?
Finally getting around to this again. I can't use "pam password change = yes" as I get the following error:

[2009/01/29 14:23:18, 0] libsmb/smbencrypt.c:decode_pw_buffer(553)
  decode_pw_buffer: incorrect password length (-612108435).
[2009/01/29 14:23:18, 0] libsmb/smbencrypt.c:decode_pw_buffer(554)
  decode_pw_buffer: check that 'encrypt passwords = yes'

encrypt passwords is set to yes. With this the samba password is changed but the pam/unix/ldap password is not. There is also "ldap password sync", but this fails to set the shadowLastchange/shadowExpire settings and so causes problems.

The other error message shown from passwd command:

passwd: root:system_r:smbd_t is not authorized to change the password of <user>
Any additional avc messages?
Created attachment 330485 [details]
audit messages

These are the audit messages. Looks like some leaked file descriptors at the start, then:

type=USER_CHAUTHTOK msg=audit(1233332747.904:366376): user pid=928 uid=0 auid=0 subj=root:system_r:passwd_t:s0 msg='op=change password id=6421 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/12 res=failed)'

seems like the most relevant. I'll let you be the final judge though...
I have some fixes in selinux-policy-2.4.6-208.el5

Preview to U4 policy is available on http://people.redhat.com/dwalsh/SElinux/RHEL5
Make that http://people.redhat.com/dwalsh/SELinux/RHEL5.

Any chance on reverting to "sha" sums in the repodata? I don't think yum-3.2.8-9.el5 can handle sha256 sums.

dwalsh-selinux            100% |=========================| 1.2 kB    00:00
primary.xml.gz            100% |=========================| 7.4 kB    00:00
http://people.redhat.com/dwalsh/SELinux/RHEL5/repodata/primary.xml.gz: [Errno -3] Error performing checksum
Trying other mirror.
Error: failure: repodata/primary.xml.gz from dwalsh-selinux: [Errno 256] No more mirrors to try.
I just put out selinux-policy-2.4.6-217.el5 with sha1, I think.
I think you need to regenerate the repodata:

Downloading Packages:
(1/2): selinux-policy-2.4 100% |=========================| 384 kB    00:01
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/selinux-policy-2.4.6-217.el5.noarch.rpm: [Errno -1] Package does not match intended download
Trying other mirror.
(2/2): selinux-policy-tar 100% |=========================| 1.1 MB    00:04
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/selinux-policy-targeted-2.4.6-217.el5.noarch.rpm: [Errno -1] Package does not match intended download
Trying other mirror.

This is after a yum clean all.
Looks like the checksums in primary.xml are sha256. Ah well. I'll install by hand and see how things go.
I need avc messages, What does /var/log/audit/audit.log show?
# rpm -qa selinux-policy\*
selinux-policy-2.4.6-253.el5
selinux-policy-targeted-2.4.6-253.el5
# rpm -qa samba\*
samba-common-3.0.33-3.14.el5
samba-3.0.33-3.14.el5
# rpm -qa passwd\*
passwd-0.73-1
# setenforce 1
# setsebool samba_domain_controller=1

Got following AVCs:

----
time->Wed Jul 22 03:28:23 2009
type=SYSCALL msg=audit(1248247703.771:54): arch=c000003e syscall=59 success=yes exit=0 a0=735cb10 a1=735ccf0 a2=735bfd0 a3=0 items=0 ppid=6609 pid=6610 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="passwd" exe="/usr/bin/passwd" subj=root:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1248247703.771:54): avc: denied { append } for pid=6610 comm="passwd" path="/var/log/samba/smbd.log" dev=dm-0 ino=29425705 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/var/cache/samba/share_info.tdb" dev=dm-0 ino=29425724 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="socket:[27972]" dev=sockfs ino=27972 scontext=root:system_r:passwd_t:s0 tcontext=root:system_r:smbd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/var/cache/samba/ntforms.tdb" dev=dm-0 ino=29425723 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/var/cache/samba/ntprinters.tdb" dev=dm-0 ino=29425722 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/var/cache/samba/account_policy.tdb" dev=dm-0 ino=29425716 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/var/cache/samba/group_mapping.tdb" dev=dm-0 ino=29425715 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/var/cache/samba/ntdrivers.tdb" dev=dm-0 ino=29425721 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/var/cache/samba/gencache.tdb" dev=dm-0 ino=29425713 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/var/cache/samba/locking.tdb" dev=dm-0 ino=29425712 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/var/cache/samba/brlock.tdb" dev=dm-0 ino=29425711 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/var/cache/samba/connections.tdb" dev=dm-0 ino=29425710 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/var/cache/samba/sessionid.tdb" dev=dm-0 ino=29425709 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/var/cache/samba/messages.tdb" dev=dm-0 ino=29425706 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { write } for pid=6610 comm="passwd" path="/var/run/smbd.pid" dev=dm-0 ino=29393169 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:smbd_var_run_t:s0 tclass=file
type=AVC msg=audit(1248247703.771:54): avc: denied { read write } for pid=6610 comm="passwd" path="/etc/samba/secrets.tdb" dev=dm-0 ino=16712965 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_secrets_t:s0 tclass=file
----
time->Wed Jul 22 03:28:23 2009
type=SYSCALL msg=audit(1248247703.780:56): arch=c000003e syscall=59 success=yes exit=0 a0=f916b10 a1=f916cf0 a2=f915fd0 a3=0 items=0 ppid=6609 pid=6611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="passwd" exe="/usr/bin/passwd" subj=root:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1248247703.780:56): avc: denied { append } for pid=6611 comm="passwd" path="/var/log/samba/smbd.log" dev=dm-0 ino=29425705 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/var/cache/samba/share_info.tdb" dev=dm-0 ino=29425724 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="socket:[27972]" dev=sockfs ino=27972 scontext=root:system_r:passwd_t:s0 tcontext=root:system_r:smbd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/var/cache/samba/ntforms.tdb" dev=dm-0 ino=29425723 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/var/cache/samba/ntprinters.tdb" dev=dm-0 ino=29425722 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/var/cache/samba/account_policy.tdb" dev=dm-0 ino=29425716 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/var/cache/samba/group_mapping.tdb" dev=dm-0 ino=29425715 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/var/cache/samba/ntdrivers.tdb" dev=dm-0 ino=29425721 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/var/cache/samba/gencache.tdb" dev=dm-0 ino=29425713 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/var/cache/samba/locking.tdb" dev=dm-0 ino=29425712 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/var/cache/samba/brlock.tdb" dev=dm-0 ino=29425711 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/var/cache/samba/connections.tdb" dev=dm-0 ino=29425710 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/var/cache/samba/sessionid.tdb" dev=dm-0 ino=29425709 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/var/cache/samba/messages.tdb" dev=dm-0 ino=29425706 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { write } for pid=6611 comm="passwd" path="/var/run/smbd.pid" dev=dm-0 ino=29393169 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:smbd_var_run_t:s0 tclass=file
type=AVC msg=audit(1248247703.780:56): avc: denied { read write } for pid=6611 comm="passwd" path="/etc/samba/secrets.tdb" dev=dm-0 ino=16712965 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_secrets_t:s0 tclass=file
----
time->Wed Jul 22 03:28:23 2009
type=SYSCALL msg=audit(1248247703.786:58): arch=c000003e syscall=59 success=yes exit=0 a0=1bbd8b10 a1=1bbd8cf0 a2=1bbd7fd0 a3=0 items=0 ppid=6609 pid=6612 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="passwd" exe="/usr/bin/passwd" subj=root:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1248247703.786:58): avc: denied { append } for pid=6612 comm="passwd" path="/var/log/samba/smbd.log" dev=dm-0 ino=29425705 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/var/cache/samba/share_info.tdb" dev=dm-0 ino=29425724 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="socket:[27972]" dev=sockfs ino=27972 scontext=root:system_r:passwd_t:s0 tcontext=root:system_r:smbd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/var/cache/samba/ntforms.tdb" dev=dm-0 ino=29425723 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/var/cache/samba/ntprinters.tdb" dev=dm-0 ino=29425722 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/var/cache/samba/account_policy.tdb" dev=dm-0 ino=29425716 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/var/cache/samba/group_mapping.tdb" dev=dm-0 ino=29425715 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/var/cache/samba/ntdrivers.tdb" dev=dm-0 ino=29425721 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/var/cache/samba/gencache.tdb" dev=dm-0 ino=29425713 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/var/cache/samba/locking.tdb" dev=dm-0 ino=29425712 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/var/cache/samba/brlock.tdb" dev=dm-0 ino=29425711 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/var/cache/samba/connections.tdb" dev=dm-0 ino=29425710 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/var/cache/samba/sessionid.tdb" dev=dm-0 ino=29425709 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/var/cache/samba/messages.tdb" dev=dm-0 ino=29425706 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { write } for pid=6612 comm="passwd" path="/var/run/smbd.pid" dev=dm-0 ino=29393169 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:smbd_var_run_t:s0 tclass=file
type=AVC msg=audit(1248247703.786:58): avc: denied { read write } for pid=6612 comm="passwd" path="/etc/samba/secrets.tdb" dev=dm-0 ino=16712965 scontext=root:system_r:passwd_t:s0 tcontext=root:object_r:samba_secrets_t:s0 tclass=file
----
These are the allow rules that would be generated.

allow passwd_t samba_log_t:file append;
allow passwd_t samba_secrets_t:file { read write };
allow passwd_t samba_var_t:file { read write };
allow passwd_t smbd_t:tcp_socket { read write };
allow passwd_t smbd_var_run_t:file write;

The only one that makes any sense is the first one. All others are leaked file descriptors from the smbd daemon. I don't see why any one of these would prevent the changing of the password though. Is this working in permissive mode?

smbd should be changed to open all of these files with FD_CLOEXEC

fcntl(fd, F_SETFD, FD_CLOEXEC)

These are the files being leaked.

path="/var/log/samba/smbd.log"
path="/var/cache/samba/share_info.tdb"
path="socket:[27972]"
path="/var/cache/samba/ntforms.tdb"
path="/var/cache/samba/ntprinters.tdb"
path="/var/cache/samba/account_policy.tdb"
path="/var/cache/samba/group_mapping.tdb"
path="/var/cache/samba/ntdrivers.tdb"
path="/var/cache/samba/gencache.tdb"
path="/var/cache/samba/locking.tdb"
path="/var/cache/samba/brlock.tdb"
path="/var/cache/samba/connections.tdb"
path="/var/cache/samba/sessionid.tdb"
path="/var/cache/samba/messages.tdb"
path="/var/run/smbd.pid"
path="/etc/samba/secrets.tdb"

Simo, do you see any file here that the password command needs to write to, in order to make this successful? /var/log/samba/smbd.log?
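To make the descriptor leak behind those AVCs concrete, here is an added example (my own code, not anything from Samba or the selinux-policy package). It opens a descriptor the way a plain open() in a daemon would, asks an exec'd /bin/sh child whether that descriptor is still usable, then applies the fcntl(fd, F_SETFD, FD_CLOEXEC) suggested in the comment above and asks again. It assumes a POSIX system with fork(), /bin/sh and /dev/null; the helper names (set_cloexec, count_leaky_fds, fd_survives_exec, demo) are mine. O_CLOEXEC at open() time only exists on Linux 2.6.23 and later, so on a RHEL 5 era kernel the after-the-fact fcntl() is the route that works; count_leaky_fds() is the self-check a daemon can run right before it forks a helper such as /usr/bin/passwd, which is exactly the point at which smbd's tdb, log and socket handles crossed into passwd_t.

```c
/* Added example: show a file descriptor surviving execve() and the
 * FD_CLOEXEC fix. Not Samba code; helper names are this example's own. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark an already-open fd close-on-exec, keeping any other FD flags.
 * This is the fcntl(fd, F_SETFD, FD_CLOEXEC) call suggested above. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Count descriptors >= 3 in this process that lack FD_CLOEXEC, i.e. the
 * ones that would be inherited by any helper we exec. A daemon can log
 * this right before fork()/exec() to catch leaks before SELinux does. */
int count_leaky_fds(void)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0)
        maxfd = 1024;                    /* conservative fallback */
    int leaky = 0;
    for (int fd = 3; fd < maxfd; fd++) {
        int flags = fcntl(fd, F_GETFD);  /* -1/EBADF when fd is closed */
        if (flags >= 0 && !(flags & FD_CLOEXEC))
            leaky++;
    }
    return leaky;
}

/* Empirical check: fork, exec /bin/sh, and have the shell try to write to
 * the given fd number. The redirection fails if the fd did not survive exec.
 * Returns 1 if the fd was still open in the child, 0 if closed, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "echo leaked 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Open a scratch target (/dev/null stands in for smbd's tdb files), record
 * whether it leaks before and after the fix. Returns 0 on success. */
int demo(int *before, int *after)
{
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0)
        return -1;
    *before = fd_survives_exec(fd);      /* plain open(): 1, the fd leaks */
    if (set_cloexec(fd) < 0) {
        close(fd);
        return -1;
    }
    *after = fd_survives_exec(fd);       /* with FD_CLOEXEC: 0, closed at exec */
    close(fd);
    return 0;
}

int main(void)
{
    int before, after;
    if (demo(&before, &after) != 0) {
        perror("demo");
        return 1;
    }
    printf("before FD_CLOEXEC: %s in exec'd child\n", before ? "open (leaked)" : "closed");
    printf("after  FD_CLOEXEC: %s in exec'd child\n", after ? "open (leaked)" : "closed");
    printf("descriptors that would leak from this process now: %d\n", count_leaky_fds());
    return 0;
}
```

The leaked descriptors carry smbd_t's open files into the passwd_t domain, which is why passwd's AVCs name tdb files passwd never opened; the "allow passwd_t samba_var_t ..." rules audit2allow would emit from them are noise, and the right fix sits in the daemon (close-on-exec) plus a dontaudit in policy, not in widening passwd_t.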
Created attachment 354860 [details] samba config file
Created attachment 354861 [details] samba daemon log file
The password gets changed if I run the test in permissive mode. The test is available here:

http://cvs.devel.redhat.com/cgi-bin/cvsweb.cgi/tests/selinux-policy/Regression/bz429726-smbd-cannot-change-unix-passwords/

If you search for "Invoking" in the samba daemon log file, you will see the following message:

passwd: root:system_r:smbd_t is not authorized to change the password of
I forgot to mention that the samba daemon log file was created in enforcing mode.
Malik, can you add the rules above and see if it works in enforcing mode, or are the AVCs not telling us what the problem is?
Dan, you were right, the AVCs are not telling us where the problem is. Even after I wrote/compiled/loaded a module with the rules mentioned in comment #24, the password change in enforcing mode was unsuccessful. According to what is written in the samba daemon log file I think that the problem is caused by passwd, therefore I filed a bug report against the passwd package, bz#513601. Let's see what tmraz can tell us about it.
If you run semodule -DB and try the command, do you see any other avc messages?
*** Bug 513601 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-2.4.6-254.el5

I think I have found the problem with changing passwords. I dontaudit the leaks.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html