Bug 457893 - selinux prevents winbindd to write into /etc/samba/secrets.tdb
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Hardware/OS: All Linux
Priority: medium, Severity: low
Assigned To: Daniel Walsh
Reported: 2008-08-05 05:21 EDT by Ales Zelinka
Modified: 2008-09-08 17:00 EDT

Doc Type: Bug Fix
Last Closed: 2008-09-08 17:00:23 EDT
Description Ales Zelinka 2008-08-05 05:21:00 EDT
Description of problem:
SELinux prevents the winbind daemon from writing into /etc/samba/secrets.tdb if the file was not created by winbind itself.

Winbind is only able to write into secrets.tdb if it is in the samba_secrets_t SELinux domain, but it is usually created as samba_etc_t. Winbind creates the file in the right domain (afaik thanks to this rule: type_transition winbind_t samba_etc_t : file samba_secrets_t;).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. remove /etc/samba/secrets.tdb if it exists (it is not owned by any package, so it should not exist on a freshly installed system)
2. let the file be recreated by any application but winbindd:
(smbpasswd -a username, pdbedit -L, service smb start, net [rpc|ads] join, ...)
3. try to start winbind service
Actual results:
"service winbind start" succeeds BUT:
- winbind exits almost immediately with this in /var/log/samba/winbindd.log:
[2008/08/05 10:59:12, 0] passdb/secrets.c:secrets_init(67)
  Failed to open /etc/samba/secrets.tdb
[2008/08/05 10:59:12, 0] nsswitch/winbindd.c:main(1010)
  Could not initialize domain trust account secrets. Giving up

- audit.log:
type=AVC msg=audit(1217948520.970:287): avc:  denied  { write } for  pid=593 comm="winbindd" name="secrets.tdb" dev=dm-0 ino=99170 scontext=root:system_r:winbind_t tcontext=root:object_r:samba_etc_t tclass=file
type=SYSCALL msg=audit(1217948520.970:287): arch=40000003 syscall=5 success=no exit=-13 a0=bfe9e720 a1=8042 a2=180 a3=8042 items=1 pid=593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="winbindd" exe="/usr/sbin/winbindd"
type=CWD msg=audit(1217948520.970:287):  cwd="/"
type=PATH msg=audit(1217948520.970:287): name="/etc/samba/secrets.tdb" flags=310  inode=1083053 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00

Expected results:
winbind is able to write to /etc/samba/secrets.tdb without the need for workaround/manual checking/changing the selinux domain of secrets.tdb.

Additional info:
Workaround - one of:
- let winbind create the file
- restorecon -R -v /etc/samba/secrets.tdb
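An added example, not part of this report or of the selinux-policy package: a small parser for type=AVC audit records that flags the exact condition described above, a write denial where winbind_t hits a secrets.tdb whose type is something other than samba_secrets_t (the type the type_transition rule would have produced), so an administrator can spot the mislabelled file before starting winbindd. The embedded audit text is constructed from the record in this report; nothing is read from a live system.

```python
import re

# Constructed sample input: the AVC record from this report, its SYSCALL line
# (no avc: field, so it is skipped) and a correctly labelled record for contrast.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1217948520.970:287): avc:  denied  { write } for  '
    'pid=593 comm="winbindd" name="secrets.tdb" dev=dm-0 ino=99170 '
    'scontext=root:system_r:winbind_t tcontext=root:object_r:samba_etc_t tclass=file\n'
    'type=SYSCALL msg=audit(1217948520.970:287): arch=40000003 syscall=5 success=no exit=-13\n'
    'type=AVC msg=audit(1217948600.000:300): avc:  granted  { write } for  '
    'pid=700 comm="winbindd" name="secrets.tdb" dev=dm-0 ino=99171 '
    'scontext=root:system_r:winbind_t tcontext=root:object_r:samba_secrets_t tclass=file\n'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Turn one type=AVC audit line into a dict; return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['result'] = m.group('result')
    rec['perms'] = set(m.group('perms').split())
    # The type is the third field of user:role:type[:level]; works with or without an MLS level.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def find_mislabelled_secrets(audit_text, expected_type='samba_secrets_t'):
    """Return AVC denials where winbind_t was refused access to a secrets.tdb
    whose type differs from the one the policy's type_transition would give it."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        if (rec['source_type'] == 'winbind_t' and rec.get('tclass') == 'file'
                and rec.get('name') == 'secrets.tdb' and rec['target_type'] != expected_type):
            hits.append(rec)
    return hits

if __name__ == '__main__':
    for hit in find_mislabelled_secrets(SAMPLE_AUDIT):
        print('pid %s: %s denied %s on secrets.tdb labelled %s (expected samba_secrets_t); '
              'relabel with: restorecon -R -v /etc/samba/secrets.tdb'
              % (hit['pid'], hit['source_type'], ','.join(sorted(hit['perms'])), hit['target_type']))
```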
Comment 1 Daniel Walsh 2008-08-08 11:04:58 EDT
Does
# restorecon -R -v /etc/samba
fix the problem
Comment 2 Ales Zelinka 2008-08-08 11:24:31 EDT
(In reply to comment #1)
> Does 
> # restorecon -R -v /etc/samba
> fix the problem

Yes, it does. But it has to be run after the file is created by any of the samba utilities and before winbindd is started.
Comment 3 Daniel Walsh 2008-08-08 11:42:48 EDT
Yes, this problem is fixed in RHEL5 and all new Fedora updates, but right now we do not plan on fixing it in RHEL4.
