Bug 458929 - selinux prevents net from writing into /etc/samba/secrets.tdb
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.2
Hardware: All Linux
Priority: medium, Severity: low
Assigned To: Daniel Walsh
Reported: 2008-08-13 05:33 EDT by Ales Zelinka
Modified: 2014-04-24 10:23 EDT
Doc Type: Bug Fix
Last Closed: 2008-09-08 16:55:23 EDT


Description Ales Zelinka 2008-08-13 05:33:31 EDT
Description of problem:
net (from samba-common package) can't write to /etc/samba/secrets.tdb if it has selinux type samba_etc_t instead of a samba_secrets_t.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-137.el5

How reproducible:
always


Steps to Reproduce:
setup samba as a domain member
mv /etc/samba/secrets.{tdb,tdb-backup}
smbpasswd -a root #after this the file should be recreated as samba_etc_t
net rpc join -Uadministrator%password

Actual results:
- join fails, " Failed to open /etc/samba/secrets.tdb" is logged by net command
- avc log:
type=AVC msg=audit(1218619830.312:196): avc:  denied  { write } for  pid=26555 comm="net" name="secrets.tdb" dev=sda3 ino=8060986 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=root:object_r:samba_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1218619830.312:196): arch=40000003 syscall=5 success=no exit=-13 a0=bff0ecd8 a1=8042 a2=180 a3=8042 items=0 ppid=3022 pid=26555 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1218619830.338:197): avc:  denied  { write } for  pid=26555 comm="net" name="secrets.tdb" dev=sda3 ino=8060986 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=root:object_r:samba_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1218619830.338:197): arch=40000003 syscall=5 success=no exit=-13 a0=bff0e988 a1=8042 a2=180 a3=8042 items=0 ppid=3022 pid=26555 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)


Expected results:
successful domain join

Additional info:
Comment 1 Daniel Walsh 2008-08-13 11:56:36 EDT
This is a labeling problem 

restorecon -R -v /etc/samba 

should fix.

This file was moved to a different directory in newer versions of samba, so it should get labeled correctly in the future.
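
An added example (not part of the bug report and not Red Hat tooling): a small Python triage that parses an AVC denial like the ones quoted in the description and separates a mislabeled file, which `restorecon` corrects, from a denial that would need a policy change. The `EXPECTED_TYPE` table and the function names are assumptions for illustration; the expected type for secrets.tdb is the one the reporter names.

```python
import re

# Sample input: the first AVC record quoted in the report, embedded so the
# example runs offline.
SAMPLE_AVC = (
    'type=AVC msg=audit(1218619830.312:196): avc:  denied  { write } for  '
    'pid=26555 comm="net" name="secrets.tdb" dev=sda3 ino=8060986 '
    'scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 '
    'tcontext=root:object_r:samba_etc_t:s0 tclass=file'
)

# Assumption: expected types keyed by file name. The single entry comes from
# the report (secrets.tdb should be samba_secrets_t); extend as needed.
EXPECTED_TYPE = {"secrets.tdb": "samba_secrets_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))
    fields = {k: v.strip('"') for k, v in pairs}
    fields["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level may itself contain colons,
    # so take the third field rather than splitting from the right.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields

def triage(line, expected=EXPECTED_TYPE):
    """Classify a denial: 'mislabeled' (relabel the file) or 'policy'."""
    avc = parse_avc(line)
    if avc is None:
        return None
    want = expected.get(avc.get("name"))
    if want and avc["target_type"] != want:
        return ("mislabeled", avc["name"], avc["target_type"], want)
    return ("policy", avc.get("name"), avc["target_type"], want)

if __name__ == "__main__":
    print(triage(SAMPLE_AVC))
```

A `mislabeled` result corresponds to the case in this bug, where relabeling with `restorecon` is the fix rather than a policy change.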
