Bug 458929 - selinux prevents net from writing into /etc/samba/secrets.tdb
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.2
Hardware: All
OS: Linux
medium
low
Target Milestone: rc
Assignee: Daniel Walsh
Reported: 2008-08-13 09:33 UTC by Ales Zelinka
Modified: 2014-04-24 14:23 UTC (History)
Doc Type: Bug Fix
Last Closed: 2008-09-08 20:55:23 UTC

Description Ales Zelinka 2008-08-13 09:33:31 UTC
Description of problem:
net (from the samba-common package) can't write to /etc/samba/secrets.tdb if it has SELinux type samba_etc_t instead of samba_secrets_t.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-137.el5

How reproducible:
always


Steps to Reproduce:
setup samba as a domain member
mv /etc/samba/secrets.{tdb,tdb-backup}
smbpasswd -a root #after this the file should be recreated as samba_etc_t
net rpc join -Uadministrator%password

Actual results:
- join fails, "Failed to open /etc/samba/secrets.tdb" is logged by the net command
- avc log:
type=AVC msg=audit(1218619830.312:196): avc:  denied  { write } for  pid=26555 comm="net" name="secrets.tdb" dev=sda3 ino=8060986 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=root:object_r:samba_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1218619830.312:196): arch=40000003 syscall=5 success=no exit=-13 a0=bff0ecd8 a1=8042 a2=180 a3=8042 items=0 ppid=3022 pid=26555 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1218619830.338:197): avc:  denied  { write } for  pid=26555 comm="net" name="secrets.tdb" dev=sda3 ino=8060986 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=root:object_r:samba_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1218619830.338:197): arch=40000003 syscall=5 success=no exit=-13 a0=bff0e988 a1=8042 a2=180 a3=8042 items=0 ppid=3022 pid=26555 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)


Expected results:
successful domain join

Additional info:

Comment 1 Daniel Walsh 2008-08-13 15:56:36 UTC
This is a labeling problem 

restorecon -R -v /etc/samba 

should fix.

This file was moved to a different directory in newer versions of samba, so it should get labeled correctly in the future.
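
Added example, not part of the original report or comments: a small triage script that separates a labeling problem from a policy problem by comparing the target type in each AVC denial with the type the file-context database expects. The function names, the basename matching and the `matchpathcon` sample output are assumptions made for this example.

```python
import re
from os.path import basename

# AVC/SYSCALL records copied from the report above (second SYSCALL record omitted).
AUDIT_LOG = """\
type=AVC msg=audit(1218619830.312:196): avc:  denied  { write } for  pid=26555 comm="net" name="secrets.tdb" dev=sda3 ino=8060986 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=root:object_r:samba_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1218619830.312:196): arch=40000003 syscall=5 success=no exit=-13 a0=bff0ecd8 a1=8042 a2=180 a3=8042 items=0 ppid=3022 pid=26555 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1218619830.338:197): avc:  denied  { write } for  pid=26555 comm="net" name="secrets.tdb" dev=sda3 ino=8060986 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=root:object_r:samba_etc_t:s0 tclass=file
"""
# Constructed sample of `matchpathcon /etc/samba/secrets.tdb` output (path, then context).
MATCHPATHCON_OUT = "/etc/samba/secrets.tdb\tsystem_u:object_r:samba_secrets_t:s0\n"

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def expected_types(matchpathcon_output):
    """Map file basename -> expected type. Assumption: basenames are unique,
    because the AVC record carries only the last path component in name=."""
    table = {}
    for line in matchpathcon_output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            table[basename(parts[0])] = se_type(parts[1])
    return table

def triage(audit_log, matchpathcon_output):
    """Count denials per (comm, name, source type, actual type, expected type, verdict)."""
    expected, findings = expected_types(matchpathcon_output), {}
    for avc in filter(None, map(parse_avc, audit_log.splitlines())):
        if "name" not in avc or "tcontext" not in avc:
            continue
        actual, want = se_type(avc["tcontext"]), expected.get(avc["name"])
        # mislabeled: restorecon is the fix; policy: the label is right, the rule is missing
        verdict = "unknown" if want is None else "mislabeled" if want != actual else "policy"
        key = (avc["comm"], avc["name"], se_type(avc["scontext"]), actual, want, verdict)
        findings[key] = findings.get(key, 0) + 1
    return findings
```

For the records in this report the result is a single `mislabeled` finding counted twice, which matches the `restorecon` advice in Comment 1.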

