Red Hat Bugzilla – Bug 466481
dbus/policykit enabled system-config-samba doesn't work with SELinux/targeted enforcing
Last modified: 2008-11-04 11:35:39 EST
Description of problem:
System-config-samba for F10 is made to use PolicyKit to separate UI from code that needs privileges. If started with SELinux/targeted enforcing, the system dbus-daemon fails to start the associated privileged dbus service/mechanism (/usr/share/system-config-samba/system-config-samba-mechanism.py). If started in permissive mode, there are a lot more AVC alerts related to how the mechanism monitors the services, starts/stops/enables/disables them.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. "setenforce 1"
2. Start "system-config-services" from the command line
3. "setenforce 0", then repeat
Actual results:
In enforcing mode, it fails to start completely (see attached error message). In permissive mode, a lot of AVC alerts are logged (see attached ausearch and audit2allow output).
Expected results:
No error messages, system-config-services is running without generating AVC alerts.
The following allowed me to run s-c-samba in enforcing mode:
[root@gibraltar ~]# semanage fcontext -a -t initrc_exec_t /usr/share/system-config-samba/system-config-samba-mechanism.py
[root@gibraltar ~]# restorecon -v -R /usr/share/system-config-samba/
restorecon reset /usr/share/system-config-samba/system-config-samba-mechanism.py context system_u:object_r:usr_t:s0->system_u:object_r:initrc_exec_t:s0
You changed system-config-samba-mechanism?
Fixed in selinux-policy-3.5.12-1.fc10
(In reply to comment #1)
> You changed system-config-samba-mechanism?
I just added it and didn't get around to notifying you about it -- we added system-config-services-mechanism.py to the policy earlier.
Well then this is really not the same.
system-config-services is used to stop and start services so it needs to run initrc_t. But we really need a new policy to define what system-config-samba is allowed to do and then transition dbus to samba_config_t.
Do you have a quick explanation what this tool does? What files/directories does it edit? Does it execute any samba apps? Does it restart the samba service?
(In reply to comment #3)
> Well then this is really not the same.
> system-config-services is used to stop and start services so it needs to run
> initrc_t. But we really need a new policy to define what system-config-samba
> is allowed to do and then transition dbus to samba_config_t.
> Do you have a quick explanation what this tool does? What files/directories
> does it edit?
It directly edits /etc/samba/smb.conf and .../smbusers (well, saves into $file.new, then renames - let me know if this is a problem).
> Does it execute any samba apps?
It uses /usr/sbin/pdbedit and /usr/bin/smbpasswd to manipulate Samba users and passwords and /usr/bin/testparm to determine valid Samba configuration file options.
> Does it restart the samba service?
Yes, it uses /sbin/chkconfig and /sbin/service on the nmb and smb services. Unfortunately I haven't gotten around to changing s-c-samba so it would use the s-c-services dbus backend for this, so that'll have to wait for F11.
*** Bug 469550 has been marked as a duplicate of this bug. ***
*** Bug 469552 has been marked as a duplicate of this bug. ***
*** Bug 469721 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-3.5.13-14.fc10
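The workaround earlier in this report relabels the mechanism script to initrc_exec_t, the type the thread goes on to call too broad for a Samba configuration tool. As an added example (not part of the bug report and not code from any of the packages discussed), this Python code parses `restorecon -v` output and lists relabels into that type so they can be reviewed. The BROAD_EXEC_TYPES set, the `reviewed` allow-list parameter, the newer "Relabeled ... from ... to ..." line format and the second sample line are assumptions of the example.

```python
import re

# restorecon -v line formats: the older one quoted in this report, and the
# "Relabeled ... from ... to ..." form printed by newer policycoreutils.
_OLD = re.compile(r"^restorecon reset (?P<path>.+) context (?P<old>\S+)->(?P<new>\S+)$")
_NEW = re.compile(r"^Relabeled (?P<path>.+) from (?P<old>\S+) to (?P<new>\S+)$")

# Types treated as broad entry points (assumption of this example);
# initrc_exec_t is the one discussed in this bug.
BROAD_EXEC_TYPES = {"initrc_exec_t"}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context string."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def parse_relabels(output):
    """Yield (path, old_type, new_type) for each relabel line in the output."""
    for line in output.splitlines():
        line = line.strip()
        m = _OLD.match(line) or _NEW.match(line)
        if m:
            yield m["path"], selinux_type(m["old"]), selinux_type(m["new"])


def flag_broad_relabels(output, reviewed=()):
    """Return relabels into a broad exec type whose path is not in `reviewed`."""
    return [r for r in parse_relabels(output)
            if r[2] in BROAD_EXEC_TYPES and r[0] not in reviewed]


# Constructed sample: the first line is the one quoted in this report, the
# second is a made-up harmless relabel in the newer output format.
SAMPLE = """\
restorecon reset /usr/share/system-config-samba/system-config-samba-mechanism.py context system_u:object_r:usr_t:s0->system_u:object_r:initrc_exec_t:s0
Relabeled /usr/share/example/readme.txt from system_u:object_r:tmp_t:s0 to system_u:object_r:usr_t:s0
"""

if __name__ == "__main__":
    for path, old, new in flag_broad_relabels(SAMPLE):
        print("review: %s relabeled %s -> %s" % (path, old, new))
```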