Description of problem:
System-config-samba for F10 is made to use PolicyKit to separate UI from code that needs privileges. If started with SELinux/targeted enforcing, the system dbus-daemon fails to start the associated privileged dbus service/mechanism (/usr/share/system-config-samba/system-config-samba-mechanism.py). If started in permissive mode, there are a lot more AVC alerts related to how the mechanism monitors the services, starts/stops/enables/disables them.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.10-3.fc10.noarch
system-config-samba-1.2.64-1.fc10.noarch

How reproducible:
Reproducible.

Steps to Reproduce:
1. "setenforce 1"
2. Start "system-config-services" from the command line
3. "setenforce 0", then repeat

Actual results:
In enforcing mode, it fails to start completely (see attached error message). In permissive mode, a lot of AVC alerts are logged (see attached ausearch and audit2allow output).

Expected results:
No error messages, system-config-services is running without generating AVC alerts.

Additional info:
The following allowed me to run s-c-samba in enforcing mode:

[root@gibraltar ~]# semanage fcontext -a -t initrc_exec_t /usr/share/system-config-samba/system-config-samba-mechanism.py
[root@gibraltar ~]# restorecon -v -R /usr/share/system-config-samba/
restorecon reset /usr/share/system-config-samba/system-config-samba-mechanism.py context system_u:object_r:usr_t:s0->system_u:object_r:initrc_exec_t:s0
You changed system-config-samba-mechanism?

Fixed in selinux-policy-3.5.12-1.fc10
(In reply to comment #1)
> You changed system-config-samba-mechanism?

I just added it and didn't get around to notifying you about it -- we added system-config-services-mechanism.py to the policy earlier.
Well then this is really not the same.

system-config-services is used to stop and start services so it needs to run initrc_t. But we really need a new policy to define what system-config-samba is allowed to do and then transition dbus to samba_config_t.

Do you have a quick explanation what this tool does? What files/directories does it edit?

Does it execute any samba apps?

Does it restart the samba service?
(In reply to comment #3)
> Well then this is really not the same.
>
> system-config-services is used to stop and start services so it needs to run
> initrc_t. But we really need a new policy to define what system-config-samba
> is allowed to do and then transition dbus to samba_config_t.

OK

> Do you have a quick explanation what this tool does? What files/directories
> does it edit?

It directly edits /etc/samba/smb.conf and .../smbusers (well, saves into $file.new, then renames - let me know if this is a problem).

> Does it execute any samba apps?

It uses /usr/sbin/pdbedit and /usr/bin/smbpasswd to manipulate Samba users and passwords and /usr/bin/testparm to determine valid Samba configuration file options.

> Does it restart the samba service?

Yes, it uses /sbin/chkconfig and /sbin/service on the nmb and smb services. Unfortunately I haven't gotten around to changing s-c-samba so it would use the s-c-services dbus backend for this, so that'll have to wait for F11.
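Added example, not part of the bug report or of system-config-samba: one way to turn the AVC denials from a permissive-mode run into the inventory asked for in comment #3 (what is edited, what is executed), as input for a dedicated domain instead of initrc_exec_t. The audit records below are constructed, and the SELinux types in them (system_dbusd_t, bin_t, samba_etc_t) are assumptions for illustration, not taken from the attachments.

```python
import re
from collections import defaultdict

# Constructed sample records; types and inode numbers are illustrative assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1225400001.101:201): avc:  denied  { execute } for  pid=2345 comm="system-config-s" path="/usr/bin/pdbedit" dev=dm-0 ino=1001 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1225400001.205:202): avc:  denied  { execute } for  pid=2345 comm="system-config-s" path="/usr/bin/smbpasswd" dev=dm-0 ino=1002 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1225400001.205:202): arch=40000003 syscall=11 success=yes exit=0 comm="smbpasswd"
type=AVC msg=audit(1225400002.310:203): avc:  denied  { create write } for  pid=2345 comm="system-config-s" name="smb.conf.new" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file
type=AVC msg=audit(1225400002.412:204): avc:  denied  { rename } for  pid=2345 comm="system-config-s" name="smb.conf.new" dev=dm-0 ino=1003 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file
type=AVC msg=audit(1225400002.413:205): avc:  denied  { write add_name } for  pid=2345 comm="system-config-s" path="/etc/samba" dev=dm-0 ino=1004 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial; return None for other or incomplete records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {'perms': m.group(1).split(),
            'key': (se_type(fields['scontext']), se_type(fields['tcontext']),
                    fields['tclass']),
            'object': fields.get('path') or fields.get('name', '?')}

def inventory(log_text):
    """Group denials as (source type, target type, class) -> perms, objects."""
    inv = defaultdict(lambda: {'perms': set(), 'objects': set()})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        inv[rec['key']]['perms'].update(rec['perms'])
        inv[rec['key']]['objects'].add(rec['object'])
    return dict(inv)

if __name__ == '__main__':
    for (src, tgt, cls), v in sorted(inventory(SAMPLE_AUDIT_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(v['perms']))} }}")
        print("    objects:", ", ".join(sorted(v['objects'])))
```

On a real system the input would come from ausearch output for the permissive-mode run rather than the embedded sample.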
*** Bug 469550 has been marked as a duplicate of this bug. ***
*** Bug 469552 has been marked as a duplicate of this bug. ***
*** Bug 469721 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-3.5.13-14.fc10