Bug 466481 - dbus/policykit enabled system-config-samba doesn't work with SELinux/targeted enforcing
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
rawhide
All Linux
medium Severity medium
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
Duplicates: 469550 469552 469721
Reported: 2008-10-10 10:10 EDT by Nils Philippsen
Modified: 2008-11-04 11:35 EST
Doc Type: Bug Fix
Last Closed: 2008-11-04 11:35:39 EST

Description Nils Philippsen 2008-10-10 10:10:16 EDT
Description of problem:
System-config-samba for F10 is made to use PolicyKit to separate UI from code that needs privileges. If started with SELinux/targeted enforcing, the system dbus-daemon fails to start the associated privileged dbus service/mechanism (/usr/share/system-config-samba/system-config-samba-mechanism.py). If started in permissive mode, there are a lot more AVC alerts related to how the mechanism monitors the services, starts/stops/enables/disables them.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.10-3.fc10.noarch
system-config-samba-1.2.64-1.fc10.noarch

How reproducible:
Reproducible.

Steps to Reproduce:
1. "setenforce 1"
2. Start "system-config-services" from the command line
3. "setenforce 0", then repeat
  
Actual results:
In enforcing mode, it fails to start completely (see attached error message). In permissive mode, a lot of AVC alerts are logged (see attached ausearch and audit2allow output).

Expected results:
No error messages, system-config-services is running without generating AVC alerts.

Additional info:
The following allowed me to run s-c-samba in enforcing mode:

[root@gibraltar ~]# semanage fcontext -a -t initrc_exec_t /usr/share/system-config-samba/system-config-samba-mechanism.py
[root@gibraltar ~]# restorecon -v -R /usr/share/system-config-samba/
restorecon reset /usr/share/system-config-samba/system-config-samba-mechanism.py context system_u:object_r:usr_t:s0->system_u:object_r:initrc_exec_t:s0
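
Added example, not part of the original report or its attachments: a Python script that groups AVC denials from a permissive-mode run by source domain, target type and object class, which shows at a glance what the mechanism touches. The log lines are constructed, and the use of `system_dbusd_t` and `samba_etc_t` as the domain and type involved is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not from the bug's attachments).
# Assumption: the mechanism runs in system_dbusd_t and smb.conf is samba_etc_t.
SAMPLE_LOG = """\
type=AVC msg=audit(1223647816.101:40): avc:  denied  { execute } for  pid=2301 comm="dbus-daemon-lau" name="system-config-samba-mechanism.py" dev=dm-0 ino=4711 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1223647820.200:41): avc:  denied  { write } for  pid=2310 comm="python" name="smb.conf.new" dev=dm-0 ino=4800 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file
type=AVC msg=audit(1223647820.205:42): avc:  denied  { rename unlink } for  pid=2310 comm="python" name="smb.conf" dev=dm-0 ino=4801 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1223647820.205:42): arch=c000003e syscall=82 success=yes exit=0
type=AVC msg=audit(1223647825.300:43): avc:  denied  { execute } for  pid=2320 comm="python" name="service" dev=dm-0 ino=5000 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
"""

# Matches the denial body: permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": selinux_type(m.group("scontext")),
        "target": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }

def summarize(log_text):
    """Merge denials into {(source, target, tclass): permissions}."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            needed[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(needed)

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```
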

Comment 1 Daniel Walsh 2008-10-15 14:40:04 EDT
You changed system-config-samba-mechanism?

Fixed in selinux-policy-3.5.12-1.fc10

Comment 2 Nils Philippsen 2008-10-16 06:40:18 EDT
(In reply to comment #1)
> You changed system-config-samba-mechanism?

I just added it and didn't get around to notifying you about it -- we added system-config-services-mechanism.py to the policy earlier.

Comment 3 Daniel Walsh 2008-10-16 15:06:23 EDT
Well then this is really not the same.

system-config-services is used to stop and start services so it needs to run initrc_t.  But we really need a new policy to define what system-config-samba is allowed to do and then transition dbus to samba_config_t.

Do you have a quick explanation what this tool does?  What files/directories does it edit?  Does it execute any samba apps?  Does it restart the samba service?

Comment 4 Nils Philippsen 2008-10-17 04:50:23 EDT
(In reply to comment #3)
> Well then this is really not the same.
> 
> system-config-services is used to stop and start services so it needs to run
> initrc_t.  But we really need a new policy to define what system-config-samba
> is allowed to do and then transition dbus to samba_config_t.

OK

> Do you have a quick explanation what this tool does?  What files/directories
> does it edit?

It directly edits /etc/samba/smb.conf and .../smbusers (well, saves into $file.new, then renames - let me know if this is a problem).

> Does it execute any samba apps?

It uses /usr/sbin/pdbedit and /usr/bin/smbpasswd to manipulate Samba users and passwords and /usr/bin/testparm to determine valid Samba configuration file options.

> Does it restart the samba service?

Yes, it uses /sbin/chkconfig and /sbin/service on the nmb and smb services. Unfortunately I haven't gotten around to changing s-c-samba so it would use the s-c-services dbus backend for this, so that'll have to wait for F11.

Comment 5 Nils Philippsen 2008-11-03 09:40:40 EST
*** Bug 469550 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Walsh 2008-11-03 14:38:05 EST
*** Bug 469552 has been marked as a duplicate of this bug. ***

Comment 7 Nils Philippsen 2008-11-04 05:10:38 EST
*** Bug 469721 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2008-11-04 11:35:39 EST
Fixed in selinux-policy-3.5.13-14.fc10
