Bug 487001 - selinux prevents winbind from creating its kerberos config file
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
All Linux
low Severity medium
: rc
Assigned To: Miroslav Grepl
Reported: 2009-02-23 11:42 EST by Ales Zelinka
Modified: 2009-05-18 16:36 EDT
Doc Type: Bug Fix
: 509174
Last Closed: 2009-05-18 16:36:48 EDT

Description Ales Zelinka 2009-02-23 11:42:44 EST
Description of problem:
For Samba to work as a member of an ADS/domain, Kerberos must be properly configured. Samba's winbind daemon does this by creating its own krb5 configuration file in the /var/cache/samba/smb_krb5/ directory (it creates the directory too).

But SELinux doesn't allow winbind to create the directory.

Version-Release number of selected component (if applicable):

How reproducible:
Configure an ADS, run rhts:///CoreOS/samba/Sanity/domain-join against it

Actual results:
time->Mon Feb 23 11:20:50 2009
type=PATH msg=audit(1235406050.900:503): name="/var/cache/samba/smb_krb5" flags=10  inode=5538024 dev=68:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1235406050.900:503):  cwd="/"
type=SYSCALL msg=audit(1235406050.900:503): arch=c000003e syscall=83 success=no exit=-13 a0=552ae988f0 a1=1ed a2=e814ec70 a3=53 items=1 pid=8681 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="winbindd" exe="/usr/sbin/winbindd"
type=AVC msg=audit(1235406050.900:503): avc:  denied  { create } for  pid=8681 comm="winbindd" name="smb_krb5" scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=dir

Expected results:
no AVC denial
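
Added example (not part of the original report and not Red Hat's policy fix): a small Python parser that joins the audit records above by their event ID and derives the audit2allow-style rule the denial corresponds to. The function names are hypothetical, and the derived rule is only what the denial implies, not necessarily the rule shipped in the fixed package.

```python
import re
from collections import defaultdict

# Audit records copied verbatim from the report above.
SAMPLE = '''\
time->Mon Feb 23 11:20:50 2009
type=PATH msg=audit(1235406050.900:503): name="/var/cache/samba/smb_krb5" flags=10  inode=5538024 dev=68:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1235406050.900:503):  cwd="/"
type=SYSCALL msg=audit(1235406050.900:503): arch=c000003e syscall=83 success=no exit=-13 a0=552ae988f0 a1=1ed a2=e814ec70 a3=53 items=1 pid=8681 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="winbindd" exe="/usr/sbin/winbindd"
type=AVC msg=audit(1235406050.900:503): avc:  denied  { create } for  pid=8681 comm="winbindd" name="smb_krb5" scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=dir
'''

RECORD = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(text):
    """Group records by (timestamp, serial) so AVC, SYSCALL and PATH of one event join up."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # skips the "time->" separator lines
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            fields["perms"] = re.search(r'\{([^}]*)\}', body).group(1).split()
            fields["denied"] = "denied" in body.split("{")[0]
        events[(stamp, serial)][rtype] = fields
    return events

def summarize(text):
    """Return one finding per denied AVC: who, what path, errno, and the implied rule."""
    out = []
    for (stamp, serial), recs in sorted(group_events(text).items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or not avc["denied"]:
            continue
        # The SELinux type is the third field of user:role:type[:level].
        src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        out.append({
            "event": f"{stamp}:{serial}", "path": recs.get("PATH", {}).get("name"),
            "exe": sc.get("exe"), "errno": sc.get("exit"),
            # Candidate rule for review, in the form audit2allow would print.
            "rule": f"allow {src} {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};",
        })
    return out

if __name__ == "__main__":
    for finding in summarize(SAMPLE):
        print(finding)
```
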
Comment 1 Miroslav Grepl 2009-03-04 11:21:02 EST
Fixed in selinux-policy-targeted-1.17.30-2.152.el4
Comment 5 errata-xmlrpc 2009-05-18 16:36:48 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

