Bug 550436 - SELinux is preventing /usr/sbin/smbd "connectto" access on /var/run/winbindd/pipe.
Summary: SELinux is preventing /usr/sbin/smbd "connectto" access on /var/run/winbindd/...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:1870c87791b...
Duplicates: 550919 550920
Depends On:
Blocks:
 
Reported: 2009-12-25 08:06 UTC by snerq
Modified: 2010-01-08 20:11 UTC (History)

Fixed In Version: 3.6.32-66.fc12
Doc Type: Bug Fix
Doc Text:
SWAT is starting Winbind as well as I am running this machine as my WINS server. This machine is able to be seen from all Windows Machines and use the printer that I have connected to it, however from the server I am unable to see any computer connected to the windows workgroup. The list will only show the server, but will not let me access the server from the workgroup list. I have also updated the SELinux policy as per last bug request using the test repo.
Clone Of:
Environment:
Last Closed: 2010-01-08 20:11:10 UTC
Type: ---
Embargoed:



Description snerq 2009-12-25 08:06:19 UTC
Summary:

SELinux is preventing /usr/sbin/smbd "connectto" access on
/var/run/winbindd/pipe.

Detailed Description:

SELinux denied access requested by smbd. It is not expected that this access is
required by smbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:system_r:swat_t:s0-s0:c0.c1023
Target Objects                /var/run/winbindd/pipe [ unix_stream_socket ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           samba-3.4.2-47.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-59.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-166.fc12.i686.PAE #1 SMP
                              Wed Dec 9 11:00:30 EST 2009 i686 athlon
Alert Count                   5
First Seen                    Fri 25 Dec 2009 01:05:10 AM MST
Last Seen                     Fri 25 Dec 2009 01:05:10 AM MST
Local ID                      4b6cf851-a150-4523-b6a4-886c68c16baf
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1261728310.954:24784): avc:  denied  { connectto } for  pid=6558 comm="smbd" path="/var/run/winbindd/pipe" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:swat_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=(removed) type=SYSCALL msg=audit(1261728310.954:24784): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe6ea90 a2=330ff4 a3=8 items=0 ppid=1479 pid=6558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-59.fc12,catchall,smbd,smbd_t,swat_t,unix_stream_socket,connectto
audit2allow suggests:

#============= smbd_t ==============
allow smbd_t swat_t:unix_stream_socket connectto;

Comment 1 Daniel Walsh 2009-12-27 13:25:14 UTC
Is swat starting up the winbind server?

Comment 2 snerq 2009-12-28 03:32:03 UTC
SWAT is starting Winbind as well as I am running this machine as my WINS server. This machine is able to be seen from all Windows Machines and use the printer that I have connected to it, however from the server I am unable to see any computer connected to the windows workgroup. The list will only show the server, but will not let me access the server from the workgroup list. Is there anything that I am doing that is creating these errors?

Comment 3 snerq 2009-12-28 03:33:03 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
SWAT is starting Winbind as well as I am running this machine as my WINS
server. This machine is able to be seen from all Windows Machines and use the
printer that I have connected to it, how ever from the server I am unable to
see any computer connected to the windows workgroup. The list will only show
the server, but will not let me access the server from the workgroup list

Comment 4 snerq 2009-12-28 03:35:57 UTC
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -2,4 +2,4 @@
 server. This machine is able to be seen from all Windows Machines and use the
 printer that I have connected to it, how ever from the server I am unable to
 see any computer connected to the windows workgroup. The list will only show
-the server, but will not let me access the server from the workgroup list+the server, but will not let me access the server from the workgroup list. I have also updated the SELinux policy as per last bug request using the test repo.
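Review bot: the sentence added on the last line says the SELinux policy was updated "as per last bug request using the test repo" but names neither that bug nor the selinux-policy package version that was installed, so a reader of the Technical Notes field cannot tell which policy build these symptoms were observed on. Suggest stating the bug number and the installed selinux-policy version in that sentence.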

Comment 5 Daniel Walsh 2009-12-30 00:08:03 UTC
Adding transition rule

Fixed in selinux-policy-3.6.32-65.fc12.noarch

domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
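The triage behind Comment 1 and the fix in Comment 5, as an added example that is not part of the bug report or of selinux-policy: it parses the raw AVC record from the description, reproduces the audit2allow rule, and flags that the listener on the winbindd socket is running in swat_t, which points to a missing domain transition rather than a missing allow rule. The EXPECTED_LISTENER table and the function names are assumptions made for this example.

```python
import re

# AVC record copied from the "Raw Audit Messages" section of this report.
PAGE_AVC = ('node=(removed) type=AVC msg=audit(1261728310.954:24784): avc:  denied  '
            '{ connectto } for  pid=6558 comm="smbd" path="/var/run/winbindd/pipe" '
            'scontext=system_u:system_r:smbd_t:s0 '
            'tcontext=system_u:system_r:swat_t:s0-s0:c0.c1023 tclass=unix_stream_socket')

# Assumption for this example: the domain each socket's listener should run in.
# winbind_t is the target domain named in the domtrans_pattern fix.
EXPECTED_LISTENER = {"/var/run/winbindd/pipe": "winbind_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    avc = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    avc["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the MLS level may contain ':' itself,
    # so take the type by position instead of splitting from the right.
    avc["stype"] = avc["scontext"].split(":")[2]
    avc["ttype"] = avc["tcontext"].split(":")[2]
    return avc

def suggested_allow(avc):
    """Build the rule audit2allow would print for this denial."""
    perms = avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm};"

def mislabeled_listener(avc):
    """Return (actual, expected) when the socket's listener runs in the wrong domain."""
    expected = EXPECTED_LISTENER.get(avc.get("path"))
    if expected is not None and avc["ttype"] != expected:
        return avc["ttype"], expected
    return None

if __name__ == "__main__":
    avc = parse_avc(PAGE_AVC)
    print(suggested_allow(avc))
    hit = mislabeled_listener(avc)
    if hit:
        print(f"{avc['path']} is served by {hit[0]}, expected {hit[1]}: "
              f"look for a missing transition out of {hit[0]} before adding the allow rule")
```

Loading the audit2allow rule would let smbd connect to any unix stream socket owned by a swat_t process; the transition rule instead moves winbindd out of swat_t when SWAT starts it.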

Comment 6 Daniel Walsh 2009-12-30 00:08:35 UTC
*** Bug 550919 has been marked as a duplicate of this bug. ***

Comment 7 Daniel Walsh 2009-12-30 00:08:57 UTC
*** Bug 550920 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2010-01-04 21:54:41 UTC
selinux-policy-3.6.32-66.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-66.fc12

Comment 9 Fedora Update System 2010-01-05 22:50:45 UTC
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0184

Comment 10 Fedora Update System 2010-01-08 20:05:32 UTC
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

