Description of problem:

Version-Release number of selected component (if applicable):
samba-3.0.33-3.29.el5_5.1
samba-client-3.0.33-3.29.el5_5.1
samba-common-3.0.33-3.29.el5_5.1
selinux-policy-2.4.6-289.el5
selinux-policy-devel-2.4.6-289.el5
selinux-policy-minimum-2.4.6-289.el5
selinux-policy-mls-2.4.6-289.el5
selinux-policy-strict-2.4.6-289.el5
selinux-policy-targeted-2.4.6-289.el5

How reproducible:
always

Steps to Reproduce:
# service smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
# service winbind start
Starting Winbind services: [ OK ]
# smbcontrol smbd ping
No replies received
# smbcontrol nmbd ping
No replies received
# smbcontrol winbind ping
No replies received
# ausearch -m avc -ts recent
----
time->Wed Nov 3 16:00:30 2010
type=SYSCALL msg=audit(1288814430.227:85): arch=40000003 syscall=37 success=no exit=-13 a0=1e49 a1=a a2=80ba68 a3=0 items=0 ppid=7734 pid=7739 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1288814430.227:85): avc: denied { signal } for pid=7739 comm="smbd" scontext=root:system_r:smbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----
time->Wed Nov 3 16:00:45 2010
type=SYSCALL msg=audit(1288814445.670:87): arch=40000003 syscall=37 success=no exit=-13 a0=1e4a a1=a a2=c2cfc8 a3=0 items=0 ppid=1 pid=7737 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="nmbd" exe="/usr/sbin/nmbd" subj=root:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1288814445.670:87): avc: denied { signal } for pid=7737 comm="nmbd" scontext=root:system_r:nmbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----
time->Wed Nov 3 16:01:02 2010
type=SYSCALL msg=audit(1288814462.858:94): arch=40000003 syscall=37 success=no exit=-13 a0=1e4e a1=a a2=79d2c8 a3=0 items=0 ppid=1 pid=7750 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="winbindd" exe="/usr/sbin/winbindd" subj=root:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1288814462.858:94): avc: denied { signal } for pid=7750 comm="winbindd" scontext=root:system_r:winbind_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----

Actual results:
AVCs appeared

Expected results:
no AVCs appeared
The problem is there is no transition from unconfined_t to smbcontrol_t domain in RHEL5. Could you try to execute

# chcon -t smbcontrol_exec_t /usr/bin/smbcontrol

Then it should work. But this change would need more testing for smbcontrol.
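An added example, not part of the original bug report: a Python parser that pairs each AVC record from the report with its SYSCALL record by audit event ID and decodes the denied call. It assumes i386 records (arch=40000003), where syscall 37 is kill(2) with a0 as the target PID and a1 as the signal number; the function names are illustrative.

```python
import re

# Records copied from the report above (ausearch output; SYSCALL and AVC share an event ID).
LOG = """\
type=SYSCALL msg=audit(1288814430.227:85): arch=40000003 syscall=37 success=no exit=-13 a0=1e49 a1=a a2=80ba68 a3=0 items=0 ppid=7734 pid=7739 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1288814430.227:85): avc: denied { signal } for pid=7739 comm="smbd" scontext=root:system_r:smbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1288814445.670:87): arch=40000003 syscall=37 success=no exit=-13 a0=1e4a a1=a a2=c2cfc8 a3=0 items=0 ppid=1 pid=7737 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="nmbd" exe="/usr/sbin/nmbd" subj=root:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1288814445.670:87): avc: denied { signal } for pid=7737 comm="nmbd" scontext=root:system_r:nmbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1288814462.858:94): arch=40000003 syscall=37 success=no exit=-13 a0=1e4e a1=a a2=79d2c8 a3=0 items=0 ppid=1 pid=7750 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="winbindd" exe="/usr/sbin/winbindd" subj=root:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1288814462.858:94): avc: denied { signal } for pid=7750 comm="winbindd" scontext=root:system_r:winbind_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Split 'key=value' audit fields into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KEYVAL.findall(text)}

def se_type(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]

def parse_denials(log):
    syscalls, avcs = {}, []
    for line in log.splitlines():
        event = EVENT_ID.search(line)
        if not event:
            continue
        if line.startswith("type=SYSCALL"):
            syscalls[event.group(1)] = fields(line)
        elif line.startswith("type=AVC") and (m := DENIED.search(line)):
            avcs.append((event.group(1), m.group(1).split(), fields(m.group(2))))
    denials = []
    for event_id, perms, avc in avcs:  # second pass, so record order does not matter
        sc = syscalls.get(event_id, {})
        d = {"event": event_id, "comm": avc.get("comm"), "perms": perms,
             "source": se_type(avc["scontext"]), "target": se_type(avc["tcontext"]),
             "tclass": avc["tclass"]}
        # Assumption: i386 records only, where syscall 37 is kill(pid, sig).
        if sc.get("arch") == "40000003" and sc.get("syscall") == "37":
            d["kill_pid"], d["kill_sig"] = int(sc["a0"], 16), int(sc["a1"], 16)
        denials.append(d)
    return denials

if __name__ == "__main__":
    for d in parse_denials(LOG):
        print(f'{d["comm"]}: {d["source"]} -> {d["target"]} {d["tclass"]} {d["perms"]} '
              f'kill(pid={d.get("kill_pid")}, sig={d.get("kill_sig")})')
```

All three denials decode to a daemon domain sending signal 10 (SIGUSR1 on x86 Linux) to a process labelled unconfined_t, which is consistent with smbcontrol still running in the caller's domain because of the missing transition described above.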
Fixed in selinux-policy-2.4.6-290.el5.noarch.
Fixed in selinux-policy-2.4.6-292.el5
I need to add term_use_console(smbcontrol_t) to make this work.
Fixed in selinux-policy-2.4.6-300.el5.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: With SELinux running in the enforcing mode, the smbcontrol utility was unable to ping Samba services such as smbd, nmbd, or winbindd. This error no longer occurs, and smbcontrol now works as expected.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html