Bug 649492 - smbcontrol cannot ping samba services like smbd, nmbd, winbindd
smbcontrol cannot ping samba services like smbd, nmbd, winbindd
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.6
All Linux
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-11-03 16:05 EDT by Milos Malik
Modified: 2012-09-26 10:00 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-300.el5
Doc Type: Bug Fix
Doc Text:
With SELinux running in the enforcing mode, the smbcontrol utility was unable to ping Samba services such as smbd, nmbd, or winbindd. This error no longer occurs, and smbcontrol now works as expected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-13 16:51:03 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Milos Malik 2010-11-03 16:05:52 EDT
Description of problem:


Version-Release number of selected component (if applicable):
samba-3.0.33-3.29.el5_5.1
samba-client-3.0.33-3.29.el5_5.1
samba-common-3.0.33-3.29.el5_5.1
selinux-policy-2.4.6-289.el5
selinux-policy-devel-2.4.6-289.el5
selinux-policy-minimum-2.4.6-289.el5
selinux-policy-mls-2.4.6-289.el5
selinux-policy-strict-2.4.6-289.el5
selinux-policy-targeted-2.4.6-289.el5

How reproducible:
always

Steps to Reproduce:
# service smb start
Starting SMB services: [  OK  ]
Starting NMB services: [  OK  ]
# service winbind start
Starting Winbind services: [  OK  ]
# smbcontrol smbd ping
No replies received
# smbcontrol nmbd ping
No replies received
# smbcontrol winbind ping
No replies received
# ausearch -m avc -ts recent
----
time->Wed Nov  3 16:00:30 2010
type=SYSCALL msg=audit(1288814430.227:85): arch=40000003 syscall=37 success=no exit=-13 a0=1e49 a1=a a2=80ba68 a3=0 items=0 ppid=7734 pid=7739 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1288814430.227:85): avc:  denied  { signal } for  pid=7739 comm="smbd" scontext=root:system_r:smbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----
time->Wed Nov  3 16:00:45 2010
type=SYSCALL msg=audit(1288814445.670:87): arch=40000003 syscall=37 success=no exit=-13 a0=1e4a a1=a a2=c2cfc8 a3=0 items=0 ppid=1 pid=7737 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="nmbd" exe="/usr/sbin/nmbd" subj=root:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1288814445.670:87): avc:  denied  { signal } for  pid=7737 comm="nmbd" scontext=root:system_r:nmbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----
time->Wed Nov  3 16:01:02 2010
type=SYSCALL msg=audit(1288814462.858:94): arch=40000003 syscall=37 success=no exit=-13 a0=1e4e a1=a a2=79d2c8 a3=0 items=0 ppid=1 pid=7750 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="winbindd" exe="/usr/sbin/winbindd" subj=root:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1288814462.858:94): avc:  denied  { signal } for  pid=7750 comm="winbindd" scontext=root:system_r:winbind_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----
  
Actual results:
AVCs appeared

Expected results:
no AVCs appeared
Comment 1 Miroslav Grepl 2010-11-04 06:48:34 EDT
The problem is there is no transition from unconfined_t to smbcontrol_t domain in RHEL5.

Could you try to execute

# chcon -t smbcontrol_exec_t /usr/bin/smbcontrol

Then should work. But this change would need more testing for smbcontrol.
Comment 2 Miroslav Grepl 2010-11-08 11:04:15 EST
Fixed in selinux-policy-2.4.6-290.el5.noarch.
Comment 7 Miroslav Grepl 2010-11-10 06:56:22 EST
Fixed in selinux-policy-2.4.6-292.el5
Comment 12 Miroslav Grepl 2010-12-08 11:46:55 EST
I need to add 

term_use_console(smbcontrol_t)

to make this work.
Comment 13 Miroslav Grepl 2010-12-09 05:29:26 EST
Fixed in selinux-policy-2.4.6-300.el5.
Comment 15 Jaromir Hradilek 2011-01-05 11:25:47 EST
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
With SELinux running in the enforcing mode, the smbcontrol utility was unable to ping Samba services such as smbd, nmbd, or winbindd. This error no longer occurs, and smbcontrol now works as expected.
Comment 17 errata-xmlrpc 2011-01-13 16:51:03 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

Note You need to log in before you can comment on or make changes to this bug.