Bug 649492 - smbcontrol cannot ping samba services like smbd, nmbd, winbindd
Summary: smbcontrol cannot ping samba services like smbd, nmbd, winbindd
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-03 20:05 UTC by Milos Malik
Modified: 2012-09-26 14:00 UTC (History)
3 users (show)

(edit)
With SELinux running in the enforcing mode, the smbcontrol utility was unable to ping Samba services such as smbd, nmbd, or winbindd. This error no longer occurs, and smbcontrol now works as expected.
Clone Of:
(edit)
Last Closed: 2011-01-13 21:51:03 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 16:11:15 UTC

Description Milos Malik 2010-11-03 20:05:52 UTC
Description of problem:


Version-Release number of selected component (if applicable):
samba-3.0.33-3.29.el5_5.1
samba-client-3.0.33-3.29.el5_5.1
samba-common-3.0.33-3.29.el5_5.1
selinux-policy-2.4.6-289.el5
selinux-policy-devel-2.4.6-289.el5
selinux-policy-minimum-2.4.6-289.el5
selinux-policy-mls-2.4.6-289.el5
selinux-policy-strict-2.4.6-289.el5
selinux-policy-targeted-2.4.6-289.el5

How reproducible:
always

Steps to Reproduce:
# service smb start
Starting SMB services: [  OK  ]
Starting NMB services: [  OK  ]
# service winbind start
Starting Winbind services: [  OK  ]
# smbcontrol smbd ping
No replies received
# smbcontrol nmbd ping
No replies received
# smbcontrol winbind ping
No replies received
# ausearch -m avc -ts recent
----
time->Wed Nov  3 16:00:30 2010
type=SYSCALL msg=audit(1288814430.227:85): arch=40000003 syscall=37 success=no exit=-13 a0=1e49 a1=a a2=80ba68 a3=0 items=0 ppid=7734 pid=7739 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1288814430.227:85): avc:  denied  { signal } for  pid=7739 comm="smbd" scontext=root:system_r:smbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----
time->Wed Nov  3 16:00:45 2010
type=SYSCALL msg=audit(1288814445.670:87): arch=40000003 syscall=37 success=no exit=-13 a0=1e4a a1=a a2=c2cfc8 a3=0 items=0 ppid=1 pid=7737 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="nmbd" exe="/usr/sbin/nmbd" subj=root:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1288814445.670:87): avc:  denied  { signal } for  pid=7737 comm="nmbd" scontext=root:system_r:nmbd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----
time->Wed Nov  3 16:01:02 2010
type=SYSCALL msg=audit(1288814462.858:94): arch=40000003 syscall=37 success=no exit=-13 a0=1e4e a1=a a2=79d2c8 a3=0 items=0 ppid=1 pid=7750 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="winbindd" exe="/usr/sbin/winbindd" subj=root:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1288814462.858:94): avc:  denied  { signal } for  pid=7750 comm="winbindd" scontext=root:system_r:winbind_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----
  
Actual results:
AVCs appeared

Expected results:
no AVCs appeared

Comment 1 Miroslav Grepl 2010-11-04 10:48:34 UTC
The problem is there is no transition from unconfined_t to smbcontrol_t domain in RHEL5.

Could you try to execute

# chcon -t smbcontrol_exec_t /usr/bin/smbcontrol

Then should work. But this change would need more testing for smbcontrol.

Comment 2 Miroslav Grepl 2010-11-08 16:04:15 UTC
Fixed in selinux-policy-2.4.6-290.el5.noarch.

Comment 7 Miroslav Grepl 2010-11-10 11:56:22 UTC
Fixed in selinux-policy-2.4.6-292.el5

Comment 12 Miroslav Grepl 2010-12-08 16:46:55 UTC
I need to add 

term_use_console(smbcontrol_t)

to make this work.

Comment 13 Miroslav Grepl 2010-12-09 10:29:26 UTC
Fixed in selinux-policy-2.4.6-300.el5.

Comment 15 Jaromir Hradilek 2011-01-05 16:25:47 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
With SELinux running in the enforcing mode, the smbcontrol utility was unable to ping Samba services such as smbd, nmbd, or winbindd. This error no longer occurs, and smbcontrol now works as expected.

Comment 17 errata-xmlrpc 2011-01-13 21:51:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html


Note You need to log in before you can comment on or make changes to this bug.