Description of problem:
When samba's WINS server is integrated to NSS then programs resolving a NetBIOS name try to access /var/cache/samba/unexpected.tdb and selinux denies it:

time->Sun Dec 12 20:16:16 2010
type=SYSCALL msg=audit(1292202976.590:472): arch=80000016 syscall=5 success=no exit=-13 a0=200002fe6d0 a1=0 a2=0 a3=2aaaab279b0 items=0 ppid=2585 pid=3014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1292202976.590:472): avc: denied { read } for pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
----
time->Sun Dec 12 20:16:16 2010
type=SYSCALL msg=audit(1292202976.680:473): arch=80000016 syscall=5 success=no exit=-13 a0=200002fe6d0 a1=0 a2=0 a3=2aaaab28e10 items=0 ppid=2585 pid=3014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1292202976.680:473): avc: denied { read } for pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
----
time->Sun Dec 12 20:16:16 2010
type=SYSCALL msg=audit(1292202976.770:474): arch=80000016 syscall=5 success=no exit=-13 a0=200002fe6d0 a1=0 a2=0 a3=2aaaab28e10 items=0 ppid=2585 pid=3014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1292202976.770:474): avc: denied { read } for pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
Fail: AVC messages found.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-299.el5

How reproducible:
always

Steps to Reproduce:
1. setup & start wins server
2. integrate wins server to NSS via nsswitch.conf
3. ping NetBIOS name

Actual results:
AVC (the name resolution succeeds)

Expected results:
no AVC
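
An added example, not part of the original report: a small triage script that joins each AVC record to the SYSCALL record with the same audit event id and collapses repeated denials into one entry per (source type, target type, class). The names `fields` and `summarize` are hypothetical; the sample holds two of the report's events with the SYSCALL records abridged.

```python
import re
from collections import defaultdict

# Two of the three audit events from the report (SYSCALL records abridged).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1292202976.590:472): arch=80000016 syscall=5 success=no exit=-13 pid=3014 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0
type=AVC msg=audit(1292202976.590:472): avc: denied { read } for pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
type=SYSCALL msg=audit(1292202976.680:473): arch=80000016 syscall=5 success=no exit=-13 pid=3014 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0
type=AVC msg=audit(1292202976.680:473): avc: denied { read } for pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(line):
    """key=value pairs of one audit record, with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def summarize(log_text):
    """Group AVC denials by (source type, target type, class).

    The SYSCALL record sharing the event id supplies the executable and the
    exit code the caller saw (-13 is EACCES).
    """
    lines = [l for l in log_text.splitlines() if EVENT_ID.search(l)]
    syscalls = {EVENT_ID.search(l).group(1): fields(l)
                for l in lines if l.startswith("type=SYSCALL")}
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "exes": set(),
                                  "exits": set(), "events": 0})
    for line in lines:
        avc = AVC.search(line)
        if not avc:
            continue
        perms, scontext, tcontext, tclass = avc.groups()
        # A context is user:role:type[:level]; policy rules are written on the type.
        key = (scontext.split(":")[2], tcontext.split(":")[2], tclass)
        sc = syscalls.get(EVENT_ID.search(line).group(1), {})
        g = groups[key]
        g["perms"].update(perms.split())
        g["names"].add(fields(line).get("name", "?"))
        g["exes"].add(sc.get("exe", "?"))
        g["exits"].add(sc.get("exit", "?"))
        g["events"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE_LOG).items():
        print(src, "->", f"{tgt}:{cls}", sorted(g["perms"]), g["events"], sorted(g["exes"]))
```
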
RHEL6 has

optional_policy(`
	samba_stream_connect_winbind($1)
	samba_read_var_files($1)
	samba_dontaudit_write_var_files($1)
')

in auth_use_nsswitch
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release.
Fixed in selinux-policy-2.4.6-301.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html