Bug 662677 - programs resolving a NetBIOS name can't access /var/cache/samba/unexpected.tdb
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.6
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Blocks: 640580
Reported: 2010-12-13 10:35 EST by Ales Zelinka
Modified: 2011-07-21 07:50 EDT
Fixed In Version: selinux-policy-2.4.6-301.el5
Doc Type: Bug Fix
Last Closed: 2011-07-21 05:21:26 EDT


Description Ales Zelinka 2010-12-13 10:35:02 EST
Description of problem:
When Samba's WINS server is integrated into NSS, programs resolving a NetBIOS name try to access /var/cache/samba/unexpected.tdb and SELinux denies it:

time->Sun Dec 12 20:16:16 2010
type=SYSCALL msg=audit(1292202976.590:472): arch=80000016 syscall=5 success=no exit=-13 a0=200002fe6d0 a1=0 a2=0 a3=2aaaab279b0 items=0 ppid=2585 pid=3014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1292202976.590:472): avc:  denied  { read } for  pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
----
time->Sun Dec 12 20:16:16 2010
type=SYSCALL msg=audit(1292202976.680:473): arch=80000016 syscall=5 success=no exit=-13 a0=200002fe6d0 a1=0 a2=0 a3=2aaaab28e10 items=0 ppid=2585 pid=3014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1292202976.680:473): avc:  denied  { read } for  pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
----
time->Sun Dec 12 20:16:16 2010
type=SYSCALL msg=audit(1292202976.770:474): arch=80000016 syscall=5 success=no exit=-13 a0=200002fe6d0 a1=0 a2=0 a3=2aaaab28e10 items=0 ppid=2585 pid=3014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)
type=AVC msg=audit(1292202976.770:474): avc:  denied  { read } for  pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
Fail: AVC messages found.


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-299.el5

How reproducible:
always

Steps to Reproduce:
1. set up & start WINS server
2. integrate WINS server into NSS via nsswitch.conf
3. ping NetBIOS name
  
Actual results:
AVC (the name resolution succeeds)

Expected results:
no AVC
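
A triage sketch for the denials above, as an added example that is not part of the original report: it parses the AVC records, groups them by source type, target type and object class, and renders the allow rule each group implies so it can be reviewed against policy. The function names are hypothetical, and the third sample record is constructed rather than taken from the report.

```python
import re
from collections import defaultdict

# Records 1-2 are copied from the report; record 3 is constructed (not from the
# report) to show how permissions on the same type pair are merged.
SAMPLE = """\
type=AVC msg=audit(1292202976.590:472): avc:  denied  { read } for  pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1292202976.680:473): avc:  denied  { read } for  pid=3014 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1292203000.000:480): avc:  denied  { getattr lock } for  pid=3020 comm="ping" name="unexpected.tdb" dev=dm-0 ino=3933594 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record: not enough fields to name a rule
    rec["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; policy rules match on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "names": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
            g["perms"].update(rec["perms"])
            g["count"] += 1
            g["names"].add(rec.get("name", "?"))
    return dict(groups)

def implied_rules(groups):
    """Render the allow rule each group implies, for review rather than loading."""
    out = []
    for (s, t, c), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {s} {t}:{c} {p};")
    return out

print("\n".join(implied_rules(summarize(SAMPLE))))
```

Run on the report's own records alone, the output collapses to a single `allow ping_t samba_var_t:file read;`, which makes clear that the repeated denials are one policy gap rather than several.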
Comment 1 Daniel Walsh 2010-12-13 10:44:44 EST
RHEL6 has


	optional_policy(`
		samba_stream_connect_winbind($1)
		samba_read_var_files($1)
		samba_dontaudit_write_var_files($1)
	')

In auth_use_nsswitch
Comment 2 RHEL Product and Program Management 2011-01-11 15:23:51 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 3 RHEL Product and Program Management 2011-01-12 10:09:09 EST
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.
Comment 5 Miroslav Grepl 2011-03-01 12:12:10 EST
Fixed in selinux-policy-2.4.6-301.el5
Comment 8 errata-xmlrpc 2011-07-21 05:21:26 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 9 errata-xmlrpc 2011-07-21 07:50:02 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
