Bug 679555 - SELinux is preventing /usr/sbin/winbindd from 'read' accesses on the file unix.
Summary: SELinux is preventing /usr/sbin/winbindd from 'read' accesses on the file unix.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:76286e61cb1...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-02-22 20:44 UTC by antonio montagnani
Modified: 2011-03-22 18:52 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.9.7-37.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-22 18:52:10 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description antonio montagnani 2011-02-22 20:44:15 UTC 
SELinux is preventing /usr/sbin/winbindd from 'read' accesses on the file unix.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that winbindd should be allowed read access on the unix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep winbindd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:winbind_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                unix [ file ]
Source                        winbindd
Source Path                   /usr/sbin/winbindd
Port                          <Sconosciuto>
Host                          (removed)
Source RPM Packages           samba-winbind-3.5.6-71.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.i686.PAE #1 SMP Mon
                              Feb 7 06:57:55 UTC 2011 i686 i686
Alert Count                   1
First Seen                    mar 22 feb 2011 21:39:08 CET
Last Seen                     mar 22 feb 2011 21:39:08 CET
Local ID                      ee600073-61a2-4804-a4bd-7c1f09ff42c5

Raw Audit Messages
type=AVC msg=audit(1298407148.436:12): avc:  denied  { read } for  pid=1507 comm="winbindd" name="unix" dev=proc ino=4026531991 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


type=SYSCALL msg=audit(1298407148.436:12): arch=i386 syscall=access success=no exit=EACCES a0=bfb06bcf a1=4 a2=454ff4 a3=ffffffac items=0 ppid=1506 pid=1507 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=winbindd exe=/usr/sbin/winbindd subj=system_u:system_r:winbind_t:s0 key=(null)

Hash: winbindd,winbind_t,proc_net_t,file,read

audit2allow

#============= winbind_t ==============
allow winbind_t proc_net_t:file read;

audit2allow -R

#============= winbind_t ==============
allow winbind_t proc_net_t:file read;
Comment 1 Miroslav Grepl 2011-02-23 08:23:28 UTC 
You can allow it for now using

# grep winbindd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 2 Miroslav Grepl 2011-02-25 11:37:12 UTC 
Fixed in selinux-policy-3.9.7-32.fc14
Comment 3 Fedora Update System 2011-03-18 15:07:08 UTC 
selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14
Comment 4 Fedora Update System 2011-03-21 08:45:08 UTC 
selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14
Comment 5 Fedora Update System 2011-03-22 18:50:43 UTC 
selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.