+++ This bug was initially created as a clone of Bug #719738 +++

I found another command that doesn't work when selinux is enabled with clustering on in samba. smbcontrol needs access to ctdb.socket.

type=AVC msg=audit(1317220776.455:50562): avc: denied { write } for pid=11780 comm="smbcontrol" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file

--- Additional comment from dwalsh on 2011-09-28 11:33:42 EDT ---

That is a different bug. Miroslav, let's add

optional_policy(`
    ctdbd_stream_connect(smbcontrol_t)
')

I think the rest of the bug reported here is fixed in the latest RHEL6 policy?
Looking through audit.log shows that winbindd probably needs the same policy change.

type=AVC msg=audit(1317076246.144:48811): avc: denied { write } for pid=5425 comm="winbindd" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
Do you know if these actual programs need to talk to this socket? Or could this be a leak? Can you attach the full output of ausearch -m avc?
Created attachment 525391 [details] ausearch output from dash-01 Yeah, I'm pretty sure they do. I was trying to reload the samba config with smbcontrol and CTDB also manages winbindd when asked to.
Ok, I will add it. For other AVC msgs, AFAIK we discussed it in https://bugzilla.redhat.com/show_bug.cgi?id=719738 and you need to run all needed steps in this bug and also please test it with the latest policy. Thanks.
Both nmbd and winbindd need a change in policy:

# ausearch -m avc -m user_avc -ts today -i
----
type=PATH msg=audit(09/29/2011 10:04:31.134:152) : item=0 name=(null) inode=18340 dev=fd:00 mode=socket,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ctdbd_tmp_t:s0
type=SOCKADDR msg=audit(09/29/2011 10:04:31.134:152) : saddr=local /tmp/ctdb.socket
type=SOCKETCALL msg=audit(09/29/2011 10:04:31.134:152) : nargs=3 a0=7 a1=bfd1a98e a2=6e
type=SYSCALL msg=audit(09/29/2011 10:04:31.134:152) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd1a900 a2=c64ff4 a3=16cdd68 items=1 ppid=14549 pid=14550 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=winbindd exe=/usr/sbin/winbindd subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(09/29/2011 10:04:31.134:152) : avc: denied { write } for pid=14550 comm=winbindd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
----
type=PATH msg=audit(09/29/2011 10:05:56.610:153) : item=0 name=(null) inode=18340 dev=fd:00 mode=socket,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ctdbd_tmp_t:s0
type=SOCKADDR msg=audit(09/29/2011 10:05:56.610:153) : saddr=local /tmp/ctdb.socket
type=SOCKETCALL msg=audit(09/29/2011 10:05:56.610:153) : nargs=3 a0=7 a1=bfd4777e a2=6e
type=SYSCALL msg=audit(09/29/2011 10:05:56.610:153) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd476f0 a2=100cff4 a3=196cd80 items=1 ppid=14913 pid=14914 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=nmbd exe=/usr/sbin/nmbd subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(09/29/2011 10:05:56.610:153) : avc: denied { write } for pid=14914 comm=nmbd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
#
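The comments above reduce each denial by hand to "which Samba domain is writing to ctdb's socket file" and then reach for the ctdbd_stream_connect() interface that dwalsh named. The shell script below is an added example, not part of this bug or of the selinux-policy package: it performs that reduction over a constructed sample (AVC_SAMPLE, built from the records quoted in this bug, with one repeated line to show deduplication) and emits the interface call per source domain; the function names are mine.

```sh
# Added example, not from the bug thread: reduce raw AVC records to the
# (source type, target type, class, permission) tuples a policy fix must
# cover, then map the ctdb socket case to the refpolicy interface named in
# the thread. AVC_SAMPLE is constructed from the denials quoted above.
AVC_SAMPLE='type=AVC msg=audit(1317220776.455:50562): avc: denied { write } for pid=11780 comm="smbcontrol" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1317076246.144:48811): avc: denied { write } for pid=5425 comm="winbindd" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(09/29/2011 10:05:56.610:153) : avc: denied { write } for pid=14914 comm=nmbd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1317076246.144:48811): avc: denied { write } for pid=5425 comm="winbindd" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file'

# One line per distinct denial: "<src_type> <tgt_type> <class> <perms>".
# Handles both raw (ausearch) and interpreted (ausearch -i) AVC records.
summarize_avcs() {
    printf '%s\n' "$1" | awk '
        /avc: +denied/ {
            perms = ""; src = ""; tgt = ""; cls = ""
            if (match($0, /\{[^}]*\}/))
                perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                # the type is the third component of user:role:type:level
                if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
                if (kv[1] == "tclass") cls = kv[2]
            }
            if (src != "" && tgt != "" && cls != "") print src, tgt, cls, perms
        }' | sort -u
}

# Writing to ctdb's socket file is what ctdbd_stream_connect() grants, so
# emit that interface call per source domain; anything else is flagged for
# a human to look up rather than turned into a bare allow rule.
suggest_interfaces() {
    summarize_avcs "$1" | awk '
        $2 == "ctdbd_tmp_t" && $3 == "sock_file" {
            printf "ctdbd_stream_connect(%s)\n", $1; next
        }
        { printf "# unmapped denial: %s\n", $0 }'
}

summarize_avcs "$AVC_SAMPLE"
suggest_interfaces "$AVC_SAMPLE"
```

On a live system, feed it the output of ausearch -m avc instead of AVC_SAMPLE; the interface calls belong inside an optional_policy block of a local .te module as in dwalsh's comment.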
Makes sense.
Created attachment 525494 [details] AVCs seen when running the automated test in permissive mode
I am fixing them.
Fixed in selinux-policy-3.7.19-114.el6
Ok, I found a typo in the samba policy file.
Fixed in selinux-policy-3.7.19-116.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html