Bug 800237 - SELinux is preventing /usr/sbin/smbd from 'name_connect' accesses on the None .
SELinux is preventing /usr/sbin/smbd from 'name_connect' accesses on the None .
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
16
i686 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:096d34ffdf376680d2550be73f1...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-06 00:02 EST by s.pierce.davis
Modified: 2012-03-06 13:37 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-06 01:54:39 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description s.pierce.davis 2012-03-06 00:02:35 EST
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.7-1.fc16.i686
reason:         SELinux is preventing /usr/sbin/smbd from 'name_connect' accesses on the None .
time:           Mon 05 Mar 2012 09:00:14 PM PST

description:
:SELinux is preventing /usr/sbin/smbd from 'name_connect' accesses on the None .
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that smbd should be allowed name_connect access on the  <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:smbd_t:s0
:Target Context                system_u:object_r:ldap_port_t:s0
:Target Objects                 [ None ]
:Source                        smbd
:Source Path                   /usr/sbin/smbd
:Port                          389
:Host                          (removed)
:Source RPM Packages           samba-3.6.3-78.fc16.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.7-1.fc16.i686 #1 SMP Tue Feb 21
:                              01:38:57 UTC 2012 i686 i686
:Alert Count                   876
:First Seen                    Wed 22 Feb 2012 06:29:40 PM PST
:Last Seen                     Mon 05 Mar 2012 09:00:11 PM PST
:Local ID                      fbc76027-8895-482e-904d-573457efd75d
:
:Raw Audit Messages
:type=AVC msg=audit(1331010011.114:533): avc:  denied  { name_connect } for  pid=1052 comm="smbd" dest=389 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socketnode=(removed) type=SYSCALL msg=audit(1331010011.114:533): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf9be1f0 a2=199ff4 a3=21710c68 items=0 ppid=1 pid=1052 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
:
:
:Hash: smbd,smbd_t,ldap_port_t,None,name_connect
:
:audit2allow
:
:
:audit2allow -R
:
:
Comment 1 Miroslav Grepl 2012-03-06 01:54:39 EST
SELinux is preventing smbd from name_connect access on the tcp_socket .

*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************

If you want to allow users to login using a sssd server
Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap'boolean.
Do
setsebool -P authlogin_nsswitch_use_ldap 1

*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'allow_ypbind'boolean.
Do
setsebool -P allow_ypbind 1
Comment 2 Daniel Walsh 2012-03-06 13:37:43 EST
s.pierce.davis are you using ldap for a backend service for user passwd data?  Or is smbd using this in some other way?

Note You need to log in before you can comment on or make changes to this bug.