libreport version: 2.0.10
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.3.1-3.fc17.x86_64
time: 2012-04-10T08:48:41 CEST

description:
SELinux is preventing /usr/sbin/smbd from 'name_connect' accesses on the tcp_socket.

***** Plugin catchall_boolean (47.5 confidence) suggests *******************

If you want to allow users to login using a sssd server
Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.
Do
setsebool -P authlogin_nsswitch_use_ldap 1

***** Plugin catchall_boolean (47.5 confidence) suggests *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'allow_ypbind' boolean.
Do
setsebool -P allow_ypbind 1

***** Plugin catchall (6.38 confidence) suggests ***************************

If you believe that smbd should be allowed name_connect access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:ldap_port_t:s0
Target Objects                [ tcp_socket ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          389
Host                          (removed)
Source RPM Packages           samba-3.6.3-81.fc17.1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-110.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.3.1-3.fc17.x86_64 #1 SMP Wed Apr 4 18:13:49 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-04-10T08:48:21 CEST
Last Seen                     2012-04-10T08:48:21 CEST
Local ID                      5c428952-593b-4d58-b5b8-3e10cf12c0df

Raw Audit Messages
type=AVC msg=audit(1334040501.648:174): avc: denied { name_connect } for pid=10606 comm="smbd" dest=389 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1334040501.648:174): arch=x86_64 syscall=connect success=no exit=EACCES a0=16 a1=7f49c5fbffa0 a2=10 a3=7fffdf1e12e0 items=0 ppid=1 pid=10606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)

Hash: smbd,smbd_t,ldap_port_t,tcp_socket,name_connect

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
Basically the sealert tells you what to do. Why do you think this is a bug?
First of all, none of those options represent "what I want to do". I was trying to create a file share using smbd, not "login using a sssd server" or "allow system to run with NIS". But that's really not the point. The point is: when people install a samba server (something which I'm working on making work "out of the box" on RHEL), SELinux shouldn't require them to enter a command to unbreak their system. Is there a way we can make this work by default? So that the smbd process has the SELinux permissions it needs to do what it's supposed to do. Obviously if I'm completely missing the point, then let me know. But if this message comes up by default when a system administrator installs samba, then the SELinux policy is broken :S
This avc shows smbd attempting to connect to an ldap port. Does the default samba configuration require that samba use ldap?
We want apps to use sssd if they are using ldap for user management. If they use pam_ldap then we need to turn this on.
This doesn't have to do with pam_ldap. I joined an Active Directory domain. In RHEL 7, a big goal is to have RHEL + Active Directory work out of the box by default. I'm working on this now. Having samba work with Active Directory out of the box by default is a goal. Active Directory is kerberos and ldap based so I would assume smbd needs to connect to those services. Do you need me to research on what exactly samba is connecting to?
Nope, an explanation like this allows us to write better policy.
Now we allow smbd_t, winbind_t and smbmount_t to connect to ldap, but we do not allow nmbd_t, samba_net_t, smbcontrol_t or swat_t. Should all of these be allowed?
samba_net_t for sure, I think we can try to leave the other ones off for now.
Ok, I added it also for samba_net_t.
selinux-policy-3.10.0-114.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-114.fc17
Package selinux-policy-3.10.0-114.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-114.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-5870/selinux-policy-3.10.0-114.fc17
then log in and leave karma (feedback).
Thanks guys.
selinux-policy-3.10.0-114.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.