Bug 811103 - SELinux is preventing /usr/sbin/smbd from 'name_connect' accesses on the tcp_socket . Installed 'samba' package from redhat packages, and started via: # systemctl enable smb.service # systemctl start smb.service
Summary: SELinux is preventing /usr/sbin/smbd from 'name_connect' accesses on the tcp_...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:bd367607d709e62d81ce2156ed5...
Depends On:
Blocks:
 
Reported: 2012-04-10 06:49 UTC by Stef Walter
Modified: 2012-04-18 22:50 UTC (History)

Fixed In Version: selinux-policy-3.10.0-114.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-18 22:50:54 UTC
Type: ---
Embargoed:



Description Stef Walter 2012-04-10 06:49:28 UTC
libreport version: 2.0.10
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.1-3.fc17.x86_64
time:           2012-04-10T08:48:41 CEST

description:
:SELinux is preventing /usr/sbin/smbd from 'name_connect' accesses on the tcp_socket .
:
:*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************
:
:If you want to allow users to login using a sssd server
:Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.
:Do
:setsebool -P authlogin_nsswitch_use_ldap 1
:
:*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************
:
:If you want to allow system to run with NIS
:Then you must tell SELinux about this by enabling the 'allow_ypbind' boolean.
:Do
:setsebool -P allow_ypbind 1
:
:*****  Plugin catchall (6.38 confidence) suggests  ***************************
:
:If you believe that smbd should be allowed name_connect access on the  tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:smbd_t:s0
:Target Context                system_u:object_r:ldap_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        smbd
:Source Path                   /usr/sbin/smbd
:Port                          389
:Host                          (removed)
:Source RPM Packages           samba-3.6.3-81.fc17.1.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-110.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              3.3.1-3.fc17.x86_64 #1 SMP Wed Apr 4 18:13:49 UTC
:                              2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-04-10T08:48:21 CEST
:Last Seen                     2012-04-10T08:48:21 CEST
:Local ID                      5c428952-593b-4d58-b5b8-3e10cf12c0df
:
:Raw Audit Messages
:type=AVC msg=audit(1334040501.648:174): avc:  denied  { name_connect } for  pid=10606 comm="smbd" dest=389 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1334040501.648:174): arch=x86_64 syscall=connect success=no exit=EACCES a0=16 a1=7f49c5fbffa0 a2=10 a3=7fffdf1e12e0 items=0 ppid=1 pid=10606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
:
:Hash: smbd,smbd_t,ldap_port_t,tcp_socket,name_connect
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

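The denial in the description is easier to reason about once the two raw audit records are joined on their serial number (the `:174` in `audit(1334040501.648:174)`): the AVC record carries the source domain, target type, object class and permission, while the SYSCALL record shows whether the kernel actually refused the call (`success=no exit=EACCES` here, i.e. enforcing mode). The following parser is an added example, not code from the bug report or from setroubleshoot; the sample input is constructed from the two records quoted above, and the `allow_rule` output is the Type Enforcement rule audit2allow would derive from that denial.

```python
import re
from collections import defaultdict

# Constructed sample input: the two raw audit records quoted in the report
# above, joined as they would appear in /var/log/audit/audit.log.
RAW_AUDIT = (
    'type=AVC msg=audit(1334040501.648:174): avc:  denied  { name_connect } '
    'for  pid=10606 comm="smbd" dest=389 scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket\n'
    'type=SYSCALL msg=audit(1334040501.648:174): arch=x86_64 syscall=connect '
    'success=no exit=EACCES a0=16 a1=7f49c5fbffa0 a2=10 a3=7fffdf1e12e0 items=0 '
    'ppid=1 pid=10606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd '
    'subj=system_u:system_r:smbd_t:s0 key=(null)\n'
)

# Every audit record starts with type=... msg=audit(<seconds.millis>:<serial>):
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# AVC records carry the decision and the braced permission list.
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')
# Remaining fields are key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit line into a dict, or return None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m['type'], 'serial': m['serial'], 'timestamp': float(m['ts'])}
    body = m['body']
    if rec['type'] == 'AVC':
        avc = AVC_RE.search(body)
        if avc:
            rec['result'] = avc['result']
            rec['perms'] = avc['perms'].split()
    for key, value in KV_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def parse_audit_log(text):
    """Group all records of an audit log by serial, so AVC and SYSCALL lines of one event sit together."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec['serial']].append(rec)
    return events


def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]


def summarize_denials(events):
    """Join each AVC denial with the SYSCALL record that shares its serial."""
    summaries = []
    for serial, records in sorted(events.items()):
        avc = next((r for r in records if r['type'] == 'AVC' and r.get('result') == 'denied'), None)
        if avc is None:
            continue
        syscall = next((r for r in records if r['type'] == 'SYSCALL'), {})
        summaries.append({
            'serial': serial,
            'source_domain': context_type(avc['scontext']),
            'target_type': context_type(avc['tcontext']),
            'tclass': avc['tclass'],
            'perms': avc['perms'],
            'dest_port': avc.get('dest'),
            'comm': avc.get('comm'),
            'exe': syscall.get('exe'),
            'syscall': syscall.get('syscall'),
            # success=no on the paired SYSCALL record means the kernel really
            # refused the call (enforcing mode). In permissive mode the AVC is
            # still logged but the syscall succeeds, so this flag stays False.
            'enforced': syscall.get('success') == 'no',
        })
    return summaries


def allow_rule(summary):
    """The Type Enforcement rule audit2allow would derive from one denial summary."""
    perms = summary['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(
        summary['source_domain'], summary['target_type'], summary['tclass'], perm_text)


if __name__ == '__main__':
    for s in summarize_denials(parse_audit_log(RAW_AUDIT)):
        print('{comm} ({exe}) in {source_domain} was {mode} {perms} on {tclass} '
              'labelled {target_type} (dest port {dest_port}, syscall {syscall})'.format(
                  mode='refused' if s['enforced'] else 'flagged (permissive)', **s))
        print('  equivalent local rule:', allow_rule(s))
```

Run against a real log with `grep smbd /var/log/audit/audit.log | python3 this_script.py`-style plumbing by reading stdin instead of `RAW_AUDIT`; the point of the summary is that the target type (`ldap_port_t`) and not the port number is what policy reasons about, which is why comment 7's discussion is about which Samba domains may connect to `ldap_port_t`, not about port 389 as such.
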
Comment 1 Miroslav Grepl 2012-04-10 08:02:18 UTC
Basically the sealert tells you what to do. Why do you think this is a bug?

Comment 2 Stef Walter 2012-04-10 08:12:26 UTC
First of all none of those options represent "what I want to do". I was trying to create a file share using smbd, not "login using a sssd server" or "allow system to run with NIS".

But that's really not the point. The point is:

When people install a samba server (something which I'm working on making work "out of the box" on RHEL), SELinux shouldn't require them to enter a command to unbreak their system.

Is there a way we can make this work by default? So that the smbd process has the SELinux permissions it needs to do what it's supposed to do.

Obviously if I'm completely missing the point, then let me know. But if this message comes up by default when a system administrator installs samba, then the SELinux policy is broken :S

Comment 3 Daniel Walsh 2012-04-10 19:05:05 UTC
This avc shows smbd attempting to connect to an ldap port.  Does the default samba configuration require that samba use ldap?

Comment 4 Daniel Walsh 2012-04-10 19:05:57 UTC
We want apps to use sssd if they are using ldap for user management.  If they use pam_ldap then we need to turn this on.

Comment 5 Stef Walter 2012-04-10 19:16:14 UTC
This doesn't have to do with pam_ldap.

I joined an Active Directory domain. In RHEL 7, a big goal is to have RHEL + Active Directory work out of the box by default. I'm working on this now. Having samba work with Active Directory out of the box by default is a goal. Active Directory is kerberos and ldap based so I would assume smbd needs to connect to those services.

Do you need me to research on what exactly samba is connecting to?

Comment 6 Daniel Walsh 2012-04-10 19:56:18 UTC
Nope, an explanation like this allows us to write better policy.

Comment 7 Daniel Walsh 2012-04-10 20:00:24 UTC
Now we allow smbd_t and winbind_t, smbmount_t to connect to ldap, but we do not allow

 nmbd_t, samba_net_t, smbcontrol_t, swat_t

Should all of these be allowed?

Comment 8 Simo Sorce 2012-04-11 18:07:31 UTC
samba_net_t for sure, I think we can try to leave the other ones off for now.

Comment 9 Miroslav Grepl 2012-04-12 08:39:11 UTC
Ok, I added it also for samba_net_t.

Comment 10 Fedora Update System 2012-04-13 08:41:20 UTC
selinux-policy-3.10.0-114.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-114.fc17

Comment 11 Fedora Update System 2012-04-14 01:46:07 UTC
Package selinux-policy-3.10.0-114.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-114.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-5870/selinux-policy-3.10.0-114.fc17
then log in and leave karma (feedback).

Comment 12 Stef Walter 2012-04-16 05:33:22 UTC
Thanks guys.

Comment 13 Fedora Update System 2012-04-18 22:50:54 UTC
selinux-policy-3.10.0-114.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

