libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.3.7-1.fc17.x86_64 time: Tue 05 Jun 2012 12:47:12 PM EST description: :SELinux is preventing /usr/sbin/winbindd from 'write' accesses on the directory samba. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that winbindd should be allowed write access on the samba directory by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep winbindd /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:winbind_t:s0 :Target Context system_u:object_r:smbd_var_run_t:s0 :Target Objects samba [ dir ] :Source winbindd :Source Path /usr/sbin/winbindd :Port <Unknown> :Host (removed) :Source RPM Packages samba4-winbind-4.0.0-47alpha18.fc17.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-128.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) : 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21 22:32:19 UTC : 2012 x86_64 x86_64 :Alert Count 1 :First Seen Tue 05 Jun 2012 10:40:33 PM EST :Last Seen Tue 05 Jun 2012 10:40:33 PM EST :Local ID b4fb1a60-24a5-443b-85fc-6e7102604a0f : :Raw Audit Messages :type=AVC msg=audit(1338900033.935:35): avc: denied { write } for pid=806 comm="winbindd" name="samba" dev="tmpfs" ino=11212 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir : : :type=SYSCALL msg=audit(1338900033.935:35): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7f198b5d49b7 a1=1ed a2=ffffffffffffff60 a3=7fff7c914890 items=0 ppid=1 pid=806 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=winbindd exe=/usr/sbin/winbindd subj=system_u:system_r:winbind_t:s0 key=(null) : :Hash: winbindd,winbind_t,smbd_var_run_t,dir,write : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :
I'm seeing this as well.
Simo did winbind move its windbind directory into /var/run/samba?
Any ways I am adding rules to allow windbind to create its content in a directory labels smbd_var_run_t. Fixed in selinux-policy-3.10.0-129.fc17
That's right. There is Samba ccache in /var/run/samba now and Windbindd shares it with smbd.
Is this a file?
There are actually several things. This report is about samba4 4.0.0alpha18. Since build 48 we moved samba's piddir to /run/samba. As this information is shared across all daemons in samba suite, winbindd uses it as well. Below is the list of directories, they are used by smbd, nmbd, and winbindd. $ strings /usr/lib64/libsamba-util.so|grep run /run /run/samba/ncalrpc /run/samba/nmbd /run/samba/winbindd /run/samba/ntp_signd We don't use ntp_signd in our build of samba4, this is for AD DC functionality. /run/samba/ncalrpc is used by smbd in end point mapper mode, as discussed before. So /run/samba/winbindd is the directory winbindd tries to create in the report above. In addition to that, since 4.0.0beta1 we are putting samba suite's kerberos ccache to /run/samba/krb5cc_samba. This is reused by smbd and winbindd, thus they both will need to have access there.
Can all of them create it or just smbd and windbind and nmbd read it?
all smbd, nmbd, and winbindd will try to create their own directories if they are missing. The same code is used for that logic.
That I am allowing, but I was question who creates /run/samba/krb5cc_samba and who needs to read it.
/run/samba/krb5cc_samba is created by smbd and winbindd when they use Kerberos ccache-related operations as this is their default ccache (enforced through systemd units configuration). nmbd does not use it.
Ok I believe all of the fixes are in. Fixed in selinux-policy-3.10.0-129.fc17
Thank you. winbind is working well in my tests with selinux-policy-3.10.0-129.fc17 and SELinux in enforcing mode.
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17
Package selinux-policy-3.10.0-130.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17 then log in and leave karma (feedback).
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.