828619 – SELinux is preventing /usr/sbin/winbindd from 'write' accesses on the directory samba.

Bug 828619 - SELinux is preventing /usr/sbin/winbindd from 'write' accesses on the directory samba.

Summary: SELinux is preventing /usr/sbin/winbindd from 'write' accesses on the directo...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	17
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:81950798bf69a573cf2efb94bf2...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-06-05 02:51 UTC by Robert Foster
Modified:	2012-06-17 00:02 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-06-17 00:02:18 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Robert Foster 2012-06-05 02:51:28 UTC

libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.7-1.fc17.x86_64
time:           Tue 05 Jun 2012 12:47:12 PM EST

description:
:SELinux is preventing /usr/sbin/winbindd from 'write' accesses on the directory samba.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that winbindd should be allowed write access on the samba directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep winbindd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:winbind_t:s0
:Target Context                system_u:object_r:smbd_var_run_t:s0
:Target Objects                samba [ dir ]
:Source                        winbindd
:Source Path                   /usr/sbin/winbindd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           samba4-winbind-4.0.0-47alpha18.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              3.3.7-1.fc17.x86_64 #1 SMP Mon May 21 22:32:19 UTC
:                              2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Tue 05 Jun 2012 10:40:33 PM EST
:Last Seen                     Tue 05 Jun 2012 10:40:33 PM EST
:Local ID                      b4fb1a60-24a5-443b-85fc-6e7102604a0f
:
:Raw Audit Messages
:type=AVC msg=audit(1338900033.935:35): avc:  denied  { write } for  pid=806 comm="winbindd" name="samba" dev="tmpfs" ino=11212 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1338900033.935:35): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7f198b5d49b7 a1=1ed a2=ffffffffffffff60 a3=7fff7c914890 items=0 ppid=1 pid=806 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=winbindd exe=/usr/sbin/winbindd subj=system_u:system_r:winbind_t:s0 key=(null)
:
:Hash: winbindd,winbind_t,smbd_var_run_t,dir,write
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Canyon Bliss 2012-06-06 20:45:52 UTC

I'm seeing this as well.

Comment 2 Daniel Walsh 2012-06-07 15:44:18 UTC

Simo did winbind move its windbind directory into /var/run/samba?

Comment 3 Daniel Walsh 2012-06-07 15:49:29 UTC

Any ways I am adding rules to allow windbind to create its content in a directory labels smbd_var_run_t.

Fixed in selinux-policy-3.10.0-129.fc17

Comment 4 Alexander Bokovoy 2012-06-07 17:09:18 UTC

That's right. There is Samba ccache in /var/run/samba now and Windbindd shares it with smbd.

Comment 5 Daniel Walsh 2012-06-07 18:58:59 UTC

Is this a file?

Comment 6 Alexander Bokovoy 2012-06-07 19:10:50 UTC

There are actually several things.

This report is about samba4 4.0.0alpha18. Since build 48 we moved samba's piddir to /run/samba. As this information is shared across all daemons in samba suite, winbindd uses it as well.

Below is the list of directories, they are used by smbd, nmbd, and winbindd.
$ strings /usr/lib64/libsamba-util.so|grep run
/run
/run/samba/ncalrpc
/run/samba/nmbd
/run/samba/winbindd
/run/samba/ntp_signd

We don't use ntp_signd in our build of samba4, this is for AD DC functionality. /run/samba/ncalrpc is used by smbd in end point mapper mode, as discussed before.

So /run/samba/winbindd is the directory winbindd tries to create in the report above.

In addition to that, since 4.0.0beta1 we are putting samba suite's kerberos ccache to /run/samba/krb5cc_samba. This is reused by smbd and winbindd, thus they both will need to have access there.

Comment 7 Daniel Walsh 2012-06-07 19:20:16 UTC

Can all of them create it or just smbd and windbind and nmbd read it?

Comment 8 Alexander Bokovoy 2012-06-07 19:23:10 UTC

all smbd, nmbd, and winbindd will try to create their own directories if they are missing. The same code is used for that logic.

Comment 9 Daniel Walsh 2012-06-07 21:10:22 UTC

That I am allowing, but I was question who creates /run/samba/krb5cc_samba and who needs to read it.

Comment 10 Alexander Bokovoy 2012-06-08 04:41:38 UTC

/run/samba/krb5cc_samba is created by smbd and winbindd when they use Kerberos ccache-related operations as this is their default ccache (enforced through systemd units configuration). nmbd does not use it.

Comment 11 Daniel Walsh 2012-06-08 10:46:51 UTC

Ok I believe all of the fixes are in.

Fixed in selinux-policy-3.10.0-129.fc17

Comment 12 Sumit Bose 2012-06-11 10:03:52 UTC

Thank you. winbind is working well in my tests with selinux-policy-3.10.0-129.fc17 and SELinux in enforcing mode.

Comment 13 Fedora Update System 2012-06-11 20:59:43 UTC

selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17

Comment 14 Fedora Update System 2012-06-15 23:57:22 UTC

Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2012-06-17 00:02:18 UTC

selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.