Bug 841885 - SELinux is preventing winbind from writing to nmb /var/run file
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
Reported: 2012-07-20 09:41 EDT by Michael Cronenworth
Modified: 2012-08-27 18:57 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-08-27 18:57:46 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Michael Cronenworth 2012-07-20 09:41:09 EDT
Description of problem:
$ sudo sealert -l 95ccd54f-1262-4147-a662-b97e4c43c94d
SELinux is preventing /usr/sbin/winbindd from write access on the sock_file unexpected.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that winbindd should be allowed write access on the unexpected sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep winbindd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:winbind_t:s0
Target Context                system_u:object_r:nmbd_var_run_t:s0
Target Objects                unexpected [ sock_file ]
Source                        winbindd
Source Path                   /usr/sbin/winbindd
Port                          <Unknown>
Host                          miracle.foo.com
Source RPM Packages           samba-winbind-3.6.6-88.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-89.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     miracle.foo.com
Platform                      Linux miracle.foo.com 3.4.2-1.fc16.x86_64 #1 SMP
                              Thu Jun 14 20:17:26 UTC 2012 x86_64 x86_64
Alert Count                   185
First Seen                    Thu 19 Jul 2012 05:20:07 PM CDT
Last Seen                     Fri 20 Jul 2012 08:31:15 AM CDT
Local ID                      95ccd54f-1262-4147-a662-b97e4c43c94d

Raw Audit Messages
type=AVC msg=audit(1342791075.761:2704): avc:  denied  { write } for  pid=20442 comm="winbindd" name="unexpected" dev="tmpfs" ino=23991 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:nmbd_var_run_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1342791075.761:2704): arch=x86_64 syscall=connect success=no exit=EACCES a0=20 a1=7f8c3a32b7a8 a2=6e a3=2f64626d6e2f6e75 items=0 ppid=2080 pid=20442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=winbindd exe=/usr/sbin/winbindd subj=system_u:system_r:winbind_t:s0 key=(null)

Hash: winbindd,winbind_t,nmbd_var_run_t,sock_file,write


#============= winbind_t ==============
allow winbind_t nmbd_var_run_t:sock_file write;

audit2allow -R

#============= winbind_t ==============
allow winbind_t nmbd_var_run_t:sock_file write;

Version-Release number of selected component (if applicable):

How reproducible:
I do not know the operation that winbind is attempting but it occurs every couple of minutes according to the syslog denial message time stamps.

Actual results:
Syslog denial message, but no known problem stems from this. Domain access seems to be functioning.

Expected results:
No syslog message.

Additional info:
$ ll -Z /var/run/nmbd*
-rw-r--r--. root root system_u:object_r:nmbd_var_run_t:s0 /var/run/nmbd.pid

srwxrwxrwx. root root system_u:object_r:nmbd_var_run_t:s0 unexpected
$ ll -Zd /var/run/nmbd
drwxr-xr-x. root root system_u:object_r:nmbd_var_run_t:s0 /var/run/nmbd

This box was moved yesterday from being a domain controller to a domain member and winbind was first installed at that time.
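Added example (not part of the bug report or of the selinux-policy package): the SYSCALL record that shares audit serial 2704 with the AVC above says syscall=connect, so the "write" on the sock_file is winbindd connect()ing to the unix socket /var/run/nmbd/unexpected, which is labeled nmbd_var_run_t; SELinux checks the write permission on the socket file for such a connect. The script below reproduces what the suggested `audit2allow -M mypol` pipeline does, but offline and readably: it parses raw audit.log lines, pairs each AVC with its SYSCALL record by serial so the denied operation is visible, merges repeated denials, and renders the .te module. The sample input embeds the two records from this report plus a second, constructed pair with a later serial to show the merge; module name "mypol" follows the sealert suggestion. One caveat the sealert text glosses over: `grep winbindd audit.log` will sweep in every other winbindd denial on the box, so read the generated rules before `semodule -i`, and treat the local module as a stopgap until the fixed selinux-policy build lands.

```python
"""Reconstruct what 'audit2allow -M mypol' does with the AVC records in this
report: parse raw audit.log lines, pair each AVC with the SYSCALL record that
shares its audit serial (so we see *which* operation was denied), merge
repeated denials, and emit a minimal .te module scoped to exactly the
(source type, target type, class, permissions) tuples observed.
"""
import re
from collections import defaultdict

# Constructed sample: the first AVC/SYSCALL pair is the one quoted in the bug
# report; the second pair is made up (later serial, identical denial) to show
# how repeated denials collapse into one allow rule.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1342791075.761:2704): avc:  denied  { write } for  pid=20442 comm="winbindd" name="unexpected" dev="tmpfs" ino=23991 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:nmbd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1342791075.761:2704): arch=x86_64 syscall=connect success=no exit=EACCES a0=20 a1=7f8c3a32b7a8 a2=6e a3=2f64626d6e2f6e75 items=0 ppid=2080 pid=20442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=winbindd exe=/usr/sbin/winbindd subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1342791195.312:2711): avc:  denied  { write } for  pid=20442 comm="winbindd" name="unexpected" dev="tmpfs" ino=23991 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:nmbd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1342791195.312:2711): arch=x86_64 syscall=connect success=no exit=EACCES a0=20 a1=7f8c3a32b7a8 a2=6e a3=2f64626d6e2f6e75 items=0 ppid=2080 pid=20442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=winbindd exe=/usr/sbin/winbindd subj=system_u:system_r:winbind_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _kv(rest):
    """Turn 'pid=1 comm="x" ...' into a dict, stripping the quotes audit adds."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def selinux_type(context):
    """system_u:system_r:winbind_t:s0 -> winbind_t (the type field of a context)."""
    return context.split(":")[2]


def parse_audit(text):
    """One dict per AVC denial, with the same-serial SYSCALL record folded in."""
    denials, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            f = _kv(m.group("rest"))
            denials.append({
                "serial": m.group("serial"),
                "perms": set(m.group("perms").split()),
                "stype": selinux_type(f["scontext"]),
                "ttype": selinux_type(f["tcontext"]),
                "tclass": f["tclass"],
                "comm": f.get("comm"),
                "name": f.get("name"),
            })
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group("serial")] = _kv(m.group("rest"))
    for d in denials:
        sc = syscalls.get(d["serial"], {})
        d["syscall"] = sc.get("syscall")   # e.g. "connect": the denied operation
        d["exe"] = sc.get("exe")
    return denials


def _permset(perms):
    """Render permissions the way policy syntax wants them: 'write' or '{ read write }'."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(denials):
    """Merge denials into audit2allow-style allow lines, one per (stype, ttype, tclass)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {_permset(p)};" for (s, t, c), p in sorted(merged.items())]


def policy_module(name, denials):
    """Render the .te text equivalent to what 'audit2allow -M <name>' writes."""
    types = sorted({d["stype"] for d in denials} | {d["ttype"] for d in denials})
    classes = defaultdict(set)
    for d in denials:
        classes[d["tclass"]] |= d["perms"]
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_permset(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    by_src = defaultdict(list)
    for rule in allow_rules(denials):
        by_src[rule.split()[1]].append(rule)
    for s in sorted(by_src):
        lines.append(f"#============= {s} ==============")
        lines += by_src[s]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ds = parse_audit(SAMPLE_AUDIT_LOG)
    for d in ds:
        print(f"serial {d['serial']}: {d['comm']} ({d['stype']}) denied {_permset(d['perms'])} "
              f"on {d['tclass']} '{d['name']}' ({d['ttype']}) during syscall={d['syscall']}")
    print(policy_module("mypol", ds))
```

Feeding it the real file (`sudo cat /var/log/audit/audit.log | python3 this.py` after swapping SAMPLE_AUDIT_LOG for stdin) gives the same `allow winbind_t nmbd_var_run_t:sock_file write;` the report shows from audit2allow, and the serial-pairing makes the "I do not know the operation" question answerable from the log alone.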
Comment 1 Miroslav Grepl 2012-07-23 01:12:05 EDT
Fixed in selinux-policy-3.10.0-91.fc16
Comment 2 Fedora Update System 2012-08-01 09:40:13 EDT
selinux-policy-3.10.0-91.fc16 has been submitted as an update for Fedora 16.
Comment 3 Fedora Update System 2012-08-02 07:19:55 EDT
Package selinux-policy-3.10.0-91.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-91.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2012-08-27 18:57:46 EDT
selinux-policy-3.10.0-91.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
