Bug 859010 - Allow winbind to access ldapi socket of 389ds
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Docs Contact:
Depends On:
Blocks:
Reported: 2012-09-20 07:01 EDT by Sumit Bose
Modified: 2012-09-27 12:56 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-27 12:56:03 EDT
Type: Bug

Attachments: None
Description Sumit Bose 2012-09-20 07:01:19 EDT
Description of problem:
Like the samba daemon smbd, the winbindd daemon must access the LDAPI socket of the local 389ds instance if samba is configured with an LDAP backend.

Currently messages like 

type=AVC msg=audit(1348145647.357:3014): avc:  denied  { write } for  pid=29351 comm="winbindd" name="slapd-ENGLAB-QE.socket" dev="tmpfs" ino=128206 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file

can be found in the audit.log. Winbind should have the same permissions with respect to the ldapi socket as smbd.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-162.el6
Comment 2 Milos Malik 2012-09-21 02:29:42 EDT
This kind of access is allowed in selinux-policy-3.7.19-162.el6:

# rpm -qa selinux-policy\*
selinux-policy-targeted-3.7.19-162.el6.noarch
selinux-policy-minimum-3.7.19-162.el6.noarch
selinux-policy-mls-3.7.19-162.el6.noarch
selinux-policy-doc-3.7.19-162.el6.noarch
selinux-policy-3.7.19-162.el6.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# sesearch -s winbind_t -t dirsrv_var_run_t -c sock_file --allow -C
Found 1 semantic av rules:
   allow winbind_t dirsrv_var_run_t : sock_file { write getattr append open } ; 

#
Comment 3 Miroslav Grepl 2012-09-21 05:41:07 EDT
Sumit,
could you execute

# grep dirsrv_var_run_t /var/log/audit/audit.log |audit2why

# rpm -qa selinux-policy\*
Comment 4 Sumit Bose 2012-09-21 10:38:58 EDT
Sorry, I just got confused by the different behavior in Fedora and RHEL and reported against the wrong platform. As Milos said, in RHEL there is:

RHEL6# sesearch -s winbind_t -t dirsrv_var_run_t -c sock_file --allow -C
Found 1 semantic av rules:
   allow winbind_t dirsrv_var_run_t : sock_file { write getattr append open } ; 

RHEL6# sesearch -s smbd_t -t dirsrv_var_run_t -c sock_file --allow -C
Found 2 semantic av rules:
   allow smbd_t dirsrv_var_run_t : sock_file { write getattr append open } ; 
DT allow smbd_t dirsrv_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ samba_export_all_rw ]

So by default smbd and winbind are allowed to access the socket.

In Fedora 17 I see:

F17# sesearch -s winbind_t -t dirsrv_var_run_t -c sock_file --allow -C
Found 1 semantic av rules:
ET allow nsswitch_domain dirsrv_var_run_t : sock_file { write getattr append open } ; [ authlogin_nsswitch_use_ldap ]

F17# sesearch -s smbd_t -t dirsrv_var_run_t -c sock_file --allow -C
Found 2 semantic av rules:
   allow smbd_t dirsrv_var_run_t : sock_file { write getattr append open } ; 
ET allow nsswitch_domain dirsrv_var_run_t : sock_file { write getattr append open } ; [ authlogin_nsswitch_use_ldap ]


So smbd is allowed by default, but winbind only if authlogin_nsswitch_use_ldap is set. Is there a reason for this difference? If not, I will clone this bug for Fedora.
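The triage this thread walks through (read the AVC record from the description, turn it into a `sesearch -C` query as in comments 2 and 4, then decide whether the access is unconditional, gated by a boolean, or missing from the policy entirely) as an added shell example. This is not part of the bug report or of selinux-policy; the function names are my own, and the sample AVC line and sesearch output are the ones quoted in this thread, embedded here as constructed strings so the script runs without a policy installed.

```shell
#!/bin/sh
# Added example, not from the bug report: AVC denial -> sesearch query -> fix suggestion.
# Function names are hypothetical; sample inputs are copied from the thread above.

# Constructed input: the AVC record from the bug description.
SAMPLE_AVC='type=AVC msg=audit(1348145647.357:3014): avc:  denied  { write } for  pid=29351 comm="winbindd" name="slapd-ENGLAB-QE.socket" dev="tmpfs" ino=128206 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file'

# Constructed input: the Fedora 17 "sesearch -C" output from comment 4.
SAMPLE_SESEARCH='Found 1 semantic av rules:
ET allow nsswitch_domain dirsrv_var_run_t : sock_file { write getattr append open } ; [ authlogin_nsswitch_use_ldap ]'

# avc_field LINE KEY: value of the KEY=value pair in an AVC record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# avc_type CONTEXT: the type (third field) of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE: the permission(s) between the braces after "denied"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# avc_to_sesearch LINE: the sesearch command that answers "which rule, if any, allows this?"
avc_to_sesearch() {
    printf 'sesearch -s %s -t %s -c %s -p %s --allow -C\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perm "$1")"
}

# rules_summary OUTPUT: one line per rule in "sesearch -C" output.
# Unconditional rules print "unconditional"; conditional ones print
# "conditional:<boolean>:<ED><TF>", where E/D = rule currently enabled/disabled
# and T/F = rule lives in the true/false branch of the boolean.
rules_summary() {
    printf '%s\n' "$1" | awk '
        /^ *allow /        { print "unconditional"; next }
        /^[ED][TF] allow / {
            flag = $1
            sub(/.*\[ */, ""); sub(/ *\].*/, "")
            print "conditional:" $0 ":" flag
        }'
}

# suggest_fix OUTPUT: what to do next, given the "sesearch -C" output
suggest_fix() {
    summary=$(rules_summary "$1")
    case "$summary" in
        "")              echo "no rule: file an selinux-policy bug or build a local module with audit2allow" ;;
        *unconditional*) echo "already allowed unconditionally: the denial has another cause (wrong label? check audit2why)" ;;
        *) printf '%s\n' "$summary" | awk -F: '
            $3 == "DT" { print "setsebool -P " $2 " on"; next }
            $3 == "DF" { print "setsebool -P " $2 " off"; next }
            { print "rule already enabled via " $2 ": the denial has another cause" }' ;;
    esac
}

# Stand-alone run against the constructed samples. On a real host, replace
# SAMPLE_AVC with a line from: grep 'comm="winbindd"' /var/log/audit/audit.log
avc_to_sesearch "$SAMPLE_AVC"
suggest_fix "$SAMPLE_SESEARCH"
```

The E/D flag is what distinguishes the two RHEL 6 outputs in comment 4 from the Fedora 17 one: the RHEL rule for winbind_t is unconditional, so a denial there points at a labeling or context problem rather than a missing rule, while on Fedora 17 the only rule is the boolean-gated one, so a denial with the boolean off is fixed by `setsebool -P authlogin_nsswitch_use_ldap on`, and a denial with the boolean already on (the ET case shown) needs `audit2why`.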
Comment 5 Miroslav Grepl 2012-09-27 12:56:03 EDT
Fixed in Fedora.
