859010 – Allow winbind to access ldapi socket of 389ds

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 859010 - Allow winbind to access ldapi socket of 389ds

Summary: Allow winbind to access ldapi socket of 389ds

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.4
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-09-20 11:01 UTC by Sumit Bose
Modified:	2012-09-27 16:56 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-09-27 16:56:03 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Sumit Bose 2012-09-20 11:01:19 UTC

Description of problem:
Like the samba daemon smbd the winbindd daemon must access the LDAPI socket of the local 389ds instance if samba is configured with an LDAP backend.

Currently messages like 

type=AVC msg=audit(1348145647.357:3014): avc:  denied  { write } for  pid=29351 comm="winbindd" name="slapd-ENGLAB-QE.socket" dev="tmpfs" ino=128206 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file

can be found in the audit.log. Winbind should have the same permissions with respect to the ldapi socket as the smbd.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-162.el6

Comment 2 Milos Malik 2012-09-21 06:29:42 UTC

This kind of access is allowed in selinux-policy-3.7.19-162.el6:

# rpm -qa selinux-policy\*
selinux-policy-targeted-3.7.19-162.el6.noarch
selinux-policy-minimum-3.7.19-162.el6.noarch
selinux-policy-mls-3.7.19-162.el6.noarch
selinux-policy-doc-3.7.19-162.el6.noarch
selinux-policy-3.7.19-162.el6.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# sesearch -s winbind_t -t dirsrv_var_run_t -c sock_file --allow -C
Found 1 semantic av rules:
   allow winbind_t dirsrv_var_run_t : sock_file { write getattr append open } ; 

#

Comment 3 Miroslav Grepl 2012-09-21 09:41:07 UTC

Sumit,
could you execute

# grep dirsrv_var_run_t /var/log/audit/audit.log |audit2why

# rpm -qa selinux-policy\*

Comment 4 Sumit Bose 2012-09-21 14:38:58 UTC

Sorry, I just got confused by the different behavior in Fedora and RHEL and reported against the wrong platform. As Milos said in RHEL there is:

RHEL6# sesearch -s winbind_t -t dirsrv_var_run_t -c sock_file --allow -C
Found 1 semantic av rules:
   allow winbind_t dirsrv_var_run_t : sock_file { write getattr append open } ; 

RHEL6# sesearch -s smbd_t -t dirsrv_var_run_t -c sock_file --allow -C
Found 2 semantic av rules:
   allow smbd_t dirsrv_var_run_t : sock_file { write getattr append open } ; 
DT allow smbd_t dirsrv_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ samba_export_all_rw ]

So by default smbd and winbind are allowed to access the socket.

I Fedora17 I see:

F17# sesearch -s winbind_t -t dirsrv_var_run_t -c sock_file --allow -C
Found 1 semantic av rules:
ET allow nsswitch_domain dirsrv_var_run_t : sock_file { write getattr append open } ; [ authlogin_nsswitch_use_ldap ]

F17# sesearch -s smbd_t -t dirsrv_var_run_t -c sock_file --allow -C
Found 2 semantic av rules:
   allow smbd_t dirsrv_var_run_t : sock_file { write getattr append open } ; 
ET allow nsswitch_domain dirsrv_var_run_t : sock_file { write getattr append open } ; [ authlogin_nsswitch_use_ldap ]


So smbd is allowed by default, but winbind only if authlogin_nsswitch_use_ldap is set. Is there a reason for this difference? If not I will clone this bug for Fedora.

Comment 5 Miroslav Grepl 2012-09-27 16:56:03 UTC

Fixed in Fedora.

Note You need to log in before you can comment on or make changes to this bug.