Description of problem:
SELinux is preventing /usr/sbin/nmbd from using the 'dac_override' capabilities.

***** Plugin dac_override (91.4 confidence) suggests ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that nmbd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nmbd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:nmbd_t:s0
Target Context                system_u:system_r:nmbd_t:s0
Target Objects                [ capability ]
Source                        nmbd
Source Path                   /usr/sbin/nmbd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           samba-4.0.0-174.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.4-204.fc18.x86_64 #1 SMP Wed Jan 23 16:44:29 UTC 2013 x86_64 x86_64
Alert Count                   4
First Seen                    2013-01-26 17:30:01 CST
Last Seen                     2013-01-26 18:10:04 CST
Local ID                      09889cc0-7397-4467-940d-adf237dd4551

Raw Audit Messages
type=AVC msg=audit(1359245404.374:369): avc: denied { dac_override } for pid=3662 comm="nmbd" capability=1 scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability

type=AVC msg=audit(1359245404.374:369): avc: denied { dac_read_search } for pid=3662 comm="nmbd" capability=2 scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability

type=SYSCALL msg=audit(1359245404.374:369): arch=x86_64 syscall=open success=no exit=EACCES a0=33d9823860 a1=0 a2=0 a3=7fffd7684140 items=0 ppid=1278 pid=3662 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=nmbd exe=/usr/sbin/nmbd subj=system_u:system_r:nmbd_t:s0 key=(null)

Hash: nmbd,nmbd_t,nmbd_t,capability,dac_override

audit2allow

#============= nmbd_t ==============
allow nmbd_t self:capability { dac_read_search dac_override };

audit2allow -R

#============= nmbd_t ==============
allow nmbd_t self:capability { dac_read_search dac_override };

Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.4-204.fc18.x86_64
type:           libreport

Potential duplicate: bug 829139
If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
I'm not sure how to undo my policy change that the SELinux Troubleshooter suggested. Is there a log I could look at that would help? I just enabled nmbd to run at startup, and started receiving policy errors.
What policy did you add? Something like

semodule -r mypol

if you named the policy mypol.
Thanks Daniel. Yes that was it, mypol. I have removed that policy, but now I cannot replicate the error. I have been pushed samba and policy updates, so I'm not sure if it's possible that one of those updates corrected the issue. Do I need to relabel the system after removing my policy?
You don't need to do it in this case. Let's close this bug for now and please reopen if this happens again. Thank you.
I too am getting exactly the same alert, a couple of times a day. Nothing obvious seems to be prompting this.
Pat can you try the auditctl commands above and the next time the AVC happens attach it.
Created attachment 697831 [details]
Output of "ausearch -m avc -ts recent"
Any reason why nmbd would need to read /etc/shadow?
Ok I think we should allow these capabilities if you turn on the samba_export_all_ro or samba_export_all_rw booleans. Not sure if we should allow it otherwise.
(In reply to comment #9)
> Any reason why nmbd would need to read /etc/shadow?

I was hoping you'd tell me :)

Anyway, I've set samba_export_all_rw boolean. Could it perhaps be because there is a disk mounted on /data which is shared via samba without the correct selinux labelling? In any case, the sealert shows up with sufficient regularity that I should know if that solved it within a day or two I should think.
Also should allow for samba_enable_home_dirs as well.
Ok, still getting alerts with:

time->Sat Feb 16 18:16:01 2013
type=SYSCALL msg=audit(1361038561.654:184): arch=c000003e syscall=2 success=no exit=-13 a0=331302394c a1=0 a2=0 a3=7fffdb362970 items=0 ppid=1235 pid=5773 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="nmbd" exe="/usr/sbin/nmbd" subj=system_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1361038561.654:184): avc: denied { read } for pid=5773 comm="nmbd" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

I've noticed a boolean called "global_ssp" which enables reading of urandom from all domains. Should I enable this?
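The plugin text in the bug description tells the reporter to turn on full auditing, reproduce the denial, and then decide by hand: a PATH record in the event means "check ownership/permissions on the file", no PATH record means "report it". The comment above shows a second kind of event, a chr_file denial on urandom, where the right question is the object's label or a boolean, not file permissions. The following script is an added example, not part of the bug report or of setroubleshoot: it groups raw audit records by event, merges the AVC permissions the way audit2allow does, and applies that triage. The sample log is constructed from the records quoted in this bug plus one PATH record with placeholder inode/dev values, of the kind the auditctl watch adds. Field names follow the audit record format; the advice strings and the finding structure are this example's own.

```python
"""Group raw audit records by event and triage SELinux AVC denials.

Added example: reads records in the form written by auditd (and printed by
ausearch), groups them by event, merges denied permissions per
(source type, target type, class), and applies the plugin's decision:
for DAC capability denials, a PATH record means "check the file's
ownership/permissions", no PATH record means "turn on full auditing and
reproduce"; for other classes, look at the object's label and booleans.
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC and SYSCALL records quoted in this bug
# (spacing normalised), plus one PATH record constructed here with
# PLACEHOLDER inode/dev values, of the kind the auditctl watch adds.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1359245404.374:369): avc: denied { dac_override } for pid=3662 comm="nmbd" capability=1 scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability
type=AVC msg=audit(1359245404.374:369): avc: denied { dac_read_search } for pid=3662 comm="nmbd" capability=2 scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1359245404.374:369): arch=x86_64 syscall=open success=no exit=EACCES a0=33d9823860 a1=0 a2=0 a3=7fffd7684140 items=0 ppid=1278 pid=3662 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="nmbd" exe="/usr/sbin/nmbd" subj=system_u:system_r:nmbd_t:s0 key=(null)
type=PATH msg=audit(1359245404.374:369): item=0 name="/etc/shadow" inode=PLACEHOLDER dev=PLACEHOLDER mode=0100000 ouid=0 ogid=0 obj=system_u:object_r:shadow_t:s0
type=SYSCALL msg=audit(1361038561.654:184): arch=c000003e syscall=2 success=no exit=-13 a0=331302394c a1=0 a2=0 a3=7fffdb362970 items=0 ppid=1235 pid=5773 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="nmbd" exe="/usr/sbin/nmbd" subj=system_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1361038561.654:184): avc: denied { read } for pid=5773 comm="nmbd" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
"""

_HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
_PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')          # "{ dac_override }"
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="value"
DAC_CAPS = {"dac_override", "dac_read_search"}


def parse_record(line):
    """Split one audit line into its type, event id (time, serial) and fields."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {k: v.strip('"') for k, v in _KV_RE.findall(body)}
    rec["type"] = rtype
    # The serial alone restarts on reboot, so key events on (time, serial).
    rec["event"] = (float(ts), int(serial))
    if rtype == "AVC":
        pm = _PERMS_RE.search(body)
        rec["perms"] = set(pm.group(1).split()) if pm else set()
    return rec


def type_of(context):
    """system_u:system_r:nmbd_t:s0 -> nmbd_t"""
    return context.split(":")[2]


def group_events(log_text):
    """Map (time, serial) -> list of records belonging to that event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event"]].append(rec)
    return events


def triage_event(records):
    """Return one finding per (source, target, class) denied in one event."""
    avcs = [r for r in records if r["type"] == "AVC"]
    paths = [r["name"] for r in records if r["type"] == "PATH" and "name" in r]
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    merged = defaultdict(set)
    for a in avcs:
        merged[(type_of(a["scontext"]), type_of(a["tcontext"]), a["tclass"])] |= a["perms"]
    findings = []
    for (src, tgt, tclass), perms in merged.items():
        # The rule audit2allow would print for this event, kept for comparison;
        # the advice below is what to check before installing such a rule.
        rule = "allow %s %s:%s { %s };" % (
            src, "self" if src == tgt else tgt, tclass, " ".join(sorted(perms)))
        if tclass == "capability" and perms & DAC_CAPS:
            advice = ("check ownership/permissions of " + ", ".join(paths)) if paths \
                else "no PATH record: turn on full auditing, reproduce, and look again"
        else:
            obj = next((a["name"] for a in avcs if "name" in a), "<unknown object>")
            advice = ("%s access to %s denied: check the object's label and the "
                      "related booleans before allowing" % (tclass, obj))
        findings.append({"exe": syscall.get("exe") if syscall else None,
                         "source": src, "target": tgt, "tclass": tclass,
                         "perms": perms, "paths": paths, "rule": rule, "advice": advice})
    return findings


def triage_log(log_text):
    """Triage every event in a log, oldest first."""
    events = group_events(log_text)
    out = []
    for key in sorted(events):
        out.extend(triage_event(events[key]))
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_AUDIT_LOG):
        print("%s: %s\n    %s\n    -> %s" % (f["exe"], f["rule"], f["paths"], f["advice"]))
```

Run it against a real file with `triage_log(open("/var/log/audit/audit.log").read())` or against the text from `ausearch -m avc -ts recent`. In the sample, the first event carries the constructed /etc/shadow PATH record and so gets the "check ownership/permissions" advice, while the urandom event is routed to the label/boolean check, matching the two directions the thread took.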
I added fixes.
selinux-policy-3.11.1-79.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-79.fc18
I see the changelog for selinux-policy-3.11.1-79.fc18 shows "Allow nmbd to read /dev/random" while my audit log showed a denial for urandom - was that just a typo in the changelog?
Yes, this is a typo. We have these rules now:

dev_read_rand(nmbd_t)
dev_read_urand(nmbd_t)
Ok. Installed the updated package so I'll have to wait and see if the alert re-occurs.
selinux-policy-3.11.1-79.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.