SELinux preventing login (Fedora 16)
Braden McDaniel
braden at endoframe.com
Tue Apr 17 02:07:46 UTC 2012
On Fri, 2012-04-13 at 10:31 -0400, Daniel J Walsh wrote:
[snip]
> Basically in Fedora 16 we turned off the ability for apps that did getpw()
> from being able to connect to the ldap port, by default. Turning that boolean
> on, allows all domains that call getpw to connect to the ldap port. We turned
> this off because sssd now connects to ldap if it is setup and apps calling
> getpw talk to sssd rather then ldap. We have seen some daemons (samba) that
> talk directly that we have broken with this change, but I believe the fixes
> are going into Fedora now.
Is this such an example? I get this when using system-config-samba.
SELinux is preventing /usr/bin/python from open access on the chr_file urandom.
***** Plugin catchall_boolean (47.5 confidence) suggests *******************
If you want to allow users to login using a sssd server
Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap'boolean.
Do
setsebool -P authlogin_nsswitch_use_ldap 1
***** Plugin catchall_boolean (47.5 confidence) suggests *******************
If you want to enable reading of urandom for all domains.
Then you must tell SELinux about this by enabling the 'global_ssp'boolean.
Do
setsebool -P global_ssp 1
***** Plugin catchall (6.38 confidence) suggests ***************************
If you believe that python should be allowed open access on the urandom chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep system-config-s /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:sambagui_t:s0-s0:c0.c1023
Target Context system_u:object_r:urandom_device_t:s0
Target Objects urandom [ chr_file ]
Source system-config-s
Source Path /usr/bin/python
Port <Unknown>
Host rail.endoframe.net
Source RPM Packages python-2.7.2-5.2.fc16.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name rail.endoframe.net
Platform Linux rail.endoframe.net 3.3.1-5.fc16.x86_64 #1
SMP Tue Apr 10 19:56:52 UTC 2012 x86_64 x86_64
Alert Count 2
First Seen Mon 16 Apr 2012 06:49:45 PM EDT
Last Seen Mon 16 Apr 2012 06:52:51 PM EDT
Local ID 331208b1-df87-4aa1-bddf-60ae4685f12d
Raw Audit Messages
type=AVC msg=audit(1334616771.522:793): avc: denied { open } for pid=16042 comm="system-config-s" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:sambagui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1334616771.522:793): arch=x86_64 syscall=open success=yes exit=ECHILD a0=148c4d0 a1=0 a2=1ff a3=20 items=0 ppid=16041 pid=16042 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=system-config-s exe=/usr/bin/python subj=system_u:system_r:sambagui_t:s0-s0:c0.c1023 key=(null)
Hash: system-config-s,sambagui_t,urandom_device_t,chr_file,open
audit2allow
#============= sambagui_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# authlogin_nsswitch_use_ldap, global_ssp
allow sambagui_t urandom_device_t:chr_file open;
audit2allow -R
#============= sambagui_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# authlogin_nsswitch_use_ldap, global_ssp
allow sambagui_t urandom_device_t:chr_file open;
--
Braden McDaniel <braden at endoframe.com>
More information about the users
mailing list