On 10/03/2017 08:37 PM, Lin Pro wrote:
> Hi,
> I was wondering if the winbind package has a default policy included in Fedora 27?
> In permissive mode it works as below:
Yes, we have an SELinux security policy in Fedora 27 for winbind. The issue
here is a missing rule to allow the winbind_t SELinux domain to mmap files
labeled as samba_var_t.
I'll fix it ASAP in Fedora Rawhide and Fedora 27.
Workaround for this is here:
# cat local_winbind_map.cil
(allow winbind_t samba_var_t (file (map)))
# semodule -i local_winbind_map.cil
Fixes will be part of the next build.
Lukas.
> winbind.service - Samba Winbind Daemon
> Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
> Active: active (running) since Tue 2017-10-03 08:16:09 CDT; 5h 17min ago
> Main PID: 1009 (winbindd)
> Status: "winbindd: ready to serve connections..."
> Tasks: 4 (limit: 4915)
> CGroup: /system.slice/winbind.service
> ├─1009 /usr/sbin/winbindd
> ├─1010 /usr/sbin/winbindd
> ├─1066 /usr/sbin/winbindd
> └─1068 /usr/sbin/winbindd
> But in enforcing mode it does not:
> [root@fedmember1 ~]# systemctl stop winbind
> [root@fedmember1 ~]# setenforce 1
> [root@fedmember1 ~]# systemctl start winbind
> Job for winbind.service failed because the control process exited with error code.
> See "systemctl status winbind.service" and "journalctl -xe" for details.
> Oct 03 08:07:20 fedmember1 winbindd[685]:
> tdb(/var/lib/samba/private/netlogon_creds_cli.tdb): tdb_open_ex: tdb_new_database failed
> for /var/lib/samba/private/netlogon_creds_cli.tdb: Permission denied
> Oct 03 08:07:20 fedmember1 winbindd[685]: [2017/10/03 08:07:20.664239, 0]
> ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
> Oct 03 08:07:20 fedmember1 audit[685]: AVC avc: denied { map } for pid=685
> comm="winbindd" path="/var/lib/samba/private/netlogon_creds_cli.tdb"
> dev="dm-0" ino=137059 scontext=system_u:system_r:winbind_t:s0
> tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
> Oct 03 08:07:20 fedmember1 audit[685]: AVC avc: denied { map } for pid=685
> comm="winbindd" path="/var/lib/samba/private/secrets.tdb"
> dev="dm-0" ino=137051 scontext=system_u:system_r:winbind_t:s0
> tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
> Oct 03 08:07:20 fedmember1 audit[685]: AVC avc: denied { map } for pid=685
> comm="winbindd" path="/var/lib/samba/lock/names.tdb"
> dev="dm-0" ino=137022 scontext=system_u:system_r:winbind_t:s0
> tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
> Any hints on how to fix it are welcome.
> Thank you
> Lin
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
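As an added example (not code from the thread or from the Fedora policy), a POSIX shell helper that turns AVC denial lines like the ones quoted above into the CIL allow rules that Lukas's workaround uses, so you can check that a local module covers exactly the denied accesses before loading it with semodule. The sample input is constructed from the three denials in the thread; it also splits a multi-permission brace list into one rule per permission, which the thread's single-permission case does not show.

```shell
#!/bin/sh
# Added example, not from the thread: derive CIL allow rules from AVC denials.
# AVC_SAMPLE is constructed from the three denials quoted in the thread,
# each collapsed onto one line as journalctl prints it.
AVC_SAMPLE='Oct 03 08:07:20 fedmember1 audit[685]: AVC avc: denied { map } for pid=685 comm="winbindd" path="/var/lib/samba/private/netlogon_creds_cli.tdb" dev="dm-0" ino=137059 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
Oct 03 08:07:20 fedmember1 audit[685]: AVC avc: denied { map } for pid=685 comm="winbindd" path="/var/lib/samba/private/secrets.tdb" dev="dm-0" ino=137051 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
Oct 03 08:07:20 fedmember1 audit[685]: AVC avc: denied { map } for pid=685 comm="winbindd" path="/var/lib/samba/lock/names.tdb" dev="dm-0" ino=137022 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0'

# avc_to_cil: read AVC denial lines on stdin and print one CIL
# (allow SRC_TYPE TGT_TYPE (CLASS (PERM))) rule per distinct tuple.
# The type is the third colon-separated field of scontext/tcontext; the
# brace list may hold several permissions, each becoming its own rule.
avc_to_cil() {
    sed -n 's/.*denied { *\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([A-Za-z_]*\).*/\2 \3 \4 \1/p' |
    while read -r src tgt cls perms; do
        for perm in $perms; do
            printf '(allow %s %s (%s (%s)))\n' "$src" "$tgt" "$cls" "$perm"
        done
    done | sort -u
}

# write_cil_module DIR NAME: write the rules read on stdin to DIR/NAME.cil
# and print that path. Loading it (semodule -i DIR/NAME.cil) is a separate,
# root-only step that this helper deliberately does not perform.
write_cil_module() {
    _path="$1/$2.cil"
    cat > "$_path"
    printf '%s\n' "$_path"
}

# Stand-alone run: print the rule(s) the thread's denials call for.
printf '%s\n' "$AVC_SAMPLE" | avc_to_cil
```

The three denials collapse to the single rule `(allow winbind_t samba_var_t (file (map)))`, matching the local_winbind_map.cil module in the reply.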