Hi, I was wondering if the winbind package has a default policy included in Fedora 27? In permissive mode it works as below:
winbind.service - Samba Winbind Daemon
   Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-10-03 08:16:09 CDT; 5h 17min ago
 Main PID: 1009 (winbindd)
   Status: "winbindd: ready to serve connections..."
    Tasks: 4 (limit: 4915)
   CGroup: /system.slice/winbind.service
           ├─1009 /usr/sbin/winbindd
           ├─1010 /usr/sbin/winbindd
           ├─1066 /usr/sbin/winbindd
           └─1068 /usr/sbin/winbindd
But in enforcing mode it does not:
[root@fedmember1 ~]# systemctl stop winbind
[root@fedmember1 ~]# setenforce 1
[root@fedmember1 ~]# systemctl start winbind
Job for winbind.service failed because the control process exited with error code.
See "systemctl status winbind.service" and "journalctl -xe" for details.
Oct 03 08:07:20 fedmember1 winbindd[685]: tdb(/var/lib/samba/private/netlogon_creds_cli.tdb): tdb_open_ex: tdb_new_database failed for /var/lib/samba/private/netlogon_creds_cli.tdb: Permission denied
Oct 03 08:07:20 fedmember1 winbindd[685]: [2017/10/03 08:07:20.664239, 0] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
Oct 03 08:07:20 fedmember1 audit[685]: AVC avc: denied { map } for pid=685 comm="winbindd" path="/var/lib/samba/private/netlogon_creds_cli.tdb" dev="dm-0" ino=137059 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
Oct 03 08:07:20 fedmember1 audit[685]: AVC avc: denied { map } for pid=685 comm="winbindd" path="/var/lib/samba/private/secrets.tdb" dev="dm-0" ino=137051 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
Oct 03 08:07:20 fedmember1 audit[685]: AVC avc: denied { map } for pid=685 comm="winbindd" path="/var/lib/samba/lock/names.tdb" dev="dm-0" ino=137022 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
Any hints on how to fix it are welcome.
Thank you,
Lin
On 10/03/2017 08:37 PM, Lin Pro wrote:
Hi, I was wondering if the winbind package has a default policy included in Fedora 27? In permissive mode it works as below:
Yes, we have an SELinux security policy in Fedora 27 for winbind. The issue here is a missing rule to allow the winbind_t SELinux domain to mmap files labeled as samba_var_t.
I'll fix it ASAP in Fedora Rawhide and Fedora 27.
Workaround for this is here:
# cat local_winbind_map.cil
(allow winbind_t samba_var_t (file (map)))
# semodule -i local_winbind_map.cil
Fixes will be part of the next build.
Lukas.
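Lukas's one-line CIL module is the rule that the "map" denials in Lin's journal call for. As an added example (not code from the thread or from the Fedora policy), the POSIX shell/awk function below derives such CIL allow rules from AVC "denied" lines, so each rule can be reviewed before it is loaded with semodule; the sample lines are constructed from the shape of the thread's denials, with one extra "read" denial added to show that one rule is emitted per distinct (source, target, class, permission).

```shell
#!/bin/sh
# Added example: turn AVC denial records into CIL allow rules of the form
# "(allow SRC_T TGT_T (CLASS (PERM)))" for review before "semodule -i".

# Constructed sample input modelled on the denials in the thread.
SAMPLE_AVC='audit[685]: AVC avc:  denied  { map } for  pid=685 comm="winbindd" path="/var/lib/samba/private/secrets.tdb" scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
audit[685]: AVC avc:  denied  { map } for  pid=685 comm="winbindd" path="/var/lib/samba/lock/names.tdb" scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
audit[685]: AVC avc:  denied  { read } for  pid=685 comm="winbindd" path="/var/lib/samba/lock/names.tdb" scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0'

# avc_to_cil: read AVC lines on stdin; print one deduplicated CIL allow rule
# per (source type, target type, class, permission). Only "denied" records
# are considered; "granted" records and unrelated journal lines are ignored.
avc_to_cil() {
    grep 'avc: *denied' | awk '
    {
        # The permission set sits between "{" and "}".
        ps = index($0, "{"); pe = index($0, "}")
        perms = substr($0, ps + 1, pe - ps - 1)
        src = ""; tgt = ""; cls = ""
        # The type is the third colon-separated part of each security context.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), s, ":"); src = s[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            rule = "(allow " src " " tgt " (" cls " (" p[j] ")))"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }
    }'
}

# sample_rules: the rules derived from the constructed sample above.
# Expected output:
#   (allow winbind_t samba_var_t (file (map)))
#   (allow winbind_t samba_var_t (file (read)))
sample_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_cil
}

sample_rules
```

On a real host, feed it `journalctl -k -o cat | grep avc` or `ausearch -m avc -ts recent` and write the output to a `.cil` file for `semodule -i`, keeping only the rules that match denials you actually understand.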
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org