SELinux, Samba, & Winbind

Kloc, Alisha Alisha.Kloc at boeing.com
Wed Jul 21 18:34:33 UTC 2010


Hello list,

I am trying to set up basic Samba/Winbind on a RHEL5.2 server. But every time I try to do anything - join a domain, run a test join, change configuration settings, basically anything that calls any object related to Samba or Winbind - SELinux blocks it.

Disabling protection for the winbind daemon in the boolean settings changes SELinux to blocking /var/run/winbindd/pipe instead. I've run restorecon where possible, and done a full relabel of the whole system, multiple times. Nothing changes. I haven't moved any system files and I'm following the official Samba setup documentation.

I'm utterly at a loss. Something must be broken because I can't imagine a default SELinux policy that blocks all Samba/Winbind activity would have made it past RHEL5's quality control. But I can't figure out what it is.

Please help!

Thanks in advance,
-Alisha

_____________________________________

[root at myhost ~]# net ads testjoin
[2010/07/21 18:28:39.357159,  0] libads/kerberos.c:915(create_local_private_krb5_conf_for_domain)
  create_local_private_krb5_conf_for_domain: failed to create directory /var/lib/samba/smb_krb5. Error was Permission denied
[2010/07/21 18:28:39.359054,  0] libads/kerberos.c:915(create_local_private_krb5_conf_for_domain)
  create_local_private_krb5_conf_for_domain: failed to create directory /var/lib/samba/smb_krb5. Error was Permission denied
Join is OK
_____________________________________

Summary:
SELinux is preventing the net from using potentially mislabeled files (/tmp/.winbindd).

Detailed Description
SELinux has denied net access to potentially mislabeled file(s) (/tmp/.winbindd). This means that SELinux will not allow net to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access
If you want net to access this files, you need to relabel them using restorecon -v '/tmp/.winbindd'. You might want to relabel the entire directory using restorecon -R -v '/tmp/.winbindd'.

Additional Information

Source Context:  root:system_r:samba_net_t:SystemLow-SystemHigh
Target Context:  system_u:object_r:winbind_tmp_t
Target Objects:  /tmp/.winbindd [ dir ]
Source:  net
Source Path:  /usr/bin/net
Port:  <Unknown>
Host:  <my-hostname>
Source RPM Packages:  samba3-client-3.5.4-43.el5
Target RPM Packages:
Policy RPM:  selinux-policy-2.4.6-137.el5
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  home_tmp_bad_labels
Host Name:  <my-hostname>
Platform:  Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686
Alert Count:  24
First Seen:  Wed 21 Jul 2010 05:56:30 PM GMT
Last Seen:  Wed 21 Jul 2010 06:08:40 PM GMT
Local ID:  0c95a6b7-9a92-4950-bb1d-9b74686685ea
Line Numbers:
Raw Audit Messages :
host=<my-hostname> type=AVC msg=audit(1279735720.83:120): avc: denied { getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3 ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir
host=<my-hostname> type=SYSCALL msg=audit(1279735720.83:120): arch=40000003 syscall=196 success=no exit=-13 a0=2ae6b6 a1=bfa92f0c a2=cabff4 a3=2ae6b6 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
______________________________________

Summary:

SELinux is preventing net (samba_net_t) "read" to ./filesystems (proc_t).

Detailed Description:
SELinux denied access requested by net. It is not expected that this access is required by net and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./filesystems,
restorecon -v './filesystems'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:
Source Context                root:system_r:samba_net_t:SystemLow-SystemHigh
Target Context                system_u:object_r:proc_t
Target Objects                ./filesystems [ file ]
Source                        net
Source Path                   /usr/bin/net
Port                          <Unknown>
Host                          <my-hostname>
Source RPM Packages           samba3-client-3.5.4-43.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     <my-hostname>
Platform                      Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686
Alert Count                   12
First Seen                    Wed 21 Jul 2010 05:56:30 PM GMT
Last Seen                     Wed 21 Jul 2010 06:08:39 PM GMT
Local ID                      1f71cc35-0ccc-4104-8c99-5158849a8cb1
Line Numbers

Raw Audit Messages
host=<my-hostname> type=AVC msg=audit(1279735719.957:114): avc:  denied  { read } for  pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
host=<my-hostname> type=SYSCALL msg=audit(1279735719.957:114): arch=40000003 syscall=5 success=no exit=-13 a0=ab1390 a1=8000 a2=0 a3=8000 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
_____________________________________
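As an added example, not part of the post or of the Samba/SELinux projects, here is a small Python triage script for the raw AVC lines quoted above: it parses each denial into source type, target type, class and permissions, collapses them into audit2allow-style allow rules, and applies a heuristic (my own, modelled on the setroubleshoot home_tmp_bad_labels versus catchall_file plugins) that separates a likely labeling problem on a /tmp object from a genuine policy gap. The regex, function names and the heuristic are assumptions of this example.

```python
import re
from collections import defaultdict
# Constructed sample: the two AVC records quoted in the post (SYSCALL lines omitted).
SAMPLE_AUDIT = """\
host=<my-hostname> type=AVC msg=audit(1279735720.83:120): avc: denied { getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3 ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir
host=<my-hostname> type=AVC msg=audit(1279735719.957:114): avc:  denied  { read } for  pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

# Assumed field layout of an auditd AVC record; tolerant of the doubled spaces seen above.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
OBJ_RE = re.compile(r'\b(?:path|name)="([^"]*)"')

def selinux_type(context):
    """Third colon-separated field of a context, e.g. samba_net_t."""
    return context.split(":")[2]

def parse_avc(text):
    """Parse AVC denial lines; SYSCALL and other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        rec["stype"] = selinux_type(rec["scontext"])
        rec["ttype"] = selinux_type(rec["tcontext"])
        obj = OBJ_RE.search(line)
        rec["object"] = obj.group(1) if obj else None
        records.append(rec)
    return records

def summarize(records):
    """Merge denials into (source type, target type, class) -> sorted permissions."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in rules.items()}

def te_rules(summary):
    """Render the summary as allow rules, the form a local policy module would carry."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summary.items())]

def triage(rec):
    """Heuristic: an object under /tmp is usually a label question, anything else a policy gap."""
    if rec["object"] and rec["object"].startswith("/tmp/"):
        return "check label: restorecon -v '%s'" % rec["object"]
    return "policy gap: review the access, then audit2allow into a local module"
```

Feed it `ausearch -m avc` output instead of the sample to triage a live box; review each generated allow rule before loading it, since the proc_t read is the kind of access setroubleshoot flags as unexpected.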
