SELinux preventing login (Fedora 16)

Daniel J Walsh dwalsh at redhat.com
Tue Apr 17 12:27:58 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/16/2012 10:07 PM, Braden McDaniel wrote:
> On Fri, 2012-04-13 at 10:31 -0400, Daniel J Walsh wrote:
> 
> [snip]
> 
>> Basically in Fedora 16 we turned off the ability for apps that did
>> getpw() from being able to connect to the ldap port, by default.  Turning
>> that boolean on, allows all domains that call getpw to connect to the
>> ldap port.  We turned this off because sssd now connects to ldap if it is
>> setup and apps calling getpw talk to sssd rather then ldap.  We have seen
>> some daemons (samba) that talk directly that we have broken with this
>> change, but I believe the fixes are going into Fedora now.
> 
Yes, It certainly looks like we should allow sambagui_t to access the ldap
server without turning on the boolean.


> Is this such an example?  I get this when using system-config-samba.
> 
> SELinux is preventing /usr/bin/python from open access on the chr_file
> urandom.
> 
> *****  Plugin catchall_boolean (47.5 confidence) suggests
> *******************
> 
> If you want to allow users to login using a sssd server Then you must tell
> SELinux about this by enabling the 'authlogin_nsswitch_use_ldap'boolean. 
> Do setsebool -P authlogin_nsswitch_use_ldap 1
> 
> *****  Plugin catchall_boolean (47.5 confidence) suggests
> *******************
> 
> If you want to enable reading of urandom for all domains. Then you must
> tell SELinux about this by enabling the 'global_ssp'boolean. Do setsebool
> -P global_ssp 1
> 
> *****  Plugin catchall (6.38 confidence) suggests
> ***************************
> 
> If you believe that python should be allowed open access on the urandom
> chr_file by default. Then you should report this as a bug. You can generate
> a local policy module to allow this access. Do allow this access for now by
> executing: # grep system-config-s /var/log/audit/audit.log | audit2allow -M
> mypol # semodule -i mypol.pp
> 
> Additional Information: Source Context
> system_u:system_r:sambagui_t:s0-s0:c0.c1023 Target Context
> system_u:object_r:urandom_device_t:s0 Target Objects                urandom
> [ chr_file ] Source                        system-config-s Source Path
> /usr/bin/python Port                          <Unknown> Host
> rail.endoframe.net Source RPM Packages
> python-2.7.2-5.2.fc16.x86_64 Target RPM Packages Policy RPM
> selinux-policy-3.10.0-80.fc16.noarch Selinux Enabled               True 
> Policy Type                   targeted Enforcing Mode
> Permissive Host Name                     rail.endoframe.net Platform
> Linux rail.endoframe.net 3.3.1-5.fc16.x86_64 #1 SMP Tue Apr 10 19:56:52 UTC
> 2012 x86_64 x86_64 Alert Count                   2 First Seen
> Mon 16 Apr 2012 06:49:45 PM EDT Last Seen                     Mon 16 Apr
> 2012 06:52:51 PM EDT Local ID
> 331208b1-df87-4aa1-bddf-60ae4685f12d
> 
> Raw Audit Messages type=AVC msg=audit(1334616771.522:793): avc:  denied  {
> open } for  pid=16042 comm="system-config-s" name="urandom" dev="devtmpfs"
> ino=1033 scontext=system_u:system_r:sambagui_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> 
> 
> type=SYSCALL msg=audit(1334616771.522:793): arch=x86_64 syscall=open
> success=yes exit=ECHILD a0=148c4d0 a1=0 a2=1ff a3=20 items=0 ppid=16041
> pid=16042 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm=system-config-s exe=/usr/bin/python
> subj=system_u:system_r:sambagui_t:s0-s0:c0.c1023 key=(null)
> 
> Hash: system-config-s,sambagui_t,urandom_device_t,chr_file,open
> 
> audit2allow
> 
> #============= sambagui_t ============== #!!!! This avc can be allowed
> using one of the these booleans: #     authlogin_nsswitch_use_ldap,
> global_ssp
> 
> allow sambagui_t urandom_device_t:chr_file open;
> 
> audit2allow -R
> 
> #============= sambagui_t ============== #!!!! This avc can be allowed
> using one of the these booleans: #     authlogin_nsswitch_use_ldap,
> global_ssp
> 
> allow sambagui_t urandom_device_t:chr_file open;
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+NYc4ACgkQrlYvE4MpobMCiwCgysm2rDbGq/aA2fA5ig7SIH1S
xo4An1A2gqtY3pRPEY2vuUraGB8CS5/A
=StFz
-----END PGP SIGNATURE-----

More information about the users mailing list