Re: winbindd avc errors

[Jim Cornette <jim-cornette@xxxxxxxxxxxxxx>]

Karsten Wade wrote:
> On Sat, 2004-12-18 at 21:39 -0500, Jim Cornette wrote:
>
> > I am trying to run some samba related programs and found that the 
> > winbindd program causes some avc errors. I did a
> > touch /.autorelabel
> > and noticed that the errors were still present with this daemon. I did 
> > not configure anything for this program. Attached is the avc errors for 
> > today. I disabled the daemon and have no errors now.
>
>
> Do you have the latest policy?  winbind policy was added, and it appears
> to allow all the denials you have below.  I'm looking at 1.17.30-2.50.
> I know there was no winbind in 2.43 (iirc).

These errors are with selinux-policy-targeted-1.17.30-2.51 installed and
the system relabelled.

I just started the daemon again and have similar errors reported.

I then setenforced 0 and started then stopped the service. The startup 
succeeded and the shutdown service succeded. When in the enforcing mode, 
startup succeeded, but shutdown failed. Excerpt from the log below.

Jim

Dec 19 14:29:33 cornette-fc3-lt winbindd[3292]: [2004/12/19 14:29:33, 0] 
lib/util_sock.c:create_pipe_sock(1079)
Dec 19 14:29:33 cornette-fc3-lt winbindd[3292]:   bind failed on pipe 
socket /var/run/winbindd/pipe: Permission denied
Dec 19 14:29:33 cornette-fc3-lt kernel: audit(1103484573.789:0): avc: 
denied  { create } for  pid=3292 exe=/usr/sbin/winbindd name=pipe 
scontext=root:system_r:winbind_t tcontext=root:object_r:var_run_t 
tclass=sock_file
Dec 19 14:29:39 cornette-fc3-lt winbind: winbindd shutdown failed




> - Karsten
>
> > Thanks,
> >
> > Jim
> > plain text document attachment (winbindd.errors)
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.233:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.234:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.235:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.236:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.236:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.237:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.290:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.290:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.291:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.356:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_var_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.357:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.357:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.358:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.359:0): avc:  denied  { create } for  pid=2137 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:53 cornette-fc3-lt kernel: audit(1103397413.455:0): avc:  denied  { create } for  pid=2139 exe=/usr/sbin/winbindd name=netsamlogon_cache.tdb scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_var_t tclass=file
> > Dec 18 14:16:54 cornette-fc3-lt kernel: audit(1103397414.324:0): avc:  denied  { create } for  pid=2139 exe=/usr/sbin/winbindd name=winbindd_cache.tdb scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_var_t tclass=file
> > Dec 18 14:16:54 cornette-fc3-lt kernel: audit(1103397414.324:0): avc:  denied  { create } for  pid=2139 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:55 cornette-fc3-lt kernel: audit(1103397415.218:0): avc:  denied  { create } for  pid=2139 exe=/usr/sbin/winbindd name=winbindd scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:var_run_t tclass=dir
> > Dec 18 14:16:55 cornette-fc3-lt kernel: audit(1103397415.218:0): avc:  denied  { create } for  pid=2139 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 14:16:55 cornette-fc3-lt kernel: audit(1103397415.218:0): avc:  denied  { create } for  pid=2139 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:49:07 cornette-fc3-lt dbus: avc:  1 AV entries and 1/512 buckets used, longest chain length 1 
> > Dec 18 15:54:00 cornette-fc3-lt dbus: avc:  1 AV entries and 1/512 buckets used, longest chain length 1 
> > Dec 18 15:54:12 cornette-fc3-lt dbus: avc:  1 AV entries and 1/512 buckets used, longest chain length 1 
> > Dec 18 15:59:09 cornette-fc3-lt kernel: audit(1103403334.306:0): avc:  granted  { setenforce } for  pid=212 exe=/bin/bash scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
> > Dec 18 15:59:09 cornette-fc3-lt kernel: audit(1103403523.164:0): avc:  granted  { setenforce } for  pid=212 exe=/bin/bash scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
> > Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.176:0): avc:  denied  { create } for  pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.177:0): avc:  denied  { create } for  pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.178:0): avc:  denied  { create } for  pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.179:0): avc:  denied  { create } for  pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.179:0): avc:  denied  { create } for  pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.218:0): avc:  denied  { create } for  pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.218:0): avc:  denied  { create } for  pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.219:0): avc:  denied  { create } for  pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.299:0): avc:  denied  { create } for  pid=2190 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_var_t tclass=file
> > Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.300:0): avc:  denied  { create } for  pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.301:0): avc:  denied  { create } for  pid=2190 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:59:33 cornette-fc3-lt kernel: audit(1103403573.412:0): avc:  denied  { create } for  pid=2191 exe=/usr/sbin/winbindd name=netsamlogon_cache.tdb scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_var_t tclass=file
> > Dec 18 15:59:34 cornette-fc3-lt kernel: audit(1103403574.278:0): avc:  denied  { create } for  pid=2191 exe=/usr/sbin/winbindd name=winbindd_cache.tdb scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_var_t tclass=file
> > Dec 18 15:59:34 cornette-fc3-lt kernel: audit(1103403574.278:0): avc:  denied  { create } for  pid=2191 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:59:35 cornette-fc3-lt kernel: audit(1103403575.585:0): avc:  denied  { create } for  pid=2191 exe=/usr/sbin/winbindd name=winbindd scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:var_run_t tclass=dir
> > Dec 18 15:59:35 cornette-fc3-lt kernel: audit(1103403575.585:0): avc:  denied  { create } for  pid=2191 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 15:59:35 cornette-fc3-lt kernel: audit(1103403575.586:0): avc:  denied  { create } for  pid=2191 exe=/usr/sbin/winbindd name=winbindd.log scontext=user_u:system_r:winbind_t tcontext=user_u:object_r:samba_log_t tclass=file
> > Dec 18 16:11:18 cornette-fc3-lt dbus: avc:  1 AV entries and 1/512 buckets used, longest chain length 1 
> > Dec 18 16:13:54 cornette-fc3-lt dbus: avc:  0 AV entries and 0/512 buckets used, longest chain length 0 
> > Dec 18 16:31:46 cornette-fc3-lt dbus: avc:  1 AV entries and 1/512 buckets used, longest chain length 1 
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > http://www.redhat.com/mailman/listinfo/fedora-selinux-list


--
Anything worth doing is worth overdoing.