Re: winbind missing selinux policy in fed 27?

On 10/03/2017 08:37 PM, Lin Pro wrote:
Hi,
I was wondering if winbind package has a default policy included in Fedora 27?
In permissive mode it works as below:


Yes, we have an SELinux security policy in Fedora 27 for winbind. The issue here is a missing rule to allow the winbind_t SELinux domain to mmap files labeled as samba_var_t.

I'll fix it ASAP in Fedora Rawhide and Fedora 27.

Workaround for this is here:

# cat local_winbind_map.cil
(allow winbind_t samba_var_t (file (map)))

# semodule -i local_winbind_map.cil

Fixes will be part of the next build.

Lukas.

winbind.service - Samba Winbind Daemon
    Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
    Active: active (running) since Tue 2017-10-03 08:16:09 CDT; 5h 17min ago
  Main PID: 1009 (winbindd)
    Status: "winbindd: ready to serve connections..."
     Tasks: 4 (limit: 4915)
    CGroup: /system.slice/winbind.service
            ├─1009 /usr/sbin/winbindd
            ├─1010 /usr/sbin/winbindd
            ├─1066 /usr/sbin/winbindd
            └─1068 /usr/sbin/winbindd


But in Enforcing Mode it does not:

[root@fedmember1 ~]# systemctl stop winbind
[root@fedmember1 ~]# setenforce 1
[root@fedmember1 ~]# systemctl start winbind
Job for winbind.service failed because the control process exited with error code.
See "systemctl  status winbind.service" and "journalctl  -xe" for details.


Oct 03 08:07:20 fedmember1 winbindd[685]:   tdb(/var/lib/samba/private/netlogon_creds_cli.tdb): tdb_open_ex: tdb_new_database failed for /var/lib/samba/private/netlogon_creds_cli.tdb: Permission denied
Oct 03 08:07:20 fedmember1 winbindd[685]: [2017/10/03 08:07:20.664239,  0] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
Oct 03 08:07:20 fedmember1 audit[685]: AVC avc:  denied  { map } for  pid=685 comm="winbindd" path="/var/lib/samba/private/netlogon_creds_cli.tdb" dev="dm-0" ino=137059 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
Oct 03 08:07:20 fedmember1 audit[685]: AVC avc:  denied  { map } for  pid=685 comm="winbindd" path="/var/lib/samba/private/secrets.tdb" dev="dm-0" ino=137051 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
Oct 03 08:07:20 fedmember1 audit[685]: AVC avc:  denied  { map } for  pid=685 comm="winbindd" path="/var/lib/samba/lock/names.tdb" dev="dm-0" ino=137022 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0

Any hints on how to fix it are welcome.

Thank you
Lin
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx



--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
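The workaround above turns the three AVC lines from Lin's journal into a single CIL allow rule. The following script is an added example, not part of the thread or of the Fedora policy: it derives that rule from the denial lines mechanically (source type, target type, class and permission), so the result can be checked against what is actually being denied before it is loaded with semodule. The AVC lines are embedded as a constructed sample copied from the thread; `avc_to_cil` and `AVC_SAMPLE` are names chosen here.

```shell
#!/bin/sh
# Constructed sample input: the AVC denials quoted in the thread.
AVC_SAMPLE='Oct 03 08:07:20 fedmember1 audit[685]: AVC avc:  denied  { map } for  pid=685 comm="winbindd" path="/var/lib/samba/private/netlogon_creds_cli.tdb" dev="dm-0" ino=137059 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
Oct 03 08:07:20 fedmember1 audit[685]: AVC avc:  denied  { map } for  pid=685 comm="winbindd" path="/var/lib/samba/private/secrets.tdb" dev="dm-0" ino=137051 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0
Oct 03 08:07:20 fedmember1 audit[685]: AVC avc:  denied  { map } for  pid=685 comm="winbindd" path="/var/lib/samba/lock/names.tdb" dev="dm-0" ino=137022 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0'

# avc_to_cil: read AVC denial lines on stdin and print one CIL allow rule
# per unique (source type, target type, class, permission) tuple.
# Three denials on three different .tdb files collapse into one rule,
# because all of them share winbind_t / samba_var_t / file / map.
avc_to_cil() {
  while IFS= read -r line; do
    case "$line" in *'avc:  denied'*) ;; *) continue ;; esac
    # Permission list sits between "{ " and " }", e.g. "map" or "read write".
    perms=${line#*'{ '}; perms=${perms%%' }'*}
    # Contexts look like user:role:type:level; the type is the third field.
    src=${line#*scontext=}; src=${src%% *}
    tgt=${line#*tcontext=}; tgt=${tgt%% *}
    cls=${line#*tclass=};   cls=${cls%% *}
    srct=$(printf '%s' "$src" | cut -d: -f3)
    tgtt=$(printf '%s' "$tgt" | cut -d: -f3)
    for p in $perms; do
      printf '(allow %s %s (%s (%s)))\n' "$srct" "$tgtt" "$cls" "$p"
    done
  done | sort -u
}

# Stand-alone run: emit the rule(s) that a local .cil module would need.
# Review the output before installing it; each line widens the policy.
printf '%s\n' "$AVC_SAMPLE" | avc_to_cil
```

The printed rule is exactly the one in Lukas's `local_winbind_map.cil`, which can then be installed with `semodule -i` as shown above; the same loop also works on `ausearch -m avc` output, since the `avc:  denied { ... }` layout is the same.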