Bug 229466 - SELinux prevents automatic addition of machine accounts in a Samba PDC
Summary: SELinux prevents automatic addition of machine accounts in a Samba PDC
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 235360
 
Reported: 2007-02-21 12:04 UTC by Markku Kolkka
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 2.4.6-69
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-29 10:04:55 UTC


Attachments
Try this policy package. (deleted)
2007-02-22 16:53 UTC, Daniel Walsh

Description Markku Kolkka 2007-02-21 12:04:37 UTC
Description of problem:
The Fedora machine is set up as a Samba PDC, but trying to join a Windows
machine in the domain fails if SELinux is in enforcing mode, the samba log shows
that machine account creation failed. In permissive mode joining succeeds, but
with a large number of SELinux alerts.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-40.fc6

How reproducible:
always

Steps to Reproduce:
1. Setup Samba as a primary domain controller
2. Log in a Windows machine and try to join the domain created in step 1.
  
Actual results:
The machine account isn't created and joining fails.

Expected results:
The Windows machine is added to the domain and a machine account created.

Additional info:
The error in smb.log when trying to add a machine "opetus5" to the domain with
SELinux in enforcing mode:
[2007/02/21 13:31:43, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false opetus5$' gave 82

Comment 1 Daniel Walsh 2007-02-21 15:47:07 UTC
Please grab the avc messages from /var/log/audit/audit.log or /var/log/messages.

Comment 2 Markku Kolkka 2007-02-22 08:31:29 UTC
The message while in enforcing mode:
avc: denied { search } for comm="smbd" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="bin" 
pid=2748 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir 
tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0 

In permissive mode:
avc: denied { lock } for comm="adduser" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=".pwd.lock" 
path="/etc/.pwd.lock" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:shadow_t:s0 tty=(none) uid=0 

avc: denied { write } for comm="adduser" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=5 fsgid=0 fsuid=0 gid=0 items=0 
name="passwd.2926" path="/etc/passwd.2926" pid=2926 
scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 
suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0

avc: denied { read } for comm="adduser" dev=dm-2 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="useradd" 
path="/usr/sbin/useradd" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:useradd_exec_t:s0 tty=(none) uid=0 

avc: denied { create } for comm="adduser" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=6 fsgid=0 fsuid=0 gid=0 items=0 
name="passwd.2926" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0

avc: denied { read, write } for comm="adduser" dev=dm-3 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=10 fsgid=0 fsuid=0 gid=0 items=0 name="faillog" 
pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:faillog_t:s0 tty=(none) uid=0

avc: denied { read, write } for comm="adduser" dev=dm-3 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=10 fsgid=0 fsuid=0 gid=0 items=0 name="lastlog" 
pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:lastlog_t:s0 tty=(none) uid=0 

avc: denied { unlink } for comm="adduser" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="passwd" 
pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0 

avc: denied { setattr } for comm="adduser" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="passwd-" 
pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0 

avc: denied { create } for comm="adduser" egid=0 euid=0 
exe="/usr/sbin/useradd" exit=6 fsgid=0 fsuid=0 gid=0 items=0 name="passwd+" 
pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0 

avc: denied { setattr } for comm="adduser" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="passwd+" 
pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0 


Comment 3 Daniel Walsh 2007-02-22 16:53:02 UTC
Created attachment 148597 [details]
Try this policy package.

Save this attachment to a directory by itself and name it mysamba.te
Install selinux-policy-devel
# yum -y install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mysamba.pp

Now try samba in enforcing mode and see if it works. I will update fc6 with
this policy if it does.

Comment 4 Markku Kolkka 2007-02-23 10:43:42 UTC
After installing the above policy package joining the domain works, but with a 
SELinux message: SELinux is preventing /usr/sbin/useradd (useradd_t) "append" 
to /var/log/samba/smbd.log (samba_log_t).

avc: denied { append } for comm="adduser" dev=dm-3 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="smbd.log" 
path="/var/log/samba/smbd.log" pid=2588 
scontext=system_u:system_r:useradd_t:s0 sgid=0 
subj=system_u:system_r:useradd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:samba_log_t:s0 tty=(none) uid=0 

Comment 5 Daniel Walsh 2007-03-20 16:04:02 UTC
Fixed in selinux-policy-2.4.6-46

Comment 6 Markku Kolkka 2007-03-27 08:25:27 UTC
I can't test joining machines at the moment, but selinux-policy-2.4.6-46 breaks
user management with User Manager for Domains. Adding or deleting users causes
SELinux denials, and probably the same would happen with machine accounts.

avc: denied { search } for comm="smbd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="bin" pid=3068
scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0 

Comment 7 Daniel Walsh 2007-03-27 13:56:28 UTC
Fixed in selinux-policy-2.4.6-48

Comment 8 Markku Kolkka 2007-04-04 08:55:47 UTC
With selinux-policy-targeted-2.4.6-49.fc6 User Manager for Domains remains
broken, but the error has changed. Trying to add a new user gives:

avc: denied { read } for comm="smbd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/smbd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="sh" pid=3059
scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0
suid=0 tclass=lnk_file tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0 

Comment 9 Daniel Walsh 2007-04-05 13:17:10 UTC
Fixed in selinux-policy-2.4.6-52

Comment 10 Markku Kolkka 2007-04-12 09:33:17 UTC
I tested again joining machines to the domain with 
selinux-policy-targeted-2.4.6-54.fc6 and it still doesn't work. The denial 
messages keep changing with each version but the final result remains the 
same. This time the message is:

avc: denied { read } for comm="sh" dev=dm-2 egid=0 euid=0 exe="/bin/bash" 
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="adduser" pid=2710 
scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 
suid=0 tclass=lnk_file tcontext=system_u:object_r:sbin_t:s0 tty=(none) uid=0 

Comment 11 Daniel Walsh 2007-04-12 13:03:22 UTC
If you add that allow rule using

grep smbd_t /var/log/audit/audit.log | audit2allow -M mysamba
semodule -i mysamba.pp

Does it work?

If not, try setenforce 0 and gather all the AVC messages.

We have tested this on FC7/Rawhide and it is working now.
I will add a rule to allow this in the next build, but I want to fix this.


Comment 12 Markku Kolkka 2007-04-13 09:36:57 UTC
> grep smbd_t /var/log/audit/audit.log | audit2allow -M mysamba
> semodule -i mysamba.pp

Yes, this worked.

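The procedure in comments 3 and 11 (collect the AVC lines, turn them into a policy module, `semodule -i` it) hides the step a practitioner most needs to see: what rules the denials actually turn into, and which of them should not be installed. The script below is an added example, not code from the bug report or from the selinux-policy package. It reproduces offline, in POSIX sh and awk, the allow lines that `audit2allow` would write into the `.te` (the module header and `require` block it also emits are left out), and then flags the rules whose target is an account database. The AVC input is a constructed sample shaped like the lines quoted in comments 2 and 4; the function names and the list of sensitive types are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the bug report or the selinux-policy package.
# Reproduces offline what "audit2allow" does with the quoted denials:
# collapse raw AVC lines into allow rules, then flag the rules a reviewer
# should refuse before running "semodule -i".  Input is constructed below.

# Constructed sample, shaped like the AVC lines in comments 2 and 4.
SAMPLE_AVC='avc: denied { search } for comm="smbd" name="bin" pid=2748 scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:bin_t:s0
avc: denied { lock } for comm="adduser" name=".pwd.lock" pid=2926 scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:shadow_t:s0
avc: denied { read, write } for comm="adduser" name="faillog" pid=2926 scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:faillog_t:s0
avc: denied { write } for comm="adduser" name="faillog" pid=2926 scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:faillog_t:s0
avc: denied { append } for comm="adduser" name="smbd.log" pid=2588 scontext=system_u:system_r:useradd_t:s0 tclass=file tcontext=system_u:object_r:samba_log_t:s0'

# avc_to_rules: AVC lines on stdin -> one "allow SRC TGT:CLASS { perms };"
# per (source type, target type, class), permissions merged and deduplicated.
avc_to_rules() {
  awk '
    /avc: *denied/ {
      # the requested permissions sit between the braces
      s = index($0, "{"); e = index($0, "}")
      perms = substr($0, s + 1, e - s - 1)
      gsub(/,/, " ", perms)
      st = ""; tt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # the type is the third field of user:role:type:level
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (st == "" || tt == "" || cls == "") next
      key = st " " tt ":" cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (index(" " seen[key] " ", " " p[j] " ") == 0)
          seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
    }
    END { for (k in seen) printf "allow %s { %s };\n", k, seen[k] }
  ' | sort
}

# flag_sensitive: rules on stdin -> the ones granting access to the local
# account databases (shadow_t labels /etc/shadow and /etc/.pwd.lock, etc_t
# labels /etc/passwd).  Installing these for smbd_t hands a compromised smbd
# the ability to edit local accounts directly.  The shipped fix instead
# lets smbd_t transition into useradd_t, which is why comment 4's remaining
# denial comes from useradd_t rather than smbd_t.  The type list is this
# example's own choice.
flag_sensitive() {
  grep -E '^allow [a-z_]+ (shadow_t|etc_t):' || true
}

# Stand-alone run: print the generated rules, then the ones to reject.
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules | flag_sensitive | sed 's/^/REJECT: /'
```

Run it against a real log with `grep smbd_t /var/log/audit/audit.log | avc_to_rules` and read the output before installing anything. A rule like `allow smbd_t bin_t:dir { search };` is harmless; a rule that lets `smbd_t` write `etc_t` or lock `shadow_t` is the signature of useradd running inside the smbd domain, and the right response is a domain transition into `useradd_t`, not a wider `smbd_t`.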

Comment 13 Daniel Walsh 2007-05-17 16:28:52 UTC
Fixed in selinux-policy-2.4.6-69

