Bug 235360 - SELinux prevents automatic addition of machine accounts in a Samba PDC
Summary: SELinux prevents automatic addition of machine accounts in a Samba PDC
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On: 229466
Blocks:
Reported: 2007-04-05 13:17 UTC by Daniel Walsh
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-07 16:38:56 UTC




Links:
System: Red Hat Product Errata
ID: RHBA-2007:0544
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2007-11-08 14:16:49 UTC

Description Daniel Walsh 2007-04-05 13:17:33 UTC
+++ This bug was initially created as a clone of Bug #229466 +++

Description of problem:
The Fedora machine is set up as a Samba PDC, but trying to join a Windows
machine in the domain fails if SELinux is in enforcing mode, the samba log shows
that machine account creation failed. In permissive mode joining succeeds, but
with a large number of SELinux alerts.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-40.fc6

How reproducible:
always

Steps to Reproduce:
1. Setup Samba as a primary domain controller
2. Log in a Windows machine and try to join the domain created in step 1.
  
Actual results:
The machine account isn't created and joining fails.

Expected results:
The Windows machine is added to the domain and a machine account created.

Additional info:
The error in smb.log when trying to add a machine "opetus5" to the domain with
SELinux in enforcing mode:
[2007/02/21 13:31:43, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false opetus5$' gave 82

-- Additional comment from dwalsh@redhat.com on 2007-02-21 10:47 EST --
Please grab the avc messages from /var/log/audit/audit.log or /var/log/messages.

-- Additional comment from markku.kolkka@iki.fi on 2007-02-22 03:31 EST --
The message while in enforcing mode:
avc: denied { search } for comm="smbd" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="bin" 
pid=2748 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir 
tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0 

In permissive mode:
avc: denied { lock } for comm="adduser" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=".pwd.lock" 
path="/etc/.pwd.lock" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:shadow_t:s0 tty=(none) uid=0 

avc: denied { write } for comm="adduser" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=5 fsgid=0 fsuid=0 gid=0 items=0 
name="passwd.2926" path="/etc/passwd.2926" pid=2926 
scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 
suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0

avc: denied { read } for comm="adduser" dev=dm-2 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="useradd" 
path="/usr/sbin/useradd" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:useradd_exec_t:s0 tty=(none) uid=0 

avc: denied { create } for comm="adduser" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=6 fsgid=0 fsuid=0 gid=0 items=0 
name="passwd.2926" pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0

avc: denied { read, write } for comm="adduser" dev=dm-3 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=10 fsgid=0 fsuid=0 gid=0 items=0 name="faillog" 
pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:faillog_t:s0 tty=(none) uid=0

avc: denied { read, write } for comm="adduser" dev=dm-3 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=10 fsgid=0 fsuid=0 gid=0 items=0 name="lastlog" 
pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:lastlog_t:s0 tty=(none) uid=0 

avc: denied { unlink } for comm="adduser" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="passwd" 
pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0 

avc: denied { setattr } for comm="adduser" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="passwd-" 
pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0 

avc: denied { create } for comm="adduser" egid=0 euid=0 
exe="/usr/sbin/useradd" exit=6 fsgid=0 fsuid=0 gid=0 items=0 name="passwd+" 
pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0 

avc: denied { setattr } for comm="adduser" dev=dm-0 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="passwd+" 
pid=2926 scontext=system_u:system_r:smbd_t:s0 sgid=0 
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file 
tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0 


-- Additional comment from dwalsh@redhat.com on 2007-02-22 11:53 EST --
Created an attachment (id=148597)
Try this policy package.

Save this attachment to a directory by itself and name it mysamba.te
Install selinux-policy-devel
# yum -y install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mysamba.pp

Now try samba in enforcing mode and see if it works. I will update fc6 with
this policy if it does.
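
The build steps above take a .te file as input; the following is an added example (not the attachment from this bug and not Red Hat's policy) showing how the AVC records pasted earlier would be turned into such a draft module the way audit2allow does, and why the draft deserves review before it is loaded. The sample records are constructed from the values in the bug's denials, collapsed to the one-line form auditd writes and trimmed to the fields the parser needs. The reading of the useradd_exec_t denial as a missing domain transition is my interpretation; the bug itself only shows that, after the test policy, the remaining denial came from useradd_t rather than smbd_t.

```python
"""Summarise SELinux AVC denials and draft the allow rules a policy module
would need (what audit2allow does), then review the draft for rules that
should not be accepted as-is."""
import re
from collections import defaultdict

# CONSTRUCTED sample: values taken from the denials in this bug report,
# each written as the single line auditd would log, unneeded fields dropped.
SAMPLE_AVCS = """\
avc: denied { search } for comm="smbd" name="bin" scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:bin_t:s0
avc: denied { lock } for comm="adduser" name=".pwd.lock" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:shadow_t:s0
avc: denied { write } for comm="adduser" name="passwd.2926" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:etc_t:s0
avc: denied { read } for comm="adduser" name="useradd" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:useradd_exec_t:s0
avc: denied { read, write } for comm="adduser" name="faillog" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=system_u:object_r:faillog_t:s0
avc: denied { create } for comm="adduser" name="passwd+" scontext=system_u:system_r:smbd_t:s0 tclass=file tcontext=user_u:object_r:etc_t:s0
"""

# Field order in an AVC record is perms, ..., scontext, ..., tclass, ..., tcontext.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
)

# Types whose modification means rewriting the local account database.
ACCOUNT_DB_TYPES = {"etc_t", "shadow_t"}
MODIFY_PERMS = {"write", "create", "unlink", "setattr", "append", "lock"}


def type_of(context):
    """Return the type component of a user:role:type:level context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Return one (source_type, target_type, tclass, perms) tuple per denial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. a SYSCALL line)
        perms = {p.strip() for p in m.group("perms").split(",") if p.strip()}
        denials.append((type_of(m.group("scontext")),
                        type_of(m.group("tcontext")),
                        m.group("tclass"), perms))
    return denials


def summarise(denials):
    """Merge permissions per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)] |= perms
    return dict(merged)


def draft_rules(merged):
    """One allow rule per merged key, permissions sorted for stable output."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def review(merged):
    """Flag draft rules a reviewer should question instead of loading.

    Interpretation (not stated outright in the bug): a source domain that
    reads a *_exec_t file is running that helper inside itself instead of
    transitioning to the helper's own domain, and granting the daemon
    modify access on the account database is the wrong answer to that.
    """
    findings = []
    for (s, t, c), perms in sorted(merged.items()):
        if t.endswith("_exec_t"):
            findings.append(f"{s} reads {t}: a domain transition on exec is "
                            f"probably missing; do not just allow the read")
        if t in ACCOUNT_DB_TYPES and perms & MODIFY_PERMS:
            findings.append(f"{s} would get {sorted(perms & MODIFY_PERMS)} on "
                            f"{t}: direct write to account files; prefer a "
                            f"transition to a dedicated helper domain")
    return findings


def render_module(name, merged):
    """Render a .te file: module header, require block, allow rules."""
    types = sorted({t for key in merged for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, c), perms in merged.items():
        classes[c] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
              for c, p in sorted(classes.items())]
    lines += ["}", ""] + draft_rules(merged)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    merged = summarise(parse_avcs(SAMPLE_AVCS))
    print(render_module("mysamba", merged))
    for finding in review(merged):
        print("REVIEW:", finding)
```

Run against a real audit.log the script would print a `mysamba.te` suitable for the `make -f /usr/share/selinux/devel/Makefile` step, but the review output is the part that matters: for the records above it reports the useradd_exec_t read and the etc_t/shadow_t modifications, which is the signal that a transition rule, not a pile of allow rules for smbd_t, is the fix.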

-- Additional comment from markku.kolkka@iki.fi on 2007-02-23 05:43 EST --
After installing the above policy package joining the domain works, but with a 
SELinux message: SELinux is preventing /usr/sbin/useradd (useradd_t) "append" 
to /var/log/samba/smbd.log (samba_log_t).

avc: denied { append } for comm="adduser" dev=dm-3 egid=0 euid=0 
exe="/usr/sbin/useradd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="smbd.log" 
path="/var/log/samba/smbd.log" pid=2588 
scontext=system_u:system_r:useradd_t:s0 sgid=0 
subj=system_u:system_r:useradd_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:samba_log_t:s0 tty=(none) uid=0 

-- Additional comment from dwalsh@redhat.com on 2007-03-20 12:04 EST --
Fixed in selinux-policy-2.4.6-46

-- Additional comment from markku.kolkka@iki.fi on 2007-03-27 04:25 EST --
I can't test joining machines at the moment, but selinux-policy-2.4.6-46 breaks
user management with User Manager for Domains. Adding or deleting users causes
SELinux denials, and probably the same would happen with machine accounts.

avc: denied { search } for comm="smbd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="bin" pid=3068
scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0 

-- Additional comment from dwalsh@redhat.com on 2007-03-27 09:56 EST --
Fixed in selinux-policy-2.4.6-48

-- Additional comment from markku.kolkka@iki.fi on 2007-04-04 04:55 EST --
With selinux-policy-targeted-2.4.6-49.fc6 User Manager for Domains remains
broken, but the error has changed. Trying to add a new user gives:

avc: denied { read } for comm="smbd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/smbd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="sh" pid=3059
scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0
suid=0 tclass=lnk_file tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0 

-- Additional comment from dwalsh@redhat.com on 2007-04-05 09:17 EST --
Fixed in selinux-policy-2.4.6-52

Comment 1 RHEL Product and Program Management 2007-04-05 13:23:34 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 5 errata-xmlrpc 2007-11-07 16:38:56 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html


