Bug 452082 - winbindd is denied write access to secrets.tdb
Summary: winbindd is denied write access to secrets.tdb
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.6
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Daniel Walsh
Reported: 2008-06-19 08:30 UTC by Petr Šplíchal
Modified: 2016-06-01 01:36 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-06-23 10:38:51 UTC



Description Petr Šplíchal 2008-06-19 08:30:48 UTC
After joining a domain (net rpc join) winbind is unable to start because it is
denied access to /etc/samba/secrets.tdb.

Tested with:
selinux-policy-targeted-1.17.30-2.149.noarch
samba-3.0.28-0.el4.5.s390

Related RHTS Job:
http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=24007

/var/log/samba/winbindd.log:
[2008/06/19 04:15:31, 0] passdb/secrets.c:secrets_init(67)
  Failed to open /etc/samba/secrets.tdb
[2008/06/19 04:15:31, 0] nsswitch/winbindd.c:main(1010)
  Could not initialize domain trust account secrets. Giving up

/var/log/audit/audit.log:
type=AVC msg=audit(1213863331.771:20): avc:  denied  { write } for  pid=29943
comm="winbindd" name="secrets.tdb" dev=dm-0 ino=1590762
scontext=root:system_r:winbind_t tcontext=root:object_r:samba_etc_t tclass=file

type=SYSCALL msg=audit(1213863331.771:20): arch=80000016 syscall=5 success=no
exit=-13 a0=7fffef08 a1=8042 a2=180 a3=f7ddedb2 items=1 pid=29943
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="winbindd" exe="/usr/sbin/winbindd"

type=CWD msg=audit(1213863331.771:20):  cwd="/"

type=PATH msg=audit(1213863331.771:20): name="/etc/samba/secrets.tdb" flags=310
 inode=1590760 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00

Comment 1 Daniel Walsh 2008-06-22 11:57:23 UTC
If you run restorecon /etc/samba/*, does it fix the problem?

Comment 2 Petr Šplíchal 2008-06-23 10:12:37 UTC
Yes, using restorecon helped.

Comment 3 Daniel Walsh 2008-06-23 10:38:51 UTC
Not sure how this got mislabeled. You can try to use restorecond if you would
like to watch this file and maintain its label.

