winbindd.log & snmpd not playing well with selinux

Daniel J Walsh dwalsh at redhat.com
Mon Aug 22 14:43:36 UTC 2005


Craig wrote:

>The other day I rebooted my pc to check on the new configuration
>(adding/removing) of services. Although the reboot wasn't _necessary_, I
>wanted to see what effect the changes in booted services would have on the
>bootup time. Unfortunately, I forgot about an earlier selinux problem I
>had that required an ".autolabel" reboot of the system & have had some
>interesting issues with winbind & snmpd. I am running the following
>selinux packages:
>
>libselinux-1.19.1-8.i386.rpm
>libselinux-devel-1.19.1-8.i386.rpm
>selinux-doc-1.14.1-1.noarch.rpm
>selinux-policy-targeted-1.17.30-3.16.noarch.rpm
>
>I have looked at the bugzilla logs and these issues are entirely
>separate from those mentioned (or at least they seem to be different to
>me). First, the snmpd service will not start because it is being denied
>by selinux:
>
>Aug 13 07:22:13 wowway kernel: audit(1123932133.514:20): avc:  denied  {
>execmem } for  pid=8352 comm="snmpd" scontext=root:system_r:snmpd_t
>tcontext=root:system_r:snmpd_t tclass=process
>Aug 13 18:18:35 wowway kernel: audit(1123971515.257:21): avc:  denied  {
>execmem } for  pid=10368 comm="snmpd" scontext=root:system_r:snmpd_t
>tcontext=root:system_r:snmpd_t tclass=process
>
>It was only after searching the System log for avc denials that I
>came across the winbind problem which, to my knowledge, has not
>affected my ability to access shared mounts or the printer connected
>to my linux box. Apparently, selinux is not allowing winbind to append
>or write to the winbindd.log:
>
>Aug 12 19:46:12 wowway kernel: audit(1123890372.244:2): avc:  denied  {
>execmem } for  pid=3873 comm="snmpd" scontext=user_u:system_r:snmpd_t
>tcontext=user_u:system_r:snmpd_t tclass=process
>Aug 12 19:46:25 wowway kernel: audit(1123890385.354:3): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.355:4): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.355:5): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.355:6): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.355:7): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.355:8): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.355:9): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.355:10): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.355:11): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.392:12): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.392:13): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.392:14): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.414:15): avc:  denied  {
>write } for  pid=4120 comm="winbindd" name="secrets.tdb" dev=dm-2
>ino=345283 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:etc_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.415:16): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.415:17): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.415:18): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>Aug 12 19:46:25 wowway kernel: audit(1123890385.415:19): avc:  denied  {
>append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
>ino=1641389 scontext=user_u:system_r:winbind_t
>tcontext=root:object_r:var_log_t tclass=file
>
>I admit that I have not had time to delve into selinux context
>structures and rules, but these denials seem to be different, at least
>so far as I can tell, from what has been reported. Please let me know if
>there is any further information that I can / need to provide.
>
>Craig
>
>
restorecon -v /var/log/winbindd.log
restorecon -v /etc/samba/secrets.tdb
Not sure what is causing the execmem for snmpd though.
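
A small triage script for the denials quoted in this thread, as an added example that is not part of the original messages: it parses each AVC line, collapses repeats, and separates file-class denials (where the on-disk label is what restorecon checks) from process-class ones such as execmem. The sample lines are copied from the post with the mail wrapping rejoined; the triage rule and function names are assumptions of this example.

```python
import re
from collections import Counter

# AVC lines from the post above, mail line-wraps rejoined (subset of the full log).
SAMPLE = """\
Aug 12 19:46:25 wowway kernel: audit(1123890385.354:3): avc:  denied  { append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2 ino=1641389 scontext=user_u:system_r:winbind_t tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:4): avc:  denied  { append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2 ino=1641389 scontext=user_u:system_r:winbind_t tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:5): avc:  denied  { append } for  pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2 ino=1641389 scontext=user_u:system_r:winbind_t tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.414:15): avc:  denied  { write } for  pid=4120 comm="winbindd" name="secrets.tdb" dev=dm-2 ino=345283 scontext=user_u:system_r:winbind_t tcontext=root:object_r:etc_t tclass=file
Aug 13 07:22:13 wowway kernel: audit(1123932133.514:20): avc:  denied  { execmem } for  pid=8352 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:snmpd_t tclass=process
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file"}

def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context here is user:role:type; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Count denials per (comm, perm, object name, target type, class)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["comm"], perm, rec.get("name", "-"),
                    rec["ttype"], rec["tclass"])] += 1
    return counts

def triage(key):
    """Heuristic assumed by this example, not SELinux policy logic."""
    if key[4] in FILE_CLASSES:
        return "file label: compare with policy using restorecon -v <path>"
    return "no file label in this check: relabeling will not change it"

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key, "->", triage(key))
```
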

