Re: SELinux preventing login (Fedora 16)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On Fri, 2012-04-13 at 10:31 -0400, Daniel J Walsh wrote:

[snip]

> Basically in Fedora 16 we turned off the ability for apps that did getpw()
> from being able to connect to the ldap port, by default.  Turning that boolean
> on, allows all domains that call getpw to connect to the ldap port.  We turned
> this off because sssd now connects to ldap if it is setup and apps calling
> getpw talk to sssd rather then ldap.  We have seen some daemons (samba) that
> talk directly that we have broken with this change, but I believe the fixes
> are going into Fedora now.

Is this such an example?  I get this when using system-config-samba.

        SELinux is preventing /usr/bin/python from open access on the chr_file urandom.
        
        *****  Plugin catchall_boolean (47.5 confidence) suggests  *******************
        
        If you want to allow users to login using a sssd server
        Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap'boolean.
        Do
        setsebool -P authlogin_nsswitch_use_ldap 1
        
        *****  Plugin catchall_boolean (47.5 confidence) suggests  *******************
        
        If you want to enable reading of urandom for all domains.
        Then you must tell SELinux about this by enabling the 'global_ssp'boolean.
        Do
        setsebool -P global_ssp 1
        
        *****  Plugin catchall (6.38 confidence) suggests  ***************************
        
        If you believe that python should be allowed open access on the urandom chr_file by default.
        Then you should report this as a bug.
        You can generate a local policy module to allow this access.
        Do
        allow this access for now by executing:
        # grep system-config-s /var/log/audit/audit.log | audit2allow -M mypol
        # semodule -i mypol.pp
        
        Additional Information:
        Source Context                system_u:system_r:sambagui_t:s0-s0:c0.c1023
        Target Context                system_u:object_r:urandom_device_t:s0
        Target Objects                urandom [ chr_file ]
        Source                        system-config-s
        Source Path                   /usr/bin/python
        Port                          <Unknown>
        Host                          rail.endoframe.net
        Source RPM Packages           python-2.7.2-5.2.fc16.x86_64
        Target RPM Packages           
        Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
        Selinux Enabled               True
        Policy Type                   targeted
        Enforcing Mode                Permissive
        Host Name                     rail.endoframe.net
        Platform                      Linux rail.endoframe.net 3.3.1-5.fc16.x86_64 #1
                                      SMP Tue Apr 10 19:56:52 UTC 2012 x86_64 x86_64
        Alert Count                   2
        First Seen                    Mon 16 Apr 2012 06:49:45 PM EDT
        Last Seen                     Mon 16 Apr 2012 06:52:51 PM EDT
        Local ID                      331208b1-df87-4aa1-bddf-60ae4685f12d
        
        Raw Audit Messages
        type=AVC msg=audit(1334616771.522:793): avc:  denied  { open } for  pid=16042 comm="system-config-s" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:sambagui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
        
        
        type=SYSCALL msg=audit(1334616771.522:793): arch=x86_64 syscall=open success=yes exit=ECHILD a0=148c4d0 a1=0 a2=1ff a3=20 items=0 ppid=16041 pid=16042 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=system-config-s exe=/usr/bin/python subj=system_u:system_r:sambagui_t:s0-s0:c0.c1023 key=(null)
        
        Hash: system-config-s,sambagui_t,urandom_device_t,chr_file,open
        
        audit2allow
        
        #============= sambagui_t ==============
        #!!!! This avc can be allowed using one of the these booleans:
        #     authlogin_nsswitch_use_ldap, global_ssp
        
        allow sambagui_t urandom_device_t:chr_file open;
        
        audit2allow -R
        
        #============= sambagui_t ==============
        #!!!! This avc can be allowed using one of the these booleans:
        #     authlogin_nsswitch_use_ldap, global_ssp
        
        allow sambagui_t urandom_device_t:chr_file open;


-- 
Braden McDaniel <braden@xxxxxxxxxxxxx>

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org



Photo 4 Less

[Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Find Someone Special]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

Add to Google Powered by Linux