Re: SELinux preventing login (Fedora 16)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/16/2012 10:07 PM, Braden McDaniel wrote:
> On Fri, 2012-04-13 at 10:31 -0400, Daniel J Walsh wrote:
>
> [snip]
>
>> Basically in Fedora 16 we turned off the ability for apps that did
>> getpw() from being able to connect to the ldap port, by default. Turning
>> that boolean on allows all domains that call getpw to connect to the
>> ldap port. We turned this off because sssd now connects to ldap if it is
>> set up and apps calling getpw talk to sssd rather than ldap. We have seen
>> some daemons (samba) that talk directly that we have broken with this
>> change, but I believe the fixes are going into Fedora now.
>
Yes, it certainly looks like we should allow sambagui_t to access the ldap
server without turning on the boolean.
> Is this such an example? I get this when using system-config-samba.
>
> SELinux is preventing /usr/bin/python from open access on the chr_file urandom.
>
> ***** Plugin catchall_boolean (47.5 confidence) suggests *******************
>
> If you want to allow users to login using a sssd server
> Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.
> Do
> setsebool -P authlogin_nsswitch_use_ldap 1
>
> ***** Plugin catchall_boolean (47.5 confidence) suggests *******************
>
> If you want to enable reading of urandom for all domains.
> Then you must tell SELinux about this by enabling the 'global_ssp' boolean.
> Do
> setsebool -P global_ssp 1
>
> ***** Plugin catchall (6.38 confidence) suggests ***************************
>
> If you believe that python should be allowed open access on the urandom chr_file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep system-config-s /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context                system_u:system_r:sambagui_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:urandom_device_t:s0
> Target Objects                urandom [ chr_file ]
> Source                        system-config-s
> Source Path                   /usr/bin/python
> Port                          <Unknown>
> Host                          rail.endoframe.net
> Source RPM Packages           python-2.7.2-5.2.fc16.x86_64
> Target RPM Packages
> Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Host Name                     rail.endoframe.net
> Platform                      Linux rail.endoframe.net 3.3.1-5.fc16.x86_64 #1 SMP Tue Apr 10 19:56:52 UTC 2012 x86_64 x86_64
> Alert Count                   2
> First Seen                    Mon 16 Apr 2012 06:49:45 PM EDT
> Last Seen                     Mon 16 Apr 2012 06:52:51 PM EDT
> Local ID                      331208b1-df87-4aa1-bddf-60ae4685f12d
>
> Raw Audit Messages
>
> type=AVC msg=audit(1334616771.522:793): avc: denied { open } for pid=16042 comm="system-config-s" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:sambagui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
>
> type=SYSCALL msg=audit(1334616771.522:793): arch=x86_64 syscall=open success=yes exit=ECHILD a0=148c4d0 a1=0 a2=1ff a3=20 items=0 ppid=16041 pid=16042 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=system-config-s exe=/usr/bin/python subj=system_u:system_r:sambagui_t:s0-s0:c0.c1023 key=(null)
>
> Hash: system-config-s,sambagui_t,urandom_device_t,chr_file,open
>
> audit2allow
>
> #============= sambagui_t ==============
> #!!!! This avc can be allowed using one of these booleans:
> #     authlogin_nsswitch_use_ldap, global_ssp
>
> allow sambagui_t urandom_device_t:chr_file open;
>
> audit2allow -R
>
> #============= sambagui_t ==============
> #!!!! This avc can be allowed using one of these booleans:
> #     authlogin_nsswitch_use_ldap, global_ssp
>
> allow sambagui_t urandom_device_t:chr_file open;
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk+NYc4ACgkQrlYvE4MpobMCiwCgysm2rDbGq/aA2fA5ig7SIH1S
xo4An1A2gqtY3pRPEY2vuUraGB8CS5/A
=StFz
-----END PGP SIGNATURE-----
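The raw AVC and SYSCALL records in the alert above are what audit2allow reads before it prints its `allow` rule. The script below is an added example for this thread; it is not part of the original messages and not audit2allow's own code. It parses AVC records in the form they take in /var/log/audit/audit.log, joins each to its SYSCALL record by audit serial number, and emits the same `allow sambagui_t urandom_device_t:chr_file open;` rule the post shows, merging permissions for the same source/target/class triple the way audit2allow does. The embedded sample log is the two records quoted in the post, rejoined onto one line each. It also flags denials whose SYSCALL record says `success=yes`: that is the signature of a host running in permissive mode (the alert reports "Enforcing Mode Permissive"), where the access is logged but still granted. The boolean hint audit2allow prints needs the installed policy and is not reproduced here.

```python
"""Parse raw SELinux AVC denials and summarize them as allow rules.

Added example for the thread above; not audit2allow's code.  Works on the
record format found in /var/log/audit/audit.log.
"""
import re
from collections import defaultdict

# Constructed sample: the AVC and SYSCALL records quoted in the post,
# rejoined onto one line each as audit.log would hold them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1334616771.522:793): avc:  denied  { open } for  pid=16042 comm="system-config-s" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:sambagui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1334616771.522:793): arch=x86_64 syscall=open success=yes exit=ECHILD a0=148c4d0 a1=0 a2=1ff a3=20 items=0 ppid=16041 pid=16042 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=system-config-s exe=/usr/bin/python subj=system_u:system_r:sambagui_t:s0-s0:c0.c1023 key=(null)
"""

# AVC line: "type=AVC msg=audit(<ts>:<serial>): avc:  denied  { perms } for  k=v ..."
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)'
)
SERIAL_RE = re.compile(r'audit\([\d.]+:(\d+)\)')
# key=value pairs; values may be quoted ("system-config-s") or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'a=1 b="two"' into {'a': '1', 'b': 'two'}."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context):
    """Extract the type from a full context: user:role:type:range -> type."""
    return context.split(':')[2]


def parse_avc_denials(log_text):
    """Return one dict per AVC denial, enriched with fields from the SYSCALL
    record that shares its audit serial (exe, success)."""
    denials, syscalls = [], {}
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m:
            f = parse_kv(m.group('rest'))
            denials.append({
                'serial': m.group('serial'),
                'perms': m.group('perms').split(),
                'comm': f.get('comm'),
                'stype': type_of(f['scontext']),
                'ttype': type_of(f['tcontext']),
                'tclass': f['tclass'],
                'target': f.get('name') or f.get('path'),
            })
        elif line.startswith('type=SYSCALL'):
            serial = SERIAL_RE.search(line).group(1)
            syscalls[serial] = parse_kv(line)
    for d in denials:
        sc = syscalls.get(d['serial'], {})
        d['success'] = sc.get('success')
        d['exe'] = sc.get('exe')
    return denials


def allow_rules(denials):
    """Collapse denials into 'allow src tgt:class perms;' rules, merging the
    permissions of every denial that shares a (source, target, class) triple."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        joined = ' '.join(sorted(perms))
        perms_str = joined if len(perms) == 1 else '{ ' + joined + ' }'
        rules.append(f'allow {s} {t}:{c} {perms_str};')
    return rules


def permissive_hits(denials):
    """Denials whose SYSCALL record reports success=yes: the operation was
    logged but still allowed, which is what a permissive host produces."""
    return [d for d in denials if d['success'] == 'yes']


if __name__ == '__main__':
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(found):
        print(rule)
    for d in permissive_hits(found):
        print(f"# serial {d['serial']} ({d['comm']} -> {d['target']}) "
              f"succeeded anyway: host is in permissive mode")
```

Run it against a real log with `grep system-config-s /var/log/audit/audit.log` piped into `parse_avc_denials`; the merged rule is the starting point for deciding whether an existing boolean already covers the access or, as Dan says above, whether the policy itself should be fixed for sambagui_t.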
--
users mailing list