| 1 |
I'm trying to track down a bunch of AVC denials related to winbindd on |
| 2 |
one of our file servers, and I'm confused as to how winbindd is supposed |
| 3 |
to work with SELinux. Specifically, it looks like the UNIX pipe used to |
| 4 |
talk to winbindd is in a different place on my system than SELinux |
| 5 |
expects to find it. |
| 6 |
|
| 7 |
I have a pipe in /tmp/.winbindd/pipe which was labelled winbind_tmp_t. |
| 8 |
However, when I check the file_contexts file, and the .fc files from the |
| 9 |
reference policy, I don't see any mention of /tmp/.winbindd. So my |
| 10 |
first question is, how is this file getting a label that doesn't seem to |
| 11 |
exist in the policy? |
| 12 |
|
| 13 |
More importantly, the interface file for samba includes an interface |
| 14 |
macro to grant access to winbind's communication pipe, but it looks like |
| 15 |
this: |
| 16 |
|
| 17 |
interface(`samba_stream_connect_winbind',` |
| 18 |
gen_require(` |
| 19 |
type samba_var_t, winbind_t, winbind_var_run_t; |
| 20 |
') |
| 21 |
|
| 22 |
files_search_pids($1) |
| 23 |
allow $1 samba_var_t:dir search_dir_perms; |
| 24 |
|
| 25 |
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t) |
| 26 |
') |
| 27 |
|
| 28 |
I don't see any mention of winbind_tmp_t there, but I do see |
| 29 |
winbind_var_run_t. I've also seen other posts to this list that seem to |
| 30 |
indicate winbind creates it's UNIX pipe in /var/run/winbindd, which *is* |
| 31 |
listed in file_contexts but isn't anywhere on my system. The |
| 32 |
documentation for samba also makes no mention of /var/run/winbindd, but |
| 33 |
does specifically mention /tmp/.winbindd. |
| 34 |
|
| 35 |
Is there something I missed when installing samba, or some setting for |
| 36 |
winbindd that I overlooked? |
| 37 |
|
| 38 |
Thanks for any help, |
| 39 |
|
| 40 |
--Mike |
| 41 |
-- |
| 42 |
gentoo-hardened@l.g.o mailing list |
Archives