fedora-list Digest, Vol 10, Issue 384

Fri Dec 24 18:25:02 UTC 2004

I have just applied the latest updates to a Fedora Core 3 box using 
up2date -uf.
This server runs Samba and is configured to integrate with an Active 
Directory domain.
Soon after the upgrade users started complaining that there where no 
more able to gain access to shared resources.

I have checked /var/log/messages and I have found those errors:
Dec 24 18:07:27 sbifs01 kernel: audit(1103908047.911:0): avc:  denied  { 
append } for  pid=3285 exe=/usr/sbin/winbindd name=winbindd.log dev=md0 
ino=38153 sco
ntext=root:system_r:winbind_t tcontext=user_u:object_r:var_log_t tclass=file
Dec 24 18:07:27 sbifs01 kernel: audit(1103908047.913:0): avc:  denied  { 
append } for  pid=3285 exe=/usr/sbin/winbindd name=winbindd.log dev=md0 
ino=38153 sco
ntext=root:system_r:winbind_t tcontext=user_u:object_r:var_log_t tclass=file
Dec 24 18:07:27 sbifs01 kernel: audit(1103908047.913:0): avc:  denied  { 
append } for  pid=3285 exe=/usr/sbin/winbindd name=winbindd.log dev=md0 
ino=38153 sco
ntext=root:system_r:winbind_t tcontext=user_u:object_r:var_log_t tclass=file
Dec 24 18:07:27 sbifs01 kernel: audit(1103908047.914:0): avc:  denied  { 
append } for  pid=3285 exe=/usr/sbin/winbindd name=winbindd.log dev=md0 
ino=38153 sco
ntext=root:system_r:winbind_t tcontext=user_u:object_r:var_log_t tclass=file
Dec 24 18:07:27 sbifs01 last message repeated 2 times
Dec 24 18:07:27 sbifs01 kernel: audit(1103908047.915:0): avc:  denied  { 
append } for  pid=3285 exe=/usr/sbin/winbindd name=winbindd.log dev=md0 
ino=38153 sco
ntext=root:system_r:winbind_t tcontext=user_u:object_r:var_log_t tclass=file
Dec 24 18:07:27 sbifs01 kernel: audit(1103908047.916:0): avc:  denied  { 
append } for  pid=3285 exe=/usr/sbin/winbindd name=winbindd.log dev=md0 
ino=38153 sco
ntext=root:system_r:winbind_t tcontext=user_u:object_r:var_log_t tclass=file
Dec 24 18:07:27 sbifs01 kernel: audit(1103908047.917:0): avc:  denied  { 
append } for  pid=3285 exe=/usr/sbin/winbindd name=winbindd.log dev=md0 
ino=38153 sco
ntext=root:system_r:winbind_t tcontext=user_u:object_r:var_log_t tclass=file
Dec 24 18:07:28 sbifs01 kernel: audit(1103908048.054:0): avc:  denied  { 
append } for  pid=3285 exe=/usr/sbin/winbindd name=winbindd.log dev=md0 
ino=38153 sco
ntext=root:system_r:winbind_t tcontext=user_u:object_r:var_log_t tclass=file
Dec 24 18:07:28 sbifs01 kernel: audit(1103908048.055:0): avc:  denied  { 
append } for  pid=3285 exe=/usr/sbin/winbindd name=winbindd.log dev=md0 
ino=38153 sco
ntext=root:system_r:winbind_t tcontext=user_u:object_r:var_log_t tclass=file
Dec 24 18:07:28 sbifs01 kernel: audit(1103908048.056:0): avc:  denied  { 
append } for  pid=3285 exe=/usr/sbin/winbindd name=winbindd.log dev=md0 
ino=38153 sco
ntext=root:system_r:winbind_t tcontext=user_u:object_r:var_log_t tclass=file

I realized that this problem should be related to the latest SELinux 
policies, I have checked which one is installed and I have found 
selinux-policy-targeted-1.17.30-2.58
Not knowing enough about SELinux policy, how are released, how are 
designed and how to edit AND having services to provide to users I have 
temporarelly disabled SELinux setting "permissive" in /etc/selinux/config

Now I would like to get somebody else opinion about this problem, it's 
that a mistake of who designed policies? It's quite normal and the 
server administrator must appropriatelly edit policies?

Any suggestion will be greatly appreciated

Thanks
Gianni Bragante