Bug 1215885

Summary: [SELinux] SMB: WIth selinux in enforcing mode the mount to a gluster volume on cifs fails with i/o error.
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: surabhi <sbhaloth>
Component: sambaAssignee: Jose A. Rivera <jarrpa>
Status: CLOSED ERRATA QA Contact: surabhi <sbhaloth>
Severity: urgent Docs Contact:
Priority: urgent    
Version: rhgs-3.1CC: annair, asrivast, mgrepl, mmalik, nlevinki, pprakash, rcyriac, rhs-smb, rjoseph, sbhaloth, vagarwal
Target Milestone: ---   
Target Release: RHGS 3.1.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: SELinux
Fixed In Version: selinux-policy-3.7.19-271.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-29 04:42:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1221929    
Bug Blocks: 1202842, 1212796    
Attachments:
Description Flags
AVC's for virt_migration and sysctl_net none

Description surabhi 2015-04-28 05:18:15 UTC 
Description of problem:

While mounting a volume on linux cifs client or accessing the share via windows client fails when selinux is set to enforcing mode.

mount -t cifs serverip:/gluster-vol2 /mnt/samba/vol2
WARNING: using NFS syntax for mounting CIFS shares is deprecated and will be removed in cifs-utils-6.0. Please migrate to UNC syntax.
Password: 
mount error(5): Input/output error

snippet from avc logs:

type=AVC msg=audit(1430194961.550:7943): avc:  denied  { name_connect } for  pid=25381 comm="smbd" dest=24007 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket


type=AVC msg=audit(1430194961.550:7942): avc:  denied  { name_bind } for  pid=25381 comm="smbd" src=1023 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1430194961.550:7942): arch=c000003e syscall=49 success=no exit=-13 a0=22 a1=7fb5242c3150 a2=10 a3=726f702064657672 items=0 ppid=25113 pid=25381 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1187 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Do samba setup, create a volume , set selinux to enforcing mode
2. mount volume on cifs client or try accesing the share from windows client
3. 

Actual results:

Mount fails with input/output error.
AVC denied messages for smb to connect to port 24007


Expected results:
mount should succeed.no avc denials for connect should be present.


Additional info:
Comment 2 Prasanth 2015-04-28 12:42:08 UTC 
Surabhi,

Thanks for sharing your test system. I've gone through the logs and did some basic troubleshooting around this issue and was able to narrow down to the issues given below that caused the mount to fail:

####
SELinux is preventing /usr/sbin/smbd from read access on the file

SELinux is preventing /usr/sbin/smbd from name_connect access on the tcp_socket
####

To unblock you temporarily, I've generated a couple of local policy modules and applied on your system. After activating those policy packages [1] and [2], I was able to successfully mount the volume. See below:

########
[root@dhcp ]# semodule -i mypol2.pp
[root@dhcp ]# mount -t cifs 10.16.159.154:/gluster-vol2 /mnt/samba/vol2
WARNING: using NFS syntax for mounting CIFS shares is deprecated and will be removed in cifs-utils-6.0. Please migrate to UNC syntax.
Password: 
[root@dhcp ]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_dhcp159154-lv_root
                       43G  8.1G   33G  20% /
tmpfs                  16G     0   16G   0% /dev/shm
/dev/vda1             477M   64M  389M  14% /boot
/dev/mapper/RHS_vg1-RHS_lv1
                       98G  560M   97G   1% /rhs/brick1
10.16.159.154:/gluster-vol2
                      389G  3.2G  386G   1% /mnt/samba/vol2
########


Local policy modules:

[1]
-----------
module mypol1 1.0;

require {
        type sysctl_net_t;
        type gluster_port_t;
        type smbd_t;
        class tcp_socket name_connect;
        class dir search;
}

#============= smbd_t ==============
allow smbd_t gluster_port_t:tcp_socket name_connect;
allow smbd_t sysctl_net_t:dir search;
-----------

[2]
-----------
module mypol2 1.0;

require {
        type sysctl_net_t;
        type smbd_t;
        type virt_migration_port_t;
        class tcp_socket name_connect;
        class file read;
}

#============= smbd_t ==============
allow smbd_t sysctl_net_t:file read;
allow smbd_t virt_migration_port_t:tcp_socket name_connect;
-----------

Please try running your rest of your tests in the same system and do let me know if you are able to proceed further or it fails elsewhere.


PS: Please note that these are just temporary local policy modules generated just to unblock your testing and hence please don't consider it as a permanent solution until you hear from the devel and SELinux teams. You should be definitely getting a proper fix for this issue soon from the samba devel or SELinux team.

Thanks,
Prasanth
Comment 3 Milos Malik 2015-04-29 11:26:11 UTC 
The local policy modules are OK, but I would like to see the AVCs which contain virt_migration_port_t and sysctl_net_t. Could you attach them?
Comment 4 Miroslav Grepl 2015-05-15 09:04:44 UTC 
Also could you create a policy bug for them?
Comment 5 surabhi 2015-05-15 09:12:26 UTC 
The AVC logs are as follows:

type=AVC msg=audit(1428576324.441:349): avc:  denied  { name_connect } for  pid=14176 comm="smbd" dest=49152 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:virt_migration_port_t:s0 tclass=tcp_socket


type=AVC msg=audit(1428649951.586:1250): avc:  denied  { search } for  pid=29022 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

Creating policy bug.
Comment 6 surabhi 2015-05-15 09:20:52 UTC 
Created attachment 1025720 [details]
AVC's for virt_migration and sysctl_net
Comment 7 Miroslav Grepl 2015-05-15 09:30:12 UTC 
(In reply to Miroslav Grepl from comment #4)
> Also could you create a policy bug for them?

I meant this comment.
Comment 8 surabhi 2015-05-15 09:36:11 UTC 
Created BZ 1221929. Let me know if you need any other info in the bug.
Comment 9 surabhi 2015-05-25 09:38:49 UTC 
As per selinux dev the fix for this is to be done while building rpm for samba for rhgs.
The following boolean is to be set:
set boolean Setsebool -P samba_load_libgfapi 1.
Comment 10 surabhi 2015-06-08 13:18:12 UTC 
Install RHEl6.7, Install downstream gluster rpms,
Install latest samba rpms's 
install selinux latest rpms: selinux-policy-3.7.19-271.el6

start a volume , mount it on cifs.
There are no AVC's seen related to smb and mount succeeded.
Marking the BZ to verified.
Comment 11 errata-xmlrpc 2015-07-29 04:42:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html