Bug 1218902

Summary: [SELinux] [SMB]: RHEL7.1- SELinux policy for all AVC's on Samba and CTDB
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: surabhi <sbhaloth>
Component: samba
Assignee: Jose A. Rivera <jarrpa>
Status: CLOSED ERRATA
QA Contact: surabhi <sbhaloth>
Severity: urgent
Priority: urgent
Version: rhgs-3.1
CC: nlevinki, pprakash, rjoseph, vagarwal
Target Milestone: ---
Target Release: RHGS 3.1.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: SELinux
Fixed In Version: selinux-policy-3.13.1-23.el7_1.12
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-07-29 04:42:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1202842, 1212796

Description surabhi 2015-05-06 07:32:11 UTC
Description of problem:

Mount fails on smb client when selinux is running in enforcing mode.

Error:
****************************

mount -t cifs :/gluster-vol1 /mnt/cifs
WARNING: using NFS syntax for mounting CIFS shares is deprecated and will be removed in cifs-utils-6.0. Please migrate to UNC syntax.
Password: 
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Logs:
****************************
Apr 29 04:27:12 dhcp159-232.sbu.lab.eng.bos.redhat.com smbd[30091]: STATUS=daemon 'smbd' finished starting up and ready to serve connectionsvol1: Failed to initialize volume (Transport endpoint is not connected)
Apr 29 04:27:13 dhcp159-232.sbu.lab.eng.bos.redhat.com smbd[30091]: [2015/04/29 04:27:13.074392,  0] ../source3/smbd/service.c:670(make_connection_snum)
Apr 29 04:27:13 dhcp159-232.sbu.lab.eng.bos.redhat.com smbd[30091]: make_connection: VFS make connection failed!


AVC:
********************************
type=AVC msg=audit(1430296032.091:611): avc:  denied  { name_connect } for  pid=30091 comm="smbd" dest=24007 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1430296032.091:612): avc:  denied  { block_suspend } for  pid=30096 comm="smbd" capability=36  scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability2

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Version-Release number of selected component (if applicable):
samba-4.1.17-5.el6.x86_64


How reproducible:
******************
Always

Steps to Reproduce:
*******************
1. Set up Samba on RHEL7 and create a volume.
2. Mount it on an SMB client.
3. Check the logs.

Actual results:
*****************
Mount fails with I/O error. Got AVC denials.

Expected results:
******************
Mount should not fail.


Additional info:

When tried in permissive mode, mount succeeds.

Comment 4 surabhi 2015-06-25 11:19:34 UTC
On a CTDB setup on RHEL7.1, I still see the following AVCs.

type=SYSCALL msg=audit(06/25/2015 06:19:22.207:22288) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x3e08 a1=SIG0 a2=0x0 a3=0x0 items=0 ppid=1 pid=15386 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ctdbd exe=/usr/sbin/ctdbd subj=system_u:system_r:ctdbd_t:s0 key=(null) 
type=AVC msg=audit(06/25/2015 06:19:22.207:22288) : avc:  denied  { signull } for  pid=15386 comm=ctdbd scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process 
----
type=SYSCALL msg=audit(06/25/2015 06:19:32.566:22290) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fff1c104608 a1=0x7fff1c1049c8 a2=0x7fff1c104a18 a3=0x7fff1c104440 items=0 ppid=16753 pid=16754 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(06/25/2015 06:19:32.566:22290) : avc:  denied  { read } for  pid=16754 comm=iptables path=/var/lib/ctdb/iptables-ctdb.flock dev="dm-0" ino=67681652 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file

Comment 5 surabhi 2015-07-20 08:54:10 UTC
With the policy build
selinux-policy-3.13.1-23.el7_1.10.noarch
selinux-policy-targeted-3.13.1-23.el7_1.10.noarch
I still see AVCs in the logs.

type=AVC msg=audit(07/20/2015 03:29:05.507:1188) : avc:  denied  { block_suspend } for  pid=16066 comm=smbd capability=block_suspend  scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability2
type=AVC msg=audit(07/20/2015 03:29:05.512:1189) : avc:  denied  { net_admin } for  pid=16066 comm=smbd capability=net_admin  scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability 

The fixes are in the build selinux-policy-3.13.1-33.el7 of RHEL7.2 which needs to be backported to RHEL7.1.z.
Moving the bz to assigned until we get a new selinux policy build for RHEL7.1.z
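Added example, not code from the bug report, from Samba/CTDB or from Red Hat's selinux-policy package: a POSIX shell script that turns AVC records like the ones quoted in the description and in comments 4 and 5 into SELinux allow rules and a minimal loadable module source, roughly what `audit2allow -M` produces, but without needing the SELinux userland on the machine that runs it. It is the stopgap an administrator would reach for while waiting on the fixed selinux-policy-3.13.1-23.el7_1.12 build. The sample records are copied from this bug; the module name rhgs_samba_local is an assumption.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Red Hat's selinux-policy.
# Converts AVC denial records into allow rules and a .te module source, the
# way audit2allow does, so the rules can be reviewed before anything is loaded.
LC_ALL=C
export LC_ALL

# Sample AVC records copied from the bug report (description, comments 4 and 5).
AVC_SAMPLE='type=AVC msg=audit(1430296032.091:611): avc:  denied  { name_connect } for  pid=30091 comm="smbd" dest=24007 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1430296032.091:612): avc:  denied  { block_suspend } for  pid=30096 comm="smbd" capability=36  scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability2
type=AVC msg=audit(06/25/2015 06:19:22.207:22288) : avc:  denied  { signull } for  pid=15386 comm=ctdbd scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process
type=AVC msg=audit(06/25/2015 06:19:32.566:22290) : avc:  denied  { read } for  pid=16754 comm=iptables path=/var/lib/ctdb/iptables-ctdb.flock dev="dm-0" ino=67681652 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file
type=AVC msg=audit(07/20/2015 03:29:05.512:1189) : avc:  denied  { net_admin } for  pid=16066 comm=smbd capability=net_admin  scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability'

# avc_to_allow: read audit records on stdin and print one deduplicated
# "allow SRC TGT:CLASS { PERMS };" line per denial. A denial whose source and
# target domain are the same (the capability ones above) is written with "self".
avc_to_allow() {
  grep 'avc: *denied' | awk '
  {
    perms = ""; inperm = 0; src = ""; tgt = ""; cls = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { inperm = 1; continue }
      if ($i == "}") { inperm = 0; continue }
      if (inperm)    { perms = (perms == "" ? $i : perms " " $i); continue }
      # a context is user:role:TYPE:level; the type is the third component
      if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
      if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    if (src == "" || tgt == "" || cls == "" || perms == "") next
    if (src == tgt) tgt = "self"
    printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
  }' | sort -u
}

# avc_to_te: wrap the rules in a module source with the require block that
# checkmodule needs. Fails if stdin carried no denials. The default module
# name is an assumption for this example.
avc_to_te() {
  modname=${1:-rhgs_samba_local}
  rules=$(avc_to_allow)
  [ -n "$rules" ] || { echo "no AVC denials on stdin" >&2; return 1; }
  printf 'module %s 1.0;\n\nrequire {\n' "$modname"
  # every source and target type, except the "self" placeholder
  printf '%s\n' "$rules" | awk '{
    print "    type " $2 ";"
    split($3, t, ":"); if (t[1] != "self") print "    type " t[1] ";"
  }' | sort -u
  # every object class with the union of the permissions requested on it
  printf '%s\n' "$rules" | awk '{
    split($3, t, ":"); for (i = 5; i < NF; i++) print t[2], $i
  }' | sort -u | awk '
    $1 != cur { if (cur != "") printf " };\n"; cur = $1; printf "    class %s {", cur }
    { printf " %s", $2 }
    END { if (cur != "") printf " };\n" }'
  printf '}\n\n%s\n' "$rules"
}

# Stand-alone run: print the module source built from the sample records.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te rhgs_samba_local
```

On the RHGS node the generated source is compiled and loaded with `checkmodule -M -m -o rhgs_samba_local.mod rhgs_samba_local.te && semodule_package -o rhgs_samba_local.pp -m rhgs_samba_local.mod && semodule -i rhgs_samba_local.pp`. Two caveats apply. The rules grant exactly what the audit log asked for, and net_admin and block_suspend are broad capabilities for smbd to hold, so read the output before loading it; policy maintainers often prefer a dontaudit for block_suspend over an allow. And once the errata build of selinux-policy is installed, confirm the base policy now carries the rule, for instance with `sesearch -A -s smbd_t -t gluster_port_t -c tcp_socket -p name_connect`, then remove the local module with `semodule -r rhgs_samba_local` so it does not mask a future regression of the vendor policy.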

Comment 6 surabhi 2015-07-21 09:17:55 UTC
After updating to selinux-policy-3.13.1-23.el7_1.12 and performing CTDB setup, CTDB failover cases and AD integration, all works fine and there are no AVCs seen on the RHEL7-based RHGS ISO.

Moving the BZ to verified.

Comment 7 errata-xmlrpc 2015-07-29 04:42:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html