Bug 1221929
Summary: | [SELinux] Update SELinux policies for samba (connect and read access) in RHEL6.6 | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | surabhi <sbhaloth> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.6 | CC: | dwalsh, jarrpa, lvrabec, mgrepl, mmalik, plautrba, pprakash, pvrabec, rcyriac, rtalur, sbhaloth, ssekidde, tlavigne |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.7.19-268.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-07-22 07:14:15 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1212796, 1215885 | ||
Attachments: |
Description
surabhi
2015-05-15 09:33:35 UTC
Created attachment 1026645 [details]
.pp and .te file
Created attachment 1026677 [details]
AVC's for samba
---

Any idea why

```
type=AVC msg=audit(1431930685.533:100): avc: denied { name_bind } for pid=6458 comm="smbd" src=1023 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
```

is needed. Did you change it?

---

```
# find /var/lib/glusterd/ -type f -name \*.sh | xargs chcon -t bin_t
```

Above-mentioned command and the following policy module solved the majority of AVCs:

```
# cat mypolicy.te
module mypolicy 1.0;

require {
	type gluster_port_t;
	type glusterd_t;
	type hi_reserved_port_t;
	type smbd_t;
	type sysctl_net_t;
	type glusterd_conf_t;
	type virt_migration_port_t;
	class process signal;
	class dir search;
	class tcp_socket { name_bind name_connect };
	class file { getattr open read };
}

allow glusterd_t smbd_t:process signal;
allow smbd_t gluster_port_t:tcp_socket name_connect;
allow smbd_t glusterd_conf_t:dir search;
allow smbd_t hi_reserved_port_t:tcp_socket name_bind;
allow smbd_t sysctl_net_t:dir search;
allow smbd_t sysctl_net_t:file { getattr open read };
allow smbd_t virt_migration_port_t:tcp_socket name_connect;

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted mypolicy module
/usr/bin/checkmodule: loading policy configuration from tmp/mypolicy.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/mypolicy.mod
Creating targeted mypolicy.pp policy package
rm tmp/mypolicy.mod.fc tmp/mypolicy.mod
# semodule -i mypolicy.pp
#
```

---

smbd always uses port 445. However, smbd loads libgfapi from gluster. This library picks up any free port, starting from the lowest port to the highest (mostly 1 - 65535). This is not a default port number; it could very well be 980 or 5000.

---

Created attachment 1026709 [details]
all denials caught in enforcing mode on the test machine
---

```
commit a30bb467a268e913e44c43a20d486a9e6ebba126
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 19 12:50:03 2015 +0200

    Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster.
    Allow smbd to read gluster config files by default.
```

---

Comment #9 (Raghavendra Talur):

Regarding,
Allow smbd to read gluster config files by default:

Did you mean otherwise? Allow gluster to read smb config files by default? Because it is gluster scripts which edit smb.conf.

Regarding,
new boolean samba_load_libgfapi, I did not understand that. What does it do?

---

Could you please test it with https://brewweb.devel.redhat.com/taskinfo?taskID=9198180

---

Comment #11 (Miroslav Grepl):

(In reply to Raghavendra Talur from comment #9)
> Regarding,
> Allow smbd to read gluster config files by default:
>
> Did you mean otherwise? Allow gluster to read smb config files by default?
> Because it is gluster scripts which edit smb.conf.

Well I don't see AVCs related to write access to smb.conf. Could you please re-test it with the given rpms?

> Regarding,
> new boolean samba_load_libgfapi, I did not understand that. What does it do?

We don't want to allow smbd_t to connect/bind to all ports. You need to turn the samba_load_libgfapi boolean on to allow it.

---

(In reply to Miroslav Grepl from comment #11)
> (In reply to Raghavendra Talur from comment #9)
> > Regarding,
> > Allow smbd to read gluster config files by default:
> >
> > Did you mean otherwise? Allow gluster to read smb config files by default?
> > Because it is gluster scripts which edit smb.conf.
>
> Well I don't see AVCs related to write access to smb.conf. Could you please
> re-test it with given rpms?

We will test and get back to you.

> > Regarding,
> > new boolean samba_load_libgfapi, I did not understand that. What does it do?
>
> We don't want to allow smbd_t to connect/bind to all ports. You need to turn
> samba_load_libgfapi boolean on to allow it.

This makes sense. Thanks!
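
The procedure used above (collect the AVC denials, write a .te module, build it with checkmodule and load it with semodule) and the maintainer's point that smbd_t should not be allowed to bind or connect to every port type unconditionally are illustrated by the following Python script. It is an added example for this page, not code from this bug, from selinux-policy or from audit2allow: it parses AVC records in both forms that appear in this thread (raw audit.log records with epoch timestamps and `ausearch -i` output with human-readable timestamps), groups the denied permissions into allow rules, renders a .te module in the shape shown above, and flags any rule that would grant a whole port type, which is exactly the kind of rule the real fix put behind the samba_load_libgfapi boolean. The sample records are constructed from denials quoted in the thread; the `_port_t` suffix heuristic and the module name are the example's own assumptions.

```python
"""Draft a .te module from AVC denials and flag overly broad rules.

Added example for this bug page; not code from selinux-policy, audit2allow
or any commenter. The SAMPLE_AVCS text is constructed from denials quoted
in the thread, and the "whole port type" heuristic is this example's own.
"""
import re
from collections import defaultdict

# Matches both raw audit.log records (epoch timestamps) and `ausearch -i`
# output (human-readable timestamps); only the denial fields are captured.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample, adapted from denials quoted in this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(1431930685.533:100): avc: denied { name_bind } for pid=6458 comm="smbd" src=1023 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(05/20/2015 10:43:01.894:2553) : avc: denied { write } for pid=18849 comm=net name=ctdbd.socket dev=dm-0 ino=784872 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(05/26/2015 10:36:21.656:740) : avc: denied { open } for pid=26651 comm=smbd name=secrets.tdb.0 dev=dm-0 ino=532359 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file
type=AVC msg=audit(05/26/2015 10:36:21.656:741) : avc: denied { lock } for pid=26651 comm=smbd path=/var/lib/ctdb/persistent/secrets.tdb.0 dev=dm-0 ino=532359 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1431930700.101:101): avc: denied { name_connect } for pid=6458 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket
"""


def type_of(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. SYSCALL or PATH lines)
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def broad_rules(rules):
    """Rules a reviewer should not allow unconditionally: binding or
    connecting a domain to a whole port type (assumed: names ending _port_t).
    In this bug such rules were gated behind the samba_load_libgfapi boolean."""
    return sorted(
        key for key, perms in rules.items()
        if key[2] == "tcp_socket"
        and key[1].endswith("_port_t")
        and perms & {"name_bind", "name_connect"}
    )


def render_te(rules, name="mypolicy"):
    """Emit a .te module in the form checkmodule/semodule accept."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    for cls in sorted(classes):
        out.append(f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};")
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = parse_avcs(SAMPLE_AVCS)
    print(render_te(rules))
    for s, t, cls in broad_rules(rules):
        print(f"# REVIEW: {s} -> {t}:{cls} grants a whole port type; "
              f"gate it behind a boolean rather than allowing it by default")
```

The rendered module can be built and loaded exactly as in the thread (`make -f /usr/share/selinux/devel/Makefile`, then `semodule -i`), but the flagged lines deserve a second look first: a name_bind on hi_reserved_port_t or a name_connect on gluster_port_t is a much wider grant than the single denial that produced it, which is why the maintainer chose a boolean over a default allow.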
---

Please use the following builds from https://brewweb.devel.redhat.com/taskinfo?taskID=9210928

---

Some AVCs appeared during the testing with the -268.el6 policy. To get rid of them the following changes were done:

1) via semanage and restorecon

```
/var/run/ctdb(/.*)?    all files    system_u:object_r:ctdbd_var_run_t:s0
```

2) via semodule

```
# cat mypolicy2.te
module mypolicy2 1.0;

require {
	type samba_net_t;
	type ctdbd_var_run_t;
	type ctdbd_var_lib_t;
	type iptables_t;
	type smbd_t;
	class sock_file { write getattr };
	class file read;
}

allow iptables_t ctdbd_var_lib_t:file read;
allow samba_net_t ctdbd_var_run_t:sock_file { write getattr };
allow smbd_t ctdbd_var_run_t:sock_file write;
#
```

---

Tried the build provided in #C13. The issues related to smb service start, mount of gluster volume and hooks script are not seen with the fix. Saw the following issues related to ctdb:

```
type=AVC msg=audit(05/20/2015 10:43:01.894:2553) : avc: denied { write } for pid=18849 comm=net name=ctdbd.socket dev=dm-0 ino=784872 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(05/20/2015 10:46:48.983:2584) : avc: denied { read } for pid=23139 comm=iptables path=/var/lib/ctdb/iptables-ctdb.flock dev=dm-0 ino=784906 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file
```

Worked with Milos and he provided a temporary fix, so was able to continue testing from there.

---

Any chance to run it also in permissive mode?

---

While running in permissive mode, stop of the ctdb/smb service throws the following AVC:

```
type=AVC msg=audit(05/20/2015 11:50:35.957:2659) : avc: denied { getattr } for pid=23451 comm=net path=/var/lib/ctdb/serverid.tdb.0 dev=dm-0 ino=784904 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file
```

---

Some AVCs appeared in permissive mode. The following rules were suggested by audit2allow:

```
allow samba_net_t ctdbd_t:unix_stream_socket connectto;
allow samba_net_t ctdbd_var_lib_t:file { write getattr setattr read lock open };
```

Created attachment 1027682 [details]
first we tested in enforcing mode and here are the AVCs

Created attachment 1027683 [details]
then we tested in permissive mode and here are the AVCs
---

Just hopping in to say LGTM! :) The rules look sane and correct.

---

Created attachment 1028708 [details]
latest AVC's for smbd

Tried with build https://brewweb.devel.redhat.com/buildinfo?buildID=436995. Still see the following AVCs:

```
type=AVC msg=audit(05/26/2015 02:52:04.043:139) : avc: denied { write } for pid=8522 comm=net name=ctdbd.socket dev=dm-0 ino=654184 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(05/26/2015 02:52:04.045:140) : avc: denied { getattr } for pid=8522 comm=net path=/var/run/ctdb/ctdbd.socket dev=dm-0 ino=654184 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(05/26/2015 10:36:21.655:739) : avc: denied { search } for pid=26651 comm=smbd name=ctdb dev=dm-0 ino=261321 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(05/26/2015 10:36:21.656:740) : avc: denied { open } for pid=26651 comm=smbd name=secrets.tdb.0 dev=dm-0 ino=532359 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file
type=AVC msg=audit(05/26/2015 10:36:21.656:741) : avc: denied { lock } for pid=26651 comm=smbd path=/var/lib/ctdb/persistent/secrets.tdb.0 dev=dm-0 ino=532359 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file
type=AVC msg=audit(05/26/2015 10:36:21.656:742) : avc: denied { getattr } for pid=26651 comm=smbd path=/var/lib/ctdb/persistent/secrets.tdb.0 dev=dm-0 ino=532359 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file
```

---

With the latest build provided by selinux, still seeing the following AVCs:

```
type=AVC msg=audit(05/27/2015 12:14:28.880:2282) : avc: denied { write } for pid=5851 comm=smbd name=ctdbd.socket dev=dm-0 ino=532335 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(05/27/2015 12:14:28.880:2282) : avc: denied { search } for pid=5851 comm=smbd name=ctdb dev=dm-0 ino=532320 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_run_t:s0 tclass=dir
```

---

With the latest build provided today by Miroslav, https://brewweb.devel.redhat.com/buildinfo?buildID=437561, none of the AVCs are seen for gluster-samba. Verified with both enforcing mode and permissive mode.

---

This has been verified on RHEL 6.7. Need a backport for RHEL 6.6, and a fix is required for RHEL 7.1 as well.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html