Bug 1224879

Summary: [SELinux] RHEL7:SMB:Update SELinux policies for samba in RHEL7.2
Product: Red Hat Enterprise Linux 7
Reporter: Prasanth <pprakash>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: urgent
Priority: unspecified
Version: 7.1
CC: annair, jkurik, lvrabec, mgrepl, mmalik, nlevinki, plautrba, pprakash, pvrabec, rcyriac, rhs-smb, rtalur, sbhaloth, ssekidde, storage-qa-internal
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-32.el7
Doc Type: Bug Fix
Story Points: ---
Clone Of: 1216941
Clones: 1231942
Last Closed: 2015-11-19 10:35:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1216941
Bug Blocks: 1212796, 1231942, 1236980, 1241095

Attachments: AVC logs; heart beat related denials?; mount related denials; ctdb service related; ctdb service related2; without samba install; AVC's

Description Prasanth 2015-05-26 05:59:33 UTC
+++ This bug was initially created as a clone of Bug #1216941 +++

Description of problem:

With SELinux in enforcing mode, when we start the gluster volume, the samba start hook script fails to execute and does not create the share in smb.conf.

If we try to start the smb service without using the hook script, the smb service start succeeds.

But if we create a volume and start it, after which the hook scripts are expected to run and create the samba share in smb.conf, it doesn't work and fails with the following errors.

If the same test is run in permissive mode, the hook scripts execute successfully and the share gets created in smb.conf.

The errors in the glusterd logs are as follows:

[2015-04-29 06:30:16.070804] E [run.c:190:runner_log] (--> /lib64/libglusterfs.so.0(_gf_log_callingfn+0x186)[0x7f75bdd2c116] (--> /lib64/libglusterfs.so.0(runner_log+0xfc)[0x7f75bdd7919c] (--> /usr/lib64/glusterfs/3.7.0alpha0/xlator/mgmt/glusterd.so(glusterd_hooks_run_hooks+0x47a)[0x7f75b2c2a1ba] (--> /usr/lib64/glusterfs/3.7.0alpha0/xlator/mgmt/glusterd.so(+0xd0772)[0x7f75b2c2a772] (--> /lib64/libpthread.so.0(+0x7df5)[0x7f75bce9bdf5] ))))) 0-management: Failed to execute script: /var/lib/glusterd/hooks/1/start/post/S30samba-start.sh --volname=vol1 --first=yes --version=1 --volume-op=start --gd-workdir=/var/lib/glusterd


The AVC denials are as follows:
type=AVC msg=audit(1430289182.264:582): avc:  denied  { getattr } for  pid=29427 comm="glusterd" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file


type=AVC msg=audit(1430289157.013:580): avc:  denied  { execute } for  pid=29632 comm="glusterd" name="S30samba-start.sh" dev="dm-0" ino=488775 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file

type=AVC msg=audit(1430289156.998:579): avc:  denied  { execute } for  pid=29626 comm="glusterd" name="S29CTDBsetup.sh" dev="dm-0" ino=488774 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file

type=AVC msg=audit(1430289143.445:573): avc:  denied  { execute } for  pid=29576 comm="glusterd" name="S30samba-stop.sh" dev="dm-0" ino=135416758 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file



Version-Release number of selected component (if applicable):
samba-4.1.17-5.el7.centos.x86_64
glusterfs-3.7.0alpha0-0.17.gited96153.el7.centos.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL 7.1, the RHS samba rpms and the gluster bits
2. Create a gluster volume
3. Start the volume
4. Check if the share is created in smb.conf

Actual results:
The hook script fails to execute and the samba share is not created in smb.conf.


Expected results:
samba share should get created in smb.conf after a volume start.


Additional info:

Looks like execution of the hook script and editing smb.conf is prevented by SELinux. We need to resolve this.

--- Additional comment from RHEL Product and Program Management on 2015-05-12 13:53:53 EDT ---

This request has been proposed as a blocker, but a release flag has
not been requested. Please set a release flag to ? to ensure we may
track this bug against the appropriate upcoming release, and reset
the blocker flag to ?.

Comment 2 Miroslav Grepl 2015-06-10 14:34:34 UTC
$ matchpathcon /var/lib/glusterd/hooks/*/*.sh
/var/lib/glusterd/hooks/*/*.sh	system_u:object_r:bin_t:s0
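
Added example (not code from this bug, from glusterfs or from selinux-policy): a small Python triage script for AVC lines of the kind quoted in the description and in comments 18 and 20. It parses both audit formats seen on this page (raw `audit(1430289182.264:582)` records and the ausearch -i form with unquoted values such as comm=ctdbd) and sorts each denial into two buckets that matter to a policy maintainer: denials where the target file carries a different type than the file-context rule says it should (the matchpathcon output in comment 2 says the hook scripts are bin_t, while the AVCs show glusterd_var_lib_t, so restorecon rather than a policy change is the fix), and denials where the label is right and a rule really is missing, for which an audit2allow-style candidate allow rule is printed. The EXPECTED_TYPES table, the SAMPLE_AUDIT_LOG string and the restorecon hint are assumptions constructed from text quoted in this bug, not data read from a live host.

```python
"""Triage SELinux AVC denials: relabel needed vs. policy rule missing.

Added example; not code from the bug, glusterfs or selinux-policy.
EXPECTED_TYPES and SAMPLE_AUDIT_LOG are constructed from text quoted in
the bug and are assumptions, not output from a live system.
"""
import fnmatch
import re
from collections import defaultdict

# key=value tokens; the value is either "quoted" or a bare run of non-spaces
# (ausearch -i prints comm=ctdbd unquoted, raw audit.log prints comm="glusterd").
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_DENIED = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')
_CTX_TYPE = re.compile(r'^[^:]+:[^:]+:([^:]+)')  # user:role:TYPE:level

# Expected file types (constructed): hook scripts from the matchpathcon output
# in comment 2, /dev/random from the label already shown in the first AVC.
EXPECTED_TYPES = {
    "/var/lib/glusterd/hooks/*/*.sh": "bin_t",
    "/dev/random": "random_device_t",
}
FILE_CLASSES = {"file", "dir", "chr_file", "blk_file", "lnk_file",
                "sock_file", "fifo_file"}


def parse_avc(line):
    """Parse one audit line; return a dict, or None if it is not a denial."""
    m = _DENIED.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, quoted, bare in _KV.findall(line):
        rec[key] = quoted if quoted else bare
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None
    return rec


def ctx_type(ctx):
    """system_u:object_r:bin_t:s0 -> bin_t"""
    m = _CTX_TYPE.match(ctx)
    return m.group(1) if m else ctx


def expected_type(rec):
    """Return (expected_type, restorecon_root) for the target, or None."""
    path, name = rec.get("path"), rec.get("name")
    for pattern, etype in EXPECTED_TYPES.items():
        root = pattern.split("*", 1)[0].rstrip("/") or "/"
        if path and fnmatch.fnmatchcase(path, pattern):
            return etype, root
        # execute denials carry only name=, so fall back to the pattern's
        # basename (assumption: the basename alone is distinctive enough).
        if name and not path and fnmatch.fnmatchcase(name, pattern.rsplit("/", 1)[-1]):
            return etype, root
    return None


def classify(rec):
    """Return ("relabel", hint) or ("policy", candidate allow rule)."""
    st, tt = ctx_type(rec["scontext"]), ctx_type(rec["tcontext"])
    tclass = rec["tclass"]
    if tclass in FILE_CLASSES:
        hit = expected_type(rec)
        if hit and hit[0] != tt:
            target = rec.get("path") or rec.get("name")
            return ("relabel", f"{target} is {tt}, should be {hit[0]}; "
                               f"fix with: restorecon -Rv {hit[1]}")
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    if st == tt:
        tt = "self"  # same shorthand audit2allow uses for self-targeted rules
    return ("policy", f"allow {st} {tt}:{tclass} {perm_str};")


def triage(log_text):
    """Group unique verdicts by bucket: {"relabel": [...], "policy": [...]}."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        bucket, detail = classify(rec)
        if detail not in out[bucket]:
            out[bucket].append(detail)
    return dict(out)


# Constructed sample: the AVC lines quoted in this bug, in both audit formats.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1430289182.264:582): avc:  denied  { getattr } for  pid=29427 comm="glusterd" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1430289157.013:580): avc:  denied  { execute } for  pid=29632 comm="glusterd" name="S30samba-start.sh" dev="dm-0" ino=488775 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1430289156.998:579): avc:  denied  { execute } for  pid=29626 comm="glusterd" name="S29CTDBsetup.sh" dev="dm-0" ino=488774 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(06/25/2015 06:19:22.207:22288) : avc:  denied  { signull } for  pid=15386 comm=ctdbd scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process
type=AVC msg=audit(06/25/2015 06:19:32.566:22290) : avc:  denied  { read } for  pid=16754 comm=iptables path=/var/lib/ctdb/iptables-ctdb.flock dev="dm-0" ino=67681652 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file
type=AVC msg=audit(07/03/2015 01:30:25.839:154) : avc:  denied  { block_suspend } for  pid=31332 comm=smbd capability=block_suspend  scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability2
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_AUDIT_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

The "policy" bucket is a triage aid, not a patch: in the shipped policy those raw allow rules become interfaces (compare the samba_signull_winbind() and samba_signull_unconfined_net() interfaces added in comment 33), and the dontaudit decisions in comments 19 and 26 show that a denial in that bucket is not automatically turned into an allow. Run it against a real audit.log with `ausearch -m avc` piped in, after extending EXPECTED_TYPES from `semanage fcontext -l` or `matchpathcon` for the paths involved.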

Comment 5 surabhi 2015-06-11 08:44:58 UTC
Created attachment 1037555
AVC logs

Comment 6 Miroslav Grepl 2015-06-15 16:00:41 UTC
I believe we have fixed most of these issues.

How does it look with the latest el7 policy?

Comment 8 Raghavendra Talur 2015-06-16 15:25:27 UTC
Created attachment 1039536
heart beat related denials?

Comment 9 Raghavendra Talur 2015-06-16 15:26:33 UTC
Created attachment 1039537
mount related denials

Comment 10 Raghavendra Talur 2015-06-16 15:27:11 UTC
Created attachment 1039538
ctdb service related

Comment 11 Raghavendra Talur 2015-06-16 15:28:04 UTC
Created attachment 1039539
ctdb service related2

Comment 12 Raghavendra Talur 2015-06-16 15:28:53 UTC
Created attachment 1039540
without samba install

Comment 13 Miroslav Grepl 2015-06-16 15:30:06 UTC
You should run

setsebool -P use_fusefs_home_dirs 1

to allow some of them.

Comment 14 Raghavendra Talur 2015-06-16 15:34:36 UTC
I found 4 issues on performing the tests with the following selinux packages installed.

libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-28.el7.noarch
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-28.el7.noarch


Issues are:

1. Denials on starting ctdb service. see attachments audit.log.CtdbDenials and audit.log.CtdbDenialsAfterPermissive

2. Denials on performing a smb mount. see attachment audit.log.SmbdDenialOnCifsMount

3. Denials on ctdb probably because of ctdb heartbeats. see attachment audit.log.CtdbDenialForGetattr

4. One issue which may be just because I did not install Samba and tried to start the ctdb service. I never saw these denials after installing Samba. Probably can be ignored.
See attachment audit.log.HookScriptDenialsBeforeSambaInstall.

Does this mean we will need one more update of the policy?

Comment 15 Miroslav Grepl 2015-06-17 09:19:40 UTC
I added net_admin for smbd_t. 

But you will need to run

setsebool -P use_fusefs_home_dirs 1

to allow FUSE to be used.

Comment 16 Raghavendra Talur 2015-06-18 08:49:13 UTC
Miroslav,

Is use_fusefs_home_dirs required just for ctdb to be able to use FUSE or even for user mounts?


Is there any way we can automate it? Otherwise it would mean one more step in the admin guide while setting up ctdb.

Comment 17 Miroslav Grepl 2015-06-19 07:12:09 UTC
Yes, it should be turned on by default by Gluster.

setsebool -P use_fusefs_home_dirs 1

Comment 18 surabhi 2015-06-25 11:22:23 UTC
I see the following AVCs on ctdb setup.

type=AVC msg=audit(06/25/2015 06:19:22.207:22288) : avc:  denied  { signull } for  pid=15386 comm=ctdbd scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process 
----

type=AVC msg=audit(06/25/2015 06:19:32.566:22290) : avc:  denied  { read } for  pid=16754 comm=iptables path=/var/lib/ctdb/iptables-ctdb.flock dev="dm-0" ino=67681652 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file

Comment 19 Lukas Vrabec 2015-06-30 14:35:34 UTC
commit 2bbd5489d69d888a1c05e082e756543c1f0b3c08
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jun 30 14:54:15 2015 +0200

    Dontaudit ctbd_t sending signull to smbd_t.


commit 5cc206f8481d2a4b4ba7d267c3e0bf0f8203eaf8
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jun 30 13:19:15 2015 +0200

    Allow iptables to read ctdbd lib files.

Comment 20 surabhi 2015-07-03 06:40:16 UTC
The AVCs mentioned in comment 18 are resolved with the build
selinux-policy-3.13.1-30.el7; I see only one AVC, as follows:

type=AVC msg=audit(07/03/2015 01:30:25.839:154) : avc:  denied  { block_suspend } for  pid=31332 comm=smbd capability=block_suspend  scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability2 

We need to add this as well.
All other issues and AVCs are resolved.

Comment 26 Lukas Vrabec 2015-07-09 11:29:04 UTC
commit 6bb5d0038eb282cadcac82e71d3c0304d43c7b44
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 9 13:24:07 2015 +0200

    Allow ctdbd sending signull to process winbind, samba_unconfined_net, to
    checking if processes exists.

commit 687a1df2816c9fcc5af7f301749c8014df0815eb
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 9 13:22:48 2015 +0200

    Dontaudit smbd_t block_suspend capability. This is kernel bug.

commit 763e30c40a7e03a46dfac511dcdde1de3e9232c6
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 9 13:16:21 2015 +0200

    Add interfaces winbind_signull(), samba_unconfined_net_signull().

Comment 27 surabhi 2015-07-15 07:32:09 UTC
With SELinux policy build :

selinux-policy-targeted-3.13.1-32.el7.noarch
selinux-policy-3.13.1-32.el7.noarch

I am seeing the following AVCs, which were not seen in the earlier build.
I worked with Milos on this and found that the rule
allow ctdbd_t systemd_systemctl_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;
is present in the .31.el7 build but is missing from the .32.el7 build.

Comment 29 Lukas Vrabec 2015-07-15 08:05:06 UTC
Could you attach AVCs?

Comment 30 surabhi 2015-07-15 08:11:02 UTC
Created attachment 1052256
AVC's

Comment 31 surabhi 2015-07-15 09:01:16 UTC
Also verified that after downgrading to .31.el7, the ctdb nodes come to OK state and no AVCs are seen.

Comment 33 Lukas Vrabec 2015-07-15 12:42:53 UTC
commit ce652d6c62c6d38d1dab05b862cecc863075d28c
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jul 15 14:01:16 2015 +0200

    Allow ctdbd_t send signull to samba_unconfined_net_t.

commit 4aea5f1b161c8e711f593cf123de3b155ba71229
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jul 15 14:00:39 2015 +0200

    Add samba_signull_unconfined_net()

commit 645b04ea4006f4f25f606662cdf9b526df7226e5
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jul 15 13:44:41 2015 +0200

    Add samba_signull_winbind()

Comment 34 surabhi 2015-07-16 05:13:23 UTC
With the builds selinux-policy-3.13.1-33.el7.noarch and
selinux-policy-targeted-3.13.1-33.el7.noarch

there is no AVC seen and all ctdb nodes come to OK state after rebooting multiple nodes.

Need 7.1.z build for this bug.

Comment 38 errata-xmlrpc 2015-11-19 10:35:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html