Bug 1241360
Summary: | [SELinux]: Issues in setting up Windows Active directory with samba and access of share denied using domain users (RHEL-6.7) | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Prasanth <pprakash> | |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
Severity: | urgent | Docs Contact: | ||
Priority: | urgent | |||
Version: | 6.7 | CC: | annair, dwalsh, lvrabec, mgrepl, mmalik, nlevinki, plautrba, pprakash, pvrabec, rcyriac, rhs-smb, rtalur, sankarshan, sbhaloth, ssekidde, storage-qa-internal, tlavigne | |
Target Milestone: | rc | Keywords: | ZStream | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | 1240198 | |||
: | 1249033 (view as bug list) | Environment: | ||
Last Closed: | 2016-05-10 19:58:48 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1202842, 1212796, 1240198, 1249033 |
Description
Prasanth
2015-07-09 06:32:20 UTC
I see lot many fixes already present in RHEL7 and I don't see these issues in RHEL7. Is it possible that we back-port the fixes for smb , nmb and winbind processes to RHEL6.7.z so that we have all the fixes in place and don't see any issues further. policy_module(bz1240198,1.0) require { type nmbd_t; type smbd_t; type winbind_var_run_t; type smbd_var_run_t; class dir { read write create add_name remove_name }; class file { write lock create unlink getattr open read }; class sock_file { create unlink }; } allow nmbd_t winbind_var_run_t:dir { read write create add_name remove_name}; allow nmbd_t winbind_var_run_t:file { write lock create unlink getattr open read }; allow nmbd_t winbind_var_run_t:sock_file { create unlink }; allow smbd_t winbind_var_run_t:dir { read write create add_name remove_name }; allow smbd_t winbind_var_run_t:file { write lock create unlink getattr open read }; allow nmbd_t smbd_var_run_t:file { write lock create unlink getattr open read }; allow nmbd_t smbd_var_run_t:dir { read write create add_name remove_name }; allow nmbd_t smbd_var_run_t:sock_file { create unlink }; local policy that worked. We will need to backport a part of samba policy from 7.2. This local policy is not correct. It creates pid files with incorrect labeling. Could we test it with policy_module(bz1240198,1.1) require { type nmbd_t; type smbd_t; type winbind_var_run_t; type smbd_var_run_t; type winbind_t; type nmbd_var_run_t; } manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) files_pid_filetrans(nmbd_t, nmbd_var_run_t, { sock_file }) files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file }) filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir) manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) Ok and could you add additional rule filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file }) Here are the PID files after starting smb, nmb and winbind services. # ls -Z /var/run/samba/ drwxr-xr-x. root root unconfined_u:object_r:smbd_var_run_t:s0 ncalrpc -rw-r--r--. root root unconfined_u:object_r:smbd_var_run_t:s0 smbd.pid drwxr-xr-x. root root unconfined_u:object_r:smbd_var_run_t:s0 winbindd -rw-r--r--. root root unconfined_u:object_r:smbd_var_run_t:s0 winbindd.pid # After retesting in permissive mode, audit2allow says that we need following rules: allow nmbd_t nmbd_var_run_t:sock_file { create unlink }; allow nmbd_t smbd_var_run_t:file { write read lock create unlink open }; # rpm -qa samba\* samba-libs-4.1.17-7.el6rhs.x86_64 samba-4.1.17-7.el6rhs.x86_64 samba-vfs-glusterfs-4.1.17-7.el6rhs.x86_64 samba-winbind-modules-4.1.17-7.el6rhs.x86_64 samba-winbind-clients-4.1.17-7.el6rhs.x86_64 samba-common-4.1.17-7.el6rhs.x86_64 samba-winbind-4.1.17-7.el6rhs.x86_64 samba-client-4.1.17-7.el6rhs.x86_64 # The samba services store their PID files in /var/run/samba. Seen on the same machine (3.7.19-279.el6): # restorecon -Rv /var/restorecon reset /var/run/samba/nmbd context unconfined_u:object_r:nmbd_var_run_t:s0->unconfined_u:object_r:smbd_var_run_t:s0 restorecon reset /var/run/samba/nmbd/unexpected context unconfined_u:object_r:nmbd_var_run_t:s0->unconfined_u:object_r:smbd_var_run_t:s0 # (In reply to Milos Malik from comment #10) > Here are the PID files after starting smb, nmb and winbind services. > > # ls -Z /var/run/samba/ > drwxr-xr-x. root root unconfined_u:object_r:smbd_var_run_t:s0 ncalrpc > -rw-r--r--. root root unconfined_u:object_r:smbd_var_run_t:s0 smbd.pid > drwxr-xr-x. root root unconfined_u:object_r:smbd_var_run_t:s0 winbindd > -rw-r--r--. root root unconfined_u:object_r:smbd_var_run_t:s0 winbindd.pid > # > > After retesting in permissive mode, audit2allow says that we need following > rules: > > allow nmbd_t nmbd_var_run_t:sock_file { create unlink }; > allow nmbd_t smbd_var_run_t:file { write read lock create unlink open }; Milos, did you tested with a local rules which I suggested? After applying of suggested local module, following AVC appeared in enforcing mode and nmbd process was not running even if I started it many times: ---- type=PATH msg=audit(07/27/2015 16:36:23.676:278) : item=1 name=/var/run/samba/nmbd/unexpected inode=1076 dev=fc:03 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:smbd_var_run_t:s0 nametype=DELETE type=PATH msg=audit(07/27/2015 16:36:23.676:278) : item=0 name=/var/run/samba/nmbd/ inode=33157 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:smbd_var_run_t:s0 nametype=PARENT type=CWD msg=audit(07/27/2015 16:36:23.676:278) : cwd=/ type=SYSCALL msg=audit(07/27/2015 16:36:23.676:278) : arch=x86_64 syscall=unlink success=no exit=-13(Permission denied) a0=0x7f470169f720 a1=0x0 a2=0x7f470169ec30 a3=0x1f items=2 ppid=1 pid=25029 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=6 comm=nmbd exe=/usr/sbin/nmbd subj=unconfined_u:system_r:nmbd_t:s0 key=(null) type=AVC msg=audit(07/27/2015 16:36:23.676:278) : avc: denied { unlink } for pid=25029 comm=nmbd name=unexpected dev=vda3 ino=1076 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:smbd_var_run_t:s0 tclass=sock_file ---- FYI: comment#15 is related to local policy module mentioned in comment#4. I also see similar AVC's after applying local policy mentioned in #C4. The policy mentioned in #C14 works fine. Ok we have /var/run/samba/nmbd/ mislabeled. Does -filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file }) +filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file dir }) help? (In reply to surabhi from comment #17) > I also see similar AVC's after applying local policy mentioned in #C4. > The policy mentioned in #C14 works fine. The problem with this local policy is it places files with wrong labeling. policy_module(bz1240198,1.1) require { type nmbd_t; type smbd_t; type winbind_var_run_t; type smbd_var_run_t; type winbind_t; type nmbd_var_run_t; } manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) files_pid_filetrans(nmbd_t, nmbd_var_run_t, { sock_file }) files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file }) filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir) manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file dir }) Any chance to re-test it with this policy? Verified using the new local policy that no avc is seen in logs. Able to connect to Shares using Domain users and smbclient. After updating the selinux policy to selinux-policy-3.7.19-279.el6_7.3.noarch selinux-policy-targeted-3.7.19-279.el6_7.3.noarch I don't see any AVC's related to winbind, smbd, nmbd and able to setup Active directory and samba server is able to join domain. The functionality works fine, domain user is able to login and do fops. But I see only one AVC as follows: type=AVC msg=audit(08/04/2015 10:32:34.646:1366) : avc: denied { search } for pid=5343 comm=sshd name=samba dev=dm-0 ino=1177567 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir type=AVC msg=audit(08/04/2015 12:13:56.464:2106) : avc: denied { search } for pid=7059 comm=sshd name=samba dev=dm-0 ino=1177567 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir ---- type=SYSCALL msg=audit(08/04/2015 12:14:01.387:2124) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7f05c47ac9f1 a1=0x7ffd2d918460 a2=0x7ffd2d918460 a3=0x1 items=0 ppid=7059 pid=7073 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=323 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(08/04/2015 12:14:01.387:2124) : avc: denied { search } for pid=7073 comm=sshd name=samba dev=dm-0 ino=1177567 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir ---- type=SYSCALL msg=audit(08/04/2015 12:14:56.008:2140) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0x7f49be8b79f1 a1=0x7fffcd1873a0 a2=0x7fffcd1873a0 a3=0x7fffcd189870 items=0 ppid=2043 pid=7096 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(08/04/2015 12:14:56.008:2140) : avc: denied { search } for pid=7096 comm=sshd name=samba dev=dm-0 ino=1177567 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0763.html |