Bug 1241360

Summary: [SELinux]: Issues in setting up Windows Active directory with samba and access of share denied using domain users (RHEL-6.7)
Product: Red Hat Enterprise Linux 6
Reporter: Prasanth <pprakash>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: urgent
Priority: urgent
Version: 6.7
CC: annair, dwalsh, lvrabec, mgrepl, mmalik, nlevinki, plautrba, pprakash, pvrabec, rcyriac, rhs-smb, rtalur, sankarshan, sbhaloth, ssekidde, storage-qa-internal, tlavigne
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Clone Of: 1240198
: 1249033 (view as bug list) Environment:
Last Closed: 2016-05-10 19:58:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1202842, 1212796, 1240198, 1249033

Description Prasanth 2015-07-09 06:32:20 UTC
+++ This bug was initially created as a clone of Bug #1240198 +++

Description of problem:
***************************************
When SELinux is set to enforcing mode, with Windows Active Directory set up for samba and gluster, the domain user fails to access the samba share because of improper permission/context settings for winbind and nmbd processes.

The server is able to join domain but not consistently and sometimes it fails to list domain users.

Following AVC's are present in audit log:

type=AVC msg=audit(07/06/2015 03:01:20.719:20011) : avc:  denied  { lock } for  pid=15334 comm=smbd path=/var/run/samba/smbd.pid dev=dm-0 ino=1574544 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 


type=AVC msg=audit(07/06/2015 03:01:44.798:20016) : avc:  denied  { create } for  pid=15334 comm=smbd name=ncalrpc scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 


type=AVC msg=audit(07/06/2015 03:01:44.798:20016) : avc:  denied  { add_name } for  pid=15334 comm=smbd name=ncalrpc scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 


type=AVC msg=audit(07/06/2015 03:01:44.798:20016) : avc:  denied  { write } for  pid=15334 comm=smbd name=samba dev=dm-0 ino=1574523 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 


type=AVC msg=audit(07/06/2015 03:01:25.131:20012) : avc:  denied  { write open } for  pid=15362 comm=nmbd name=nmbd.pid dev=dm-0 ino=1574567 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 


type=AVC msg=audit(07/06/2015 03:01:25.131:20013) : avc:  denied  { lock } for  pid=15362 comm=nmbd path=/var/run/samba/nmbd.pid dev=dm-0 ino=1574567 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 

type=AVC msg=audit(07/06/2015 03:01:25.147:20014) : avc:  denied  { create } for  pid=15362 comm=nmbd name=nmbd scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 

type=AVC msg=audit(07/06/2015 03:01:25.131:20012) : avc:  denied  { add_name } for  pid=15362 comm=nmbd name=nmbd.pid scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 

type=AVC msg=audit(07/06/2015 03:01:25.131:20012) : avc:  denied  { write } for  pid=15362 comm=nmbd name=samba dev=dm-0 ino=1574523 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir



Version-Release number of selected component (if applicable):
samba-4.1.17-7.el6rhs.x86_64

How reproducible:
Tried once

Steps to Reproduce:
1. Windows Active Directory setup to verify domain join and access of share to domain users.
2. Setup as per documentation, join domain
3. Access the share by logging in as domain user

Actual results:
The access to share fails with the domain user login and AVC's seen w.r.t permissions for winbind nmb and smb process.

Expected results:
*****************************
Access of share should be successful and there should not be any AVC's.


Additional info:

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-07-06 03:49:07 EDT ---

This bug is automatically being proposed for Red Hat Gluster Storage 3.1.0 by setting the release flag 'rhgs-3.1.0' to '?'. 

If this bug should be proposed for a different release, please manually change the proposed release flag.

--- Additional comment from surabhi on 2015-07-06 03:52:46 EDT ---



--- Additional comment from RHEL Product and Program Management on 2015-07-06 08:21:12 EDT ---

This bug report previously had all acks and release flag approved.
However since at least one of its acks has been changed, the
release flag has been reset to ? by the bugbot (pm-rhel).  The
ack needs to become approved before the release flag can become
approved again.

--- Additional comment from Rejy M Cyriac on 2015-07-06 10:37:48 EDT ---

Accepted as Blocker as per decision at RHGS 3.1 Blocker BZ Status Check meeting on 06 July 2015

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-07-06 10:40:23 EDT ---

Since this bug has been approved for the Red Hat Gluster Storage 3.1.0 release, through release flag 'rhgs-3.1.0+', the Target Release is being automatically set to 'RHGS 3.1.0'

--- Additional comment from Milos Malik on 2015-07-07 05:51:48 EDT ---

Non-beaker task form of local policy follows:

# cat bz1240198.te
policy_module(bz1240198,1.0)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  class dir { write create add_name };
  class file { write lock create open };
  class sock_file { create };
}

allow nmbd_t winbind_var_run_t:dir { write create add_name };
allow nmbd_t winbind_var_run_t:file { write lock create open };
allow nmbd_t winbind_var_run_t:sock_file { create };
allow smbd_t winbind_var_run_t:dir { write create add_name };
allow smbd_t winbind_var_run_t:file { write lock create open };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1240198 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
# semodule -i bz1240198.pp
#

--- Additional comment from Milos Malik on 2015-07-07 05:55:28 EDT ---

Here is the beaker task form of local policy:

--task "! echo -en 'policy_module(bz1240198,1.0)\n\nrequire {\n  type nmbd_t;\n  type smbd_t;\n  type winbind_var_run_t;\n  class dir { write create add_name };\n  class file { write lock create open };\n  class sock_file { create };\n}\n\nallow nmbd_t winbind_var_run_t:dir { write create add_name };\nallow nmbd_t winbind_var_run_t:file { write lock create open };\nallow nmbd_t winbind_var_run_t:sock_file { create };\nallow smbd_t winbind_var_run_t:dir { write create add_name };\nallow smbd_t winbind_var_run_t:file { write lock create open };\n\n' > bz1240198.te ; make -f /usr/share/selinux/devel/Makefile ; semodule -i bz1240198.pp ; semodule -l bz1240198"

--- Additional comment from Prasanth on 2015-07-08 02:35:13 EDT ---

Surabhi, please try the fix provided by Milos in Comment 7 and confirm if that works.

--- Additional comment from surabhi on 2015-07-08 09:41:56 EDT ---

After trying the fix provided in #C6, I just see the following AVC:

type=AVC msg=audit(07/08/2015 13:27:39.024:43343) : avc:  denied  { read } for  pid=2465 comm=smbd name=smbd.pid dev=dm-0 ino=1574544 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file

--- Additional comment from Milos Malik on 2015-07-08 09:54:44 EDT ---

Non-beaker task form of local policy follows:

# cat bz1240198.te
policy_module(bz1240198,1.0)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  class dir { write create add_name };
  class file { write lock create getattr open read };
  class sock_file { create };
}

allow nmbd_t winbind_var_run_t:dir { write create add_name };
allow nmbd_t winbind_var_run_t:file { write lock create getattr open read };
allow nmbd_t winbind_var_run_t:sock_file { create };
allow smbd_t winbind_var_run_t:dir { write create add_name };
allow smbd_t winbind_var_run_t:file { write lock create getattr open read };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1240198 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
# semodule -i bz1240198.pp
#

--- Additional comment from Milos Malik on 2015-07-08 10:02:08 EDT ---

Non-beaker task form of local policy follows:

# cat bz1240198.te
policy_module(bz1240198,1.0)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  class dir { read write create add_name remove_name };
  class file { write lock create getattr open read };
  class sock_file { create };
}

allow nmbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow nmbd_t winbind_var_run_t:file { write lock create getattr open read };
allow nmbd_t winbind_var_run_t:sock_file { create };
allow smbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow smbd_t winbind_var_run_t:file { write lock create getattr open read };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1240198 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
# semodule -i bz1240198.pp
#

--- Additional comment from surabhi on 2015-07-08 10:11:44 EDT ---

After applying all above fixes, on restart of any of the services, winbind, nmb or smbd, I see more AVC's.

I checked in rhel7 and found no issues because it has following set.

I would request to backport these fixes to RHEL6.7.z so that we cover all cases related to samba, winbind and nmb.


sesearch -s nmbd_t -t winbind_var_run_t -c dir -p add_name --allow -C
Found 1 semantic av rules:
DT allow nmbd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ samba_export_all_rw ]



sesearch -s smbd_t -t winbind_var_run_t -c dir -p add_name --allow -C
Found 1 semantic av rules:
DT allow smbd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ samba_export_all_rw ]

--- Additional comment from surabhi on 2015-07-08 10:14:12 EDT ---

type=AVC msg=audit(07/08/2015 14:05:03.251:43618) : avc:  denied  { unlink } for  pid=18629 comm=smbd name=smbd.pid dev=dm-0 ino=1574544 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/08/2015 14:05:04.435:43619) : arch=x86_64 syscall=unlink success=no exit=-13(Permission denied) a0=0x7f64036ce6b0 a1=0x0 a2=0x7f64036cf6b0 a3=0x702061626d615320 items=0 ppid=1 pid=3257 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7175 comm=smbd exe=/usr/sbin/smbd subj=unconfined_u:system_r:smbd_t:s0 key=(null) 
type=AVC msg=audit(07/08/2015 14:05:04.435:43619) : avc:  denied  { unlink } for  pid=3257 comm=smbd name=smbd.pid dev=dm-0 ino=1574544 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/08/2015 14:05:14.643:43620) : arch=x86_64 syscall=unlink success=no exit=-13(Permission denied) a0=0x7f9bf1afb350 a1=0x0 a2=0x0 a3=0x702061626d615320 items=0 ppid=1 pid=3305 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7175 comm=nmbd exe=/usr/sbin/nmbd subj=unconfined_u:system_r:nmbd_t:s0 key=(null) 
type=AVC msg=audit(07/08/2015 14:05:14.643:43620) : avc:  denied  { unlink } for  pid=3305 comm=nmbd name=nmbd.pid dev=dm-0 ino=1574567 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file

--- Additional comment from Milos Malik on 2015-07-08 10:17:13 EDT ---

Non-beaker task form of local policy follows:

# cat bz1240198.te
policy_module(bz1240198,1.0)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  class dir { read write create add_name remove_name };
  class file { write lock create unlink getattr open read };
  class sock_file { create };
}

allow nmbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow nmbd_t winbind_var_run_t:file { write lock create unlink getattr open read };
allow nmbd_t winbind_var_run_t:sock_file { create };
allow smbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow smbd_t winbind_var_run_t:file { write lock create unlink getattr open read };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1240198 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
# semodule -i bz1240198.pp
#

--- Additional comment from surabhi on 2015-07-09 02:18:13 EDT ---

With a small addition to the policy given in #C14, there are no AVC's seen with Active directory and samba with glusterfs.

Verified with accessing the share by domain users.
All processes are up and running
AD setup works fine.


# cat bz1240198.te
policy_module(bz1240198,1.0)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  class dir { read write create add_name remove_name };
  class file { write lock create unlink getattr open read };
  class sock_file { create unlink };
}

allow nmbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow nmbd_t winbind_var_run_t:file { write lock create unlink getattr open read };
allow nmbd_t winbind_var_run_t:sock_file { create unlink };
allow smbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow smbd_t winbind_var_run_t:file { write lock create unlink getattr open read };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1240198 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
# semodule -i bz1240198.pp
#


Please consider this to be added for RHEL6.7.z

Comment 1 surabhi 2015-07-09 07:03:11 UTC
I see lot many fixes already present in RHEL7 and I don't see these issues in RHEL7.
Is it possible that we back-port the fixes for smb , nmb and winbind processes to RHEL6.7.z so that we have all the fixes in place and don't see any issues further.

Comment 2 surabhi 2015-07-15 12:22:34 UTC
policy_module(bz1240198,1.0)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  type smbd_var_run_t;
  class dir { read write create add_name remove_name };
  class file { write lock create unlink getattr open read };
  class sock_file { create unlink };
}

allow nmbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow nmbd_t winbind_var_run_t:file { write lock create unlink getattr open read };
allow nmbd_t winbind_var_run_t:sock_file { create unlink };
allow smbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow smbd_t winbind_var_run_t:file { write lock create unlink getattr open read };
allow nmbd_t smbd_var_run_t:file { write lock create unlink getattr open read };
allow nmbd_t smbd_var_run_t:dir { read write create add_name remove_name };
allow nmbd_t smbd_var_run_t:sock_file { create unlink };


local policy that worked.

Comment 3 Miroslav Grepl 2015-07-21 11:35:11 UTC
We will need to backport a part of samba policy from 7.2. This local policy is not correct. It creates pid files with incorrect labeling.

Comment 4 Miroslav Grepl 2015-07-27 10:46:35 UTC
Could we test it with

policy_module(bz1240198,1.1)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  type smbd_var_run_t;
  type winbind_t;
  type nmbd_var_run_t;
}

manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
files_pid_filetrans(nmbd_t, nmbd_var_run_t, { sock_file })
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file })
filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)

Comment 8 Miroslav Grepl 2015-07-27 14:02:10 UTC
Ok and could you add additional rule

filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file })

Comment 10 Milos Malik 2015-07-27 14:08:34 UTC
Here are the PID files after starting smb, nmb and winbind services.

# ls -Z /var/run/samba/
drwxr-xr-x. root root unconfined_u:object_r:smbd_var_run_t:s0 ncalrpc
-rw-r--r--. root root unconfined_u:object_r:smbd_var_run_t:s0 smbd.pid
drwxr-xr-x. root root unconfined_u:object_r:smbd_var_run_t:s0 winbindd
-rw-r--r--. root root unconfined_u:object_r:smbd_var_run_t:s0 winbindd.pid
#

After retesting in permissive mode, audit2allow says that we need following rules:

allow nmbd_t nmbd_var_run_t:sock_file { create unlink };
allow nmbd_t smbd_var_run_t:file { write read lock create unlink open };

Comment 11 Milos Malik 2015-07-27 14:10:34 UTC
# rpm -qa samba\*
samba-libs-4.1.17-7.el6rhs.x86_64
samba-4.1.17-7.el6rhs.x86_64
samba-vfs-glusterfs-4.1.17-7.el6rhs.x86_64
samba-winbind-modules-4.1.17-7.el6rhs.x86_64
samba-winbind-clients-4.1.17-7.el6rhs.x86_64
samba-common-4.1.17-7.el6rhs.x86_64
samba-winbind-4.1.17-7.el6rhs.x86_64
samba-client-4.1.17-7.el6rhs.x86_64
#

The samba services store their PID files in /var/run/samba.

Comment 12 Milos Malik 2015-07-27 14:16:54 UTC
Seen on the same machine (3.7.19-279.el6):

# restorecon -Rv /var/
restorecon reset /var/run/samba/nmbd context unconfined_u:object_r:nmbd_var_run_t:s0->unconfined_u:object_r:smbd_var_run_t:s0
restorecon reset /var/run/samba/nmbd/unexpected context unconfined_u:object_r:nmbd_var_run_t:s0->unconfined_u:object_r:smbd_var_run_t:s0
#

Comment 13 Miroslav Grepl 2015-07-27 14:24:43 UTC
(In reply to Milos Malik from comment #10)
> Here are the PID files after starting smb, nmb and winbind services.
> 
> # ls -Z /var/run/samba/
> drwxr-xr-x. root root unconfined_u:object_r:smbd_var_run_t:s0 ncalrpc
> -rw-r--r--. root root unconfined_u:object_r:smbd_var_run_t:s0 smbd.pid
> drwxr-xr-x. root root unconfined_u:object_r:smbd_var_run_t:s0 winbindd
> -rw-r--r--. root root unconfined_u:object_r:smbd_var_run_t:s0 winbindd.pid
> #
> 
> After retesting in permissive mode, audit2allow says that we need following
> rules:
> 
> allow nmbd_t nmbd_var_run_t:sock_file { create unlink };
> allow nmbd_t smbd_var_run_t:file { write read lock create unlink open };

Milos,
did you test with the local rules which I suggested?

Comment 15 Milos Malik 2015-07-27 14:40:54 UTC
After applying the suggested local module, the following AVC appeared in enforcing mode and the nmbd process was not running even though I started it many times:
----
type=PATH msg=audit(07/27/2015 16:36:23.676:278) : item=1 name=/var/run/samba/nmbd/unexpected inode=1076 dev=fc:03 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:smbd_var_run_t:s0 nametype=DELETE 
type=PATH msg=audit(07/27/2015 16:36:23.676:278) : item=0 name=/var/run/samba/nmbd/ inode=33157 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:smbd_var_run_t:s0 nametype=PARENT 
type=CWD msg=audit(07/27/2015 16:36:23.676:278) :  cwd=/ 
type=SYSCALL msg=audit(07/27/2015 16:36:23.676:278) : arch=x86_64 syscall=unlink success=no exit=-13(Permission denied) a0=0x7f470169f720 a1=0x0 a2=0x7f470169ec30 a3=0x1f items=2 ppid=1 pid=25029 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=6 comm=nmbd exe=/usr/sbin/nmbd subj=unconfined_u:system_r:nmbd_t:s0 key=(null) 
type=AVC msg=audit(07/27/2015 16:36:23.676:278) : avc:  denied  { unlink } for  pid=25029 comm=nmbd name=unexpected dev=vda3 ino=1076 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:smbd_var_run_t:s0 tclass=sock_file
----

Comment 16 Milos Malik 2015-07-27 14:42:22 UTC
FYI: comment#15 is related to local policy module mentioned in comment#4.

Comment 17 surabhi 2015-07-27 14:44:21 UTC
I also see similar AVC's after applying local policy mentioned in #C4.
The policy mentioned in #C14 works fine.

Comment 18 Miroslav Grepl 2015-07-27 16:21:09 UTC
Ok we have /var/run/samba/nmbd/ mislabeled.

Does 

-filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file })
+filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file dir })

help?

Comment 19 Miroslav Grepl 2015-07-29 07:52:05 UTC
(In reply to surabhi from comment #17)
> I also see similar AVC's after applying local policy mentioned in #C4.
> The policy mentioned in #C14 works fine.

The problem with this local policy is it places files with wrong labeling.

Comment 20 Miroslav Grepl 2015-07-30 09:00:44 UTC
policy_module(bz1240198,1.1)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  type smbd_var_run_t;
  type winbind_t;
  type nmbd_var_run_t;
}

manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
files_pid_filetrans(nmbd_t, nmbd_var_run_t, { sock_file })
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file })
filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file dir })

Any chance to re-test it with this policy?
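The local modules earlier in this thread are what audit2allow produces from raw AVC records: one allow line per (source type, target type, class) with the denied permissions merged. Comments 3 and 19 explain why that is the wrong fix here (smbd/nmbd would create pid files that inherit winbind_var_run_t or smbd_var_run_t from the directory), and comment 20 shows the right shape: a filetrans_pattern to the daemon's own var_run type plus manage_*_pattern on that type. The following Python script is an added example for this page, not Red Hat's or the selinux-policy project's code. It parses AVC lines, aggregates them the way audit2allow does, and then moves any rule that would let a Samba domain create objects under another domain's var_run type into a transition suggestion modelled on comment 20, and any denial on an existing object carrying another domain's var_run type into a relabel note. It generalises past this bug: every domain listed in OWN_PID_TYPE gets the same treatment. OWN_PID_TYPE is an assumption built from the type names comment 20's module requires, and SAMPLE_AVCS are constructed from the AVC lines quoted in the description and comment 25.

```python
"""Aggregate SELinux AVC denials into candidate policy rules, audit2allow
style, then separate the rules that need a type transition (or a relabel)
from the ones a plain allow rule is right for.

Added example for this bug report; not Red Hat's or the selinux-policy
project's code.  OWN_PID_TYPE is an assumption taken from the type names in
comment 20; SAMPLE_AVCS are records quoted in the description and comment 25.
"""
import re
from collections import defaultdict, namedtuple

Denial = namedtuple("Denial", "stype ttype tclass perms")

# Assumption: each daemon domain and the /var/run type it owns.
OWN_PID_TYPE = {
    "smbd_t": "smbd_var_run_t",
    "nmbd_t": "nmbd_var_run_t",
    "winbind_t": "winbind_var_run_t",
}

# A new object gets its parent directory's type unless a type_transition
# applies, so allowing these against another domain's var_run type yields
# mislabelled pid files (comments 3 and 19).  The fix is a transition to
# the creating domain's own type.
CREATE_PERMS = {"create", "add_name"}

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")


def parse_avc(line):
    """Return a Denial for one AVC record, or None for any other line."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    # user:role:type[:range]: the type is the third field, also for MLS
    # contexts such as system_u:system_r:sshd_t:s0-s0:c0.c1023.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return Denial(stype, ttype, fields["tclass"], frozenset(m.group(1).split()))


def aggregate(lines):
    """Merge denials into {(stype, ttype, tclass): set of permissions}."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules[(d.stype, d.ttype, d.tclass)] |= d.perms
    return dict(rules)


def classify(rules):
    """Sort aggregated rules into .te lines: 'allow' (plain allow rules,
    what audit2allow prints), 'filetrans' (transition plus manage macros
    for a domain creating inside a directory of another domain's var_run
    type) and 'relabel' (existing objects with a foreign var_run type;
    fix the label with restorecon instead of allowing)."""
    out = {"allow": [], "filetrans": set(), "relabel": []}
    pid_types = set(OWN_PID_TYPE.values())
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        own = OWN_PID_TYPE.get(stype)
        foreign = own is not None and ttype in pid_types and ttype != own
        perm_list = " ".join(sorted(perms))
        if foreign and tclass == "dir" and perms & CREATE_PERMS:
            out["filetrans"].update([
                f"filetrans_pattern({stype}, {ttype}, {own}, {{ dir file sock_file }})",
                f"manage_dirs_pattern({stype}, {own}, {own})",
                f"manage_files_pattern({stype}, {own}, {own})",
                f"manage_sock_files_pattern({stype}, {own}, {own})",
            ])
        elif foreign:
            out["relabel"].append(
                f"# relabel, do not allow: {stype} {ttype}:{tclass} {{ {perm_list} }}")
        else:
            out["allow"].append(f"allow {stype} {ttype}:{tclass} {{ {perm_list} }};")
    out["filetrans"] = sorted(out["filetrans"])
    return out


def render_te(name, rules, version="1.0"):
    """Emit a .te module in the layout used in this thread.  Only types go
    into require; comment 20's module declares no classes either."""
    buckets = classify(rules)
    types = set()
    for stype, ttype, _ in rules:
        types.update([stype, ttype, OWN_PID_TYPE.get(stype, stype)])
    lines = [f"policy_module({name},{version})", "", "require {"]
    lines += [f"  type {t};" for t in sorted(types)]
    lines += ["}", ""]
    lines += buckets["filetrans"] + buckets["allow"] + buckets["relabel"]
    return "\n".join(lines) + "\n"


# Constructed input: AVC records quoted in the description and comment 25.
SAMPLE_AVCS = [
    "type=AVC msg=audit(07/06/2015 03:01:20.719:20011) : avc:  denied  { lock } for  pid=15334 comm=smbd path=/var/run/samba/smbd.pid dev=dm-0 ino=1574544 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file",
    "type=AVC msg=audit(07/06/2015 03:01:44.798:20016) : avc:  denied  { create } for  pid=15334 comm=smbd name=ncalrpc scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir",
    "type=AVC msg=audit(07/06/2015 03:01:44.798:20016) : avc:  denied  { write } for  pid=15334 comm=smbd name=samba dev=dm-0 ino=1574523 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir",
    "type=AVC msg=audit(07/06/2015 03:01:25.131:20012) : avc:  denied  { write open } for  pid=15362 comm=nmbd name=nmbd.pid dev=dm-0 ino=1574567 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file",
    "type=AVC msg=audit(07/06/2015 03:01:25.147:20014) : avc:  denied  { create } for  pid=15362 comm=nmbd name=nmbd scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir",
    "type=AVC msg=audit(08/04/2015 10:32:34.646:1366) : avc:  denied  { search } for  pid=5343 comm=sshd name=samba dev=dm-0 ino=1177567 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir",
]

if __name__ == "__main__":
    print(render_te("bz1240198", aggregate(SAMPLE_AVCS)), end="")
```

Running it prints a .te module for the sample records that can be fed to `make -f /usr/share/selinux/devel/Makefile` as in the thread. The source type in each suggested filetrans_pattern is whatever the parent directory was labelled when the denial fired (winbind_var_run_t in the description's records, smbd_var_run_t in comment 20), so check the directory's correct label with `restorecon -nv` first, as comment 12 does; if restorecon would reset it, relabel before writing any rule at all.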

Comment 22 Raghavendra Talur 2015-07-31 10:27:17 UTC
Verified using the new local policy that no avc is seen in logs.
Able to connect to Shares using Domain users and smbclient.

Comment 25 surabhi 2015-08-04 11:13:37 UTC
After updating the selinux policy to 
selinux-policy-3.7.19-279.el6_7.3.noarch
selinux-policy-targeted-3.7.19-279.el6_7.3.noarch

I don't see any AVC's related to winbind, smbd, nmbd and am able to set up Active Directory; the samba server is able to join the domain.
The functionality works fine, domain user is able to login and do fops.
But I see only one AVC as follows:
type=AVC msg=audit(08/04/2015 10:32:34.646:1366) : avc:  denied  { search } for  pid=5343 comm=sshd name=samba dev=dm-0 ino=1177567 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir

Comment 26 surabhi 2015-08-04 12:18:51 UTC
type=AVC msg=audit(08/04/2015 12:13:56.464:2106) : avc:  denied  { search } for  pid=7059 comm=sshd name=samba dev=dm-0 ino=1177567 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/04/2015 12:14:01.387:2124) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7f05c47ac9f1 a1=0x7ffd2d918460 a2=0x7ffd2d918460 a3=0x1 items=0 ppid=7059 pid=7073 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=323 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/04/2015 12:14:01.387:2124) : avc:  denied  { search } for  pid=7073 comm=sshd name=samba dev=dm-0 ino=1177567 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(08/04/2015 12:14:56.008:2140) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0x7f49be8b79f1 a1=0x7fffcd1873a0 a2=0x7fffcd1873a0 a3=0x7fffcd189870 items=0 ppid=2043 pid=7096 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/04/2015 12:14:56.008:2140) : avc:  denied  { search } for  pid=7096 comm=sshd name=samba dev=dm-0 ino=1177567 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir 


SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive

Comment 30 errata-xmlrpc 2016-05-10 19:58:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html