Bug 1252937

Summary: samba can not perform join when running in samba_net_t context
Product: Red Hat Enterprise Linux 7
Reporter: Patrik Kis <pkis>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.1
CC: lvrabec, mgrepl, mmalik, pkis, plautrba, pvrabec, rhack, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-43.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 10:43:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Patrik Kis 2015-08-12 14:32:36 UTC
Description of problem:
With the new samba in RHEL-7.2 new AVC denials appeared. It looks like it does something extra compared to the old version but as far as I can tell it's ok.
The problem appears only when the affected command line tool runs in samba_net_t context, i.e. executed by an external program like realmd.

type=PROCTITLE msg=audit(08/12/2015 10:28:06.468:591) : proctitle=/usr/bin/net -d 1 -s /var/cache/realmd/realmd-smb-conf -U amy-admin ads join ad.baseos.qe 
type=SYSCALL msg=audit(08/12/2015 10:28:06.468:591) : arch=aarch64 syscall=bind success=no exit=-13(Permission denied) a0=0x6 a1=0x3ffdf0c5d08 a2=0x6e a3=0xffffff80 items=0 ppid=2438 pid=17008 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=net exe=/usr/bin/net subj=system_u:system_r:samba_net_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/12/2015 10:28:06.468:591) : avc:  denied  { create } for  pid=17008 comm=net name=17008 scontext=system_u:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file permissive=0 


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-41.el7
samba-4.2.3-4.el7

How reproducible:
always

Steps to Reproduce:
runcon -u system_u -r system_r -t samba_net_t /usr/bin/net -d 1 -s /var/cache/realmd/realmd-smb-conf -U <USER> ads join <DOMAIN>

OR via realmd:

realm -v join --membership-software=samba -U <USER> <DOMAIN>

Comment 1 Patrik Kis 2015-08-13 09:15:00 UTC
In permissive mode one more AVC denial appeared:

type=PROCTITLE msg=audit(08/13/2015 05:10:52.453:1083) : proctitle=/usr/bin/net -s /var/cache/realmd/realmd-smb-conf.M0YV2X -U Amy-admin ads join ad.baseos.qe 
type=SYSCALL msg=audit(08/13/2015 05:10:52.453:1083) : arch=aarch64 syscall=unlinkat success=yes exit=0 a0=0xffffffffffffff9c a1=0x2aac932fdf0 a2=0x0 a3=0x2aac9330bf0 items=0 ppid=30537 pid=31028 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=net exe=/usr/bin/net subj=system_u:system_r:samba_net_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/13/2015 05:10:52.453:1083) : avc:  denied  { unlink } for  pid=31028 comm=net name=31028 dev="dm-0" ino=136370653 scontext=system_u:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file permissive=1
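
Added triage script, not part of this bug report or of the selinux-policy package: it parses constructed copies of the two AVC records quoted above (the enforcing-mode create denial from the description and the permissive-mode unlink denial from comment 1), merges the denied permissions per (source type, target type, object class), records whether any denial in the group was actually blocked (permissive=0) rather than only logged, and renders the minimal TE allow rule those denials call for. The regular expression, the helper names and SAMPLE_AUDIT are this example's own. Note that the fix adopted in this bug uses the broader manage_sock_files_pattern macro, which covers create and unlink together with the rest of the manage permission set, rather than the minimal rule the script prints.

```python
import re
from collections import defaultdict

# Constructed copies of the two AVC records quoted in this bug report:
# an enforcing-mode create denial and a permissive-mode unlink denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(08/12/2015 10:28:06.468:591) : avc:  denied  { create } for  pid=17008 comm=net name=17008 scontext=system_u:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(08/13/2015 05:10:52.453:1083) : avc:  denied  { unlink } for  pid=31028 comm=net name=31028 dev="dm-0" ino=136370653 scontext=system_u:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file permissive=1
"""

# Fields of interest in an AVC record (example's own regex, not from audit tooling).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def selinux_type(context):
    """Return the type component (user:role:type:range) of an SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Extract permissions, source/target types, class and enforcement from one record.

    Returns None for lines that are not AVC denials (SYSCALL, PROCTITLE, ...).
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but allowed; anything else
        # (permissive=0 or the field missing on older kernels) is treated as blocked.
        "enforced": m.group("permissive") != "1",
    }


def summarize(audit_text):
    """Group denials by (source type, target type, class) and merge permission sets."""
    summary = defaultdict(lambda: {"perms": set(), "blocked": False})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        summary[key]["perms"] |= rec["perms"]
        summary[key]["blocked"] |= rec["enforced"]
    return dict(summary)


def allow_rules(summary):
    """Render one minimal TE allow rule per (stype, ttype, tclass) group."""
    rules = []
    for (stype, ttype, tclass), info in sorted(summary.items()):
        perms = " ".join(sorted(info["perms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT)
    for key, info in groups.items():
        state = "blocked in enforcing mode" if info["blocked"] else "only logged (permissive)"
        print(key, sorted(info["perms"]), state)
    print("\n".join(allow_rules(groups)))
```

Run on the sample, the two records collapse into a single group, samba_net_t acting on samba_var_t sock_file objects, needing create and unlink, with the group marked as blocked because the first denial was taken in enforcing mode. Merging across a run that includes permissive-mode output matters here: the unlink denial only became visible once the create was allowed, so a rule derived from the enforcing-mode log alone would have been incomplete.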

Comment 2 Miroslav Grepl 2015-08-17 08:33:31 UTC
We need to add

manage_sock_files_pattern(samba_net_t, samba_var_t, samba_var_t)

Comment 3 Milos Malik 2015-08-18 06:31:53 UTC
Patrik, are you willing to test the functional part of the bug?

Comment 4 Lukas Vrabec 2015-08-18 08:04:33 UTC
commit 5b8de5e427c51ada8578e93294c9e64294f8e33e
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 10:02:06 2015 +0200

    Allow samba_net_t to manage samba_var_t sock files.
    Resolves: #1252937

Comment 5 Patrik Kis 2015-08-18 09:42:45 UTC
(In reply to Milos Malik from comment #3)
> Patrik, are you willing to test the functional part of the bug?

No problem.

Comment 7 Patrik Kis 2015-08-20 13:27:52 UTC
The functional test was executed and passed; no AVC denials were logged.

Comment 10 errata-xmlrpc 2015-11-19 10:43:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html