Bug 145025

Summary: smbmount - needs samba access permissions
Product: [Fedora] Fedora
Reporter: Ivan Gyurdiev <ivg231>
Component: selinux-policy-strict
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2005-02-07 22:32:22 UTC
Attachments:
Samba.te file
Samba.te patch

Description Ivan Gyurdiev 2005-01-13 20:52:15 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
smbmount needs at least those permissions to work:

getattr, read on samba_etc_t (smb.conf)
read, write, lock on samba_var_t (gencache.tdb)
read, ioctl on system_u:object_r:cifs_t
append, getattr on samba_log_t (smbmount.log)
create connect write - unix_dgram_socket

Currently it runs as mount_t and lacks those permissions.

Corresponding denials:

audit(1105648184.429:0): avc:  denied  { read } for  pid=2664
exe=/bin/mount path=/init dev=rootfs ino=7
scontext=system_u:system_r:mount_t tcontext=system_u:object_r:root_t
tclass=file
audit(1105648184.458:0): avc:  denied  { setuid } for  pid=2665
exe=/bin/mount capability=7 scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=capability

audit(1105648184.459:0): avc:  denied  { setgid } for  pid=2665
exe=/bin/mount capability=6 scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=capability

audit(1105648184.944:0): avc:  denied  { getattr } for  pid=2665
exe=/usr/bin/smbmount path=/etc/samba/smb.conf dev=dm-0 ino=667484
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_etc_t tclass=file

audit(1105648184.945:0): avc:  denied  { read } for  pid=2665
exe=/usr/bin/smbmount name=smb.conf dev=dm-0 ino=667484
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_etc_t tclass=file

audit(1105648185.028:0): avc:  denied  { getattr } for  pid=2665
exe=/usr/bin/smbmount path=/win dev=dm-0 ino=616513
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:default_t tclass=dir

audit(1105648185.051:0): avc:  denied  { read write } for  pid=2665
exe=/usr/bin/smbmount name=gencache.tdb dev=dm-0 ino=1168448
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_var_t tclass=file

audit(1105648185.051:0): avc:  denied  { lock } for  pid=2665
exe=/usr/bin/smbmount path=/var/cache/samba/gencache.tdb dev=dm-0
ino=1168448 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_var_t tclass=file

audit(1105648185.054:0): avc:  denied  { getattr } for  pid=2665
exe=/usr/bin/smbmount path=/var/cache/samba/gencache.tdb dev=dm-0
ino=1168448 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_var_t tclass=file

audit(1105648185.219:0): avc:  denied  { getattr } for  pid=2665
exe=/usr/bin/smbmount path=/var/cache/samba dev=dm-0 ino=1168253
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_var_t tclass=dir
SELinux: initialized (dev smbfs, type smbfs), uses genfs_contexts

audit(1105648185.467:0): avc:  denied  { read } for  pid=2666
exe=/usr/bin/smbmount name=/ dev=smbfs ino=2
scontext=system_u:system_r:mount_t tcontext=system_u:object_r:cifs_t
tclass=dir

audit(1105648185.467:0): avc:  denied  { ioctl } for  pid=2666
exe=/usr/bin/smbmount path=/win dev=smbfs ino=2
scontext=system_u:system_r:mount_t tcontext=system_u:object_r:cifs_t
tclass=dir

audit(1105648185.503:0): avc:  denied  { append } for  pid=2666
exe=/usr/bin/smbmount name=smbmount.log dev=dm-0 ino=146038
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_log_t tclass=file

audit(1105648185.503:0): avc:  denied  { create } for  pid=2666
exe=/usr/bin/smbmount scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=unix_dgram_socket

audit(1105648185.503:0): avc:  denied  { connect } for  pid=2666
exe=/usr/bin/smbmount scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=unix_dgram_socket

audit(1105648185.503:0): avc:  denied  { write } for  pid=2666
exe=/usr/bin/smbmount scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=unix_dgram_socket

audit(1105648185.612:0): avc:  denied  { getattr } for  pid=2666
exe=/usr/bin/smbmount path=/var/log/samba/smbmount.log dev=dm-0
ino=146038 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_log_t tclass=file








Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.1-1

How reproducible:
Always

Steps to Reproduce:
1. Mount a samba share

Additional info:
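
Added example, not part of the original report: a small parser that joins the line-wrapped AVC records above and merges them into one allow rule per (source type, target type, class), in the manner of audit2allow. The function names are hypothetical, and the sample log is excerpted from the denials in this report.

```python
import re
from collections import defaultdict

# Sample input: denials excerpted from the report above, still line-wrapped,
# with an unrelated kernel message between records.
SAMPLE_LOG = """\
audit(1105648184.944:0): avc:  denied  { getattr } for  pid=2665
exe=/usr/bin/smbmount path=/etc/samba/smb.conf dev=dm-0 ino=667484
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_etc_t tclass=file

audit(1105648184.945:0): avc:  denied  { read } for  pid=2665
exe=/usr/bin/smbmount name=smb.conf dev=dm-0 ino=667484
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_etc_t tclass=file
SELinux: initialized (dev smbfs, type smbfs), uses genfs_contexts
audit(1105648185.503:0): avc:  denied  { create } for  pid=2666
exe=/usr/bin/smbmount scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=unix_dgram_socket
"""

# A record runs from "audit(...): avc: denied { perms }" to the next "audit(".
RECORD = re.compile(
    r"audit\([\d.]+:\d+\): avc:\s+denied\s+\{([^}]*)\}(.*?)(?=audit\(|\Z)", re.S)


def parse_denials(log):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for m in RECORD.finditer(log):
        fields = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record: skip it rather than guess
        # A context is user:role:type; only the type matters for TE rules.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        yield src, tgt, fields["tclass"], m.group(1).split()


def to_allow_rules(log):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(log):
        # Same source and target type is written as "self" in policy.
        merged[(src, "self" if src == tgt else tgt, tclass)].update(perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    print("\n".join(to_allow_rules(SAMPLE_LOG)))
```

The rules come out against mount_t because that is the domain smbmount ran in; the rest of this bug gives smbmount its own domain instead of widening mount_t.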

Comment 1 Ivan Gyurdiev 2005-01-13 22:32:47 UTC
smbiod:

audit(1105655461.646:0): avc:  denied  { write } for  pid=2671
comm=smbiod laddr=192.168.0.2 lport=58431 faddr=192.168.0.3 fport=139
scontext=system_u:system_r:kernel_t tcontext=root:sysadm_r:mount_t
tclass=tcp_socket

audit(1105655461.646:0): avc:  denied  { read } for  pid=2671
comm=smbiod laddr=192.168.0.2 lport=58431 faddr=192.168.0.3 fport=139
scontext=system_u:system_r:kernel_t tcontext=root:sysadm_r:mount_t
tclass=tcp_socket


Comment 2 Ivan Gyurdiev 2005-01-13 22:38:40 UTC
gnome-vfs-daemon:

audit(1105648235.958:0): avc:  denied  { write } for  pid=3754
exe=/usr/libexec/gnome-vfs-daemon laddr=192.168.0.2 lport=41856
faddr=192.168.0.3 fport=139 scontext=user_u:user_r:user_t
tcontext=system_u:system_r:mount_t tclass=tcp_socket


Comment 3 Daniel Walsh 2005-01-26 15:44:48 UTC
OK, we are going to need some context for smbmount.  I have put together a
preliminary policy for smbmount that I want you to try and, if you can, finish
it, since I don't currently have access to an smb environment.  Or at least
submit the AVC messages.  (You might want to do this in permissive mode.)

Dan

Comment 4 Ivan Gyurdiev 2005-01-26 17:09:05 UTC
Okay, where's the policy?

Comment 5 Daniel Walsh 2005-01-26 17:39:09 UTC
It is out on people
ftp://people.redhat.com/dwalsh/SELinux/Fedora

selinux-policy-strict-*1.21.3-4
You will need to restorecon /usr/bin/smbmount

Good luck.  You can communicate with me on the #selinux chat room if you need
a quick response.

Dan


Comment 6 Ivan Gyurdiev 2005-01-27 07:15:25 UTC
Is "can_ypbind" necessary? I'm not familiar with ypbind, but
I didn't see any related denials.

The rest of the rules look fine, but see - now smbmount can't access
any of the things in the mount policy, and it needs some of those
permissions. See below. How can smbmount inherit some permissions
from mount?


In the meantime here are the denials:

Common with mount
==============================
It can't { getattr search mounton } mnt_t where I put the mount point
It can't { create write add_name create unlink } etc_t (for mtab backups)
It can't { read append getattr } etc_runtime_t (for mtab)
It can't { mount } cifs_t, available through this rule:
 allow mount_t file_type:filesystem { unmount mount relabelto };
in mount.te

Other, more general denials include:
====================================
It can't { signal sigchld} self:process
It can't read_locale()
It can't { search } devpts_t
It can't { read write } sysadm_devpts_t
It can't { use } /dev/pts/2 of type user_t
It can't { read write ioctl } /dev/tty

Some of those are already in the mount policy.
Others are not.

Samba-related stuff:
===================
It can't { search } samba_log_t or var_log_t
   (Will it also need to create the log file 
               if it's missing? - need to test)

It can't { create connect} unix_stream_socket in the same domain.

It can't { search } samba_var_t:dir.

It can't { read getattr } this thing of type lib_t: gconv-modules.cache

It can't { fork } itself.

It can't { search getattr } bin_t:dir
in order to { read execute execute_no_trans } bin_t:file (/usr/bin/smbmnt)
which it tries to do.
 
Finally there's this kind of denial:

audit(1106808301.487:0): avc:  denied  { read } for  pid=1383
comm=smbiod laddr=192.168.2.96 lport=45305 faddr=192.168.2.96
fport=445 scontext=system_u:system_r:kernel_t
tcontext=root:sysadm_r:smbmount_t tclass=tcp_socket

audit(1106808303.487:0): avc:  denied  { write } for  pid=1389
exe=/usr/libexec/gnome-vfs-daemon laddr=192.168.2.96 lport=45305
faddr=192.168.2.96 fport=445 scontext=user_u:user_r:user_t
tcontext=root:sysadm_r:smbmount_t tclass=tcp_socket

Hope this is helpful.
I can add some of these myself, but I wasn't clear
on how to structure this with respect to the mount policy.







Comment 7 Daniel Walsh 2005-01-27 16:11:49 UTC
ypbind will only come into effect if you are running in an NIS environment,  it
is required.

Not sure I caught them all but here is the bottom section of samba.te


ifdef(`mount.te', `
#
# Domain for running smbmount
#
application_domain(smbmount, `, fs_domain, nscd_client_domain');
can_network(smbmount_t)
can_ypbind(smbmount_t)
allow smbmount_t cifs_t:dir r_dir_perms;
allow smbmount_t self:unix_dgram_socket create_socket_perms;
allow smbmount_t samba_etc_t:file r_file_perms;
allow smbmount_t samba_log_t:dir r_dir_perms;
allow smbmount_t samba_log_t:file ra_file_perms;
allow smbmount_t samba_var_t:dir r_dir_perms;
allow smbmount_t samba_var_t:file rw_file_perms;
domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
r_dir_file(smbmount_t, proc_t)
allow smbmount_t self:capability { signal sigchld net_bind_service sys_rawio
sys_admin dac_override chown };
allow smbmount_t self:process { fork signal_perms };
file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
allow smbmount_t cifs_t:dir mounton;
allow smbmount_t cifs_t:dir search;
allow smbmount_t mnt_t:dir mounton;
read_locale(smbmount_t)
allow smbmount_t userdomain:fd use;
allow smbmount_t self:unix_stream_socket create_socket_perms;
can_exec(smbmount_t, bin_t)
allow kernel_t smbmount_t:tcp_socket { read write };
allow smbmount_t file_type:filesystem { unmount mount relabelto };
')


Comment 8 Ivan Gyurdiev 2005-01-27 18:31:26 UTC
Well I was wondering if there could be some sort of common macro in mount.te
that gives a bunch of those permissions to smbmount_t and mount_t.

allow smbmount_t file_type:filesystem { unmount mount relabelto };
Shouldn't this be restricted to particular filesystems?

allow smbmount_t cifs_t:dir search;
Hmm...why is this needed...I should investigate

allow smbmount_t cifs_t:dir mounton;
This looks wrong in light of what Stephen Smalley said about binfmt.
I will test some more to see if I get this kind of denial or if it's
some sort of dual mount problem. 

allow smbmount_t samba_log_t:file ra_file_perms;
Do you know if smbmount creates the file if it isn't there?

allow smbmount_t self:unix_stream_socket create_socket_perms;
You should put that next to the dgram_socket one.

can_exec(smbmount_t, bin_t)
Isn't the scope of this rule too broad?
Now it can execute all of bin_t. Maybe label smbmnt differently?

What about mount.cifs?

Comment 9 Ivan Gyurdiev 2005-01-27 18:39:25 UTC
allow smbmount_t cifs_t:dir mounton;
allow smbmount_t cifs_t:dir search;

Hmm - yeah, where are those two coming from?
They're not in my list of denials - I don't think.




Comment 10 Daniel Walsh 2005-01-27 19:42:10 UTC
Ok updated the latest policy on 
ftp://people.redhat.com/dwalsh/SELinux/Fedora

smb seems to be working.

cifs works a lot better and requires no policy change.

I have gotten rid of all smb errors on my test machine.

selinux-policy-strict-1.21.4-2


Comment 11 Ivan Gyurdiev 2005-01-27 22:53:47 UTC
What about my comments in #8 and #9?
Some of those permissions seem too broad,
or unnecessary - see above.

Also I get denials:

Tty stuff:
{ search } devpts_t:dir
{ read write } sysadm_devpts_t:chr_file
{ read write ioctl } sysadm_devtty_t:chr_file

{ search } bin_t:dir   (Need this for finding /usr/bin/smbmnt)
{ search } var_log_t:dir  
(Need this for finding /var/log/samba/smbmount.log)
{ mount } cifs_t:filesystem

That last one is because cifs_t is fs_type, not file_type.

Finally there are still denials of this type:
audit(1106866332.138:0): avc:  denied  { write } for  pid=30275
exe=/bin/ls laddr=192.168.2.96 lport=58074 faddr=192.168.2.96
fport=445 scontext=root:sysadm_r:sysadm_t
tcontext=root:sysadm_r:smbmount_t tclass=tcp_socket







 

Comment 12 Ivan Gyurdiev 2005-01-29 16:04:57 UTC
Ok, fixes.

Attached is a patch between selinux-policy-strict-1.21.5-2
and what I have. Also attached is the samba.te file itself.
It does the following:

- comments everything and organizes it so it's not just
a list of rules ordered randomly
- removes permissions that I think are unnecessary.. like
mounton on cifs_t, and some other things 
- restricts permissions that are overly broad like the rule
that lets smbmount mount every filesystem
- adds rules that I needed to eliminate ALL denials. I don't
get any denials anymore. Most of them were tty rules, but
there were some search rules, and a log creation rule, etc.
There was also a bug in the cifs mount rule that I fixed.

Please consider for inclusion. Also, please look at FIXMEs and see
if those are necessary - I just didn't know.

smbmnt_t should probably be labeled as something else so
smbmount_t doesn't have execute permissions on all of bin_t.






Comment 13 Ivan Gyurdiev 2005-01-29 16:05:56 UTC
Created attachment 110384
Samba.te file 

This is my samba.te file

Comment 14 Ivan Gyurdiev 2005-01-29 16:06:34 UTC
Created attachment 110385
Samba.te patch

And this is the patch.

Comment 15 Daniel Walsh 2005-01-31 16:11:17 UTC
Added in  1.21.5-3

Comment 16 Ivan Gyurdiev 2005-02-01 03:24:26 UTC
Here's some changes to address a FIXME. 
Restricts execute privileges of smbmount.
Also smbmnt now transitions to smbmount_t if executed by users.

--- samba.te   2005-01-31 20:14:24.000000000 -0700
+++ samba.new    2005-01-31 20:17:33.000000000 -0700
@@ -164,9 +164,8 @@
 r_dir_file(smbmount_t, proc_t)

 # Fork smbmnt
-# FIXME: label bin_t as more restricted type?
 allow smbmount_t bin_t:dir r_dir_perms;
-can_exec(smbmount_t,bin_t)
+can_exec(smbmount_t,smbmount_exec_t)
 allow smbmount_t self:process { fork signal_perms };

 # Mount
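
Review bot: the unchanged `allow smbmount_t bin_t:dir r_dir_perms;` line kept beside the new can_exec still grants the whole r_dir_perms set on bin_t directories, while the bin_t:dir denials reported in this bug were only search and getattr. Now that execution is limited to smbmount_exec_t, consider narrowing that line to `allow smbmount_t bin_t:dir { search getattr };`. Since can_exec runs the target without a domain transition, smbmnt also keeps every permission of smbmount_t; a comment above the rule saying that is intended would help the next reader.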

--- samba.fc   2005-01-31 20:13:07.000000000 -0700
+++ samba.new    2005-01-31 20:13:37.000000000 -0700
@@ -20,5 +20,6 @@
 /var/run/samba/nmbd\.pid --    system_u:object_r:nmbd_var_run_t
 /var/spool/samba(/.*)?         system_u:object_r:samba_var_t
 ifdef(`mount.te', `
-/usr/bin/smbmount              system_u:object_r:smbmount_exec_t
+/usr/bin/smbmount -- system_u:object_r:smbmount_exec_t
+/usr/bin/smbmnt        -- system_u:object_r:smbmount_exec_t
 ')
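
Review bot: the new `/usr/bin/smbmnt` entry only takes effect once the file is relabelled, and the description does not say so. Ask testers to run restorecon on /usr/bin/smbmnt, as comment 5 did for smbmount; otherwise smbmnt keeps its bin_t label and the narrowed `can_exec(smbmount_t,smbmount_exec_t)` in samba.te will deny the exec. Both binaries now share one entry-point type, so a short comment in samba.fc stating that this is deliberate would also be worth adding.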