Bug 1520332

Summary: A new policy should be added to allow sssd_pac to access libaesni-intel-samba4.so
Product: [Fedora] Fedora
Reporter: Fabiano Fidêncio <fidencio>
Component: samba
Assignee: Guenther Deschner <gdeschner>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: abokovoy, anoopcs, asn, dwalsh, gdeschner, jarrpa, lmohanty, lslebodn, lvrabec, madam, mgrepl, plautrba, pmoore, sbose, ssorce
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-12-04 10:57:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Fabiano Fidêncio 2017-12-04 09:31:22 UTC
This issue happens with https://bodhi.fedoraproject.org/updates/FEDORA-2017-46d55b2108

Dec 04 10:12:36 pessoa audit[3989]: AVC avc:  denied  { execstack } for  pid=3989 comm="sssd_pac" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0
Dec 04 10:12:36 pessoa sssd[3982]: /usr/libexec/sssd/sssd_pac: error while loading shared libraries: libaesni-intel-samba4.so: cannot enable executable stack as shared object requires: Permission denied
Dec 04 10:12:39 pessoa dbus-daemon[965]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.31' (uid=0 pid=933 comm="/usr/sbin/sedispatch " label="system_u:system_r:audisp_t:s0") (using servicehelper)
Dec 04 10:12:40 pessoa dbus-daemon[965]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec 04 10:12:43 pessoa setroubleshoot[3991]: SELinux is preventing sssd_pac from using the execstack access on a process. For complete SELinux messages run: sealert -l c7db38d4-80d7-4a9f-890e-3522b2b11231
Dec 04 10:12:43 pessoa python3[3991]: SELinux is preventing sssd_pac from using the execstack access on a process.
                                      
                                      *****  Plugin catchall (100. confidence) suggests   **************************
                                      
                                      If you believe that sssd_pac should be allowed execstack access on processes labeled sssd_t by default
                                      Then you should report this as a bug.
                                      You can generate a local policy module to allow this access.
                                      Do
                                      allow this access for now by executing:
                                      # ausearch -c 'sssd_pac' --raw | audit2allow -M my-sssdpac
                                      # semodule -X 300 -i my-sssdpac.pp


Please, let me know if some info is needed.

Comment 1 Lukas Slebodnik 2017-12-04 09:42:51 UTC
I would say that it is related to the update 4.7.3-1
"Enable AES acceleration on Intel compatible CPUs by default"

But I do not think we should allow executing something on the stack.
   execstack     Make the main process stack executable.

And if we really want that, then there should be a boolean which is disabled by default.

Anyway moving to samba.

Comment 2 Sumit Bose 2017-12-04 10:04:28 UTC
JFYI, sssd_pac just links libndr-krb5pac.so to parse (the already decrypted) NDR encoded PAC. Is libaesni-intel-samba4.so really needed for NDR processing? (The next question would be if the performance improvement really justifies the risks of an executable stack?)
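The AVC in the description and the execstack note in Comment 1 come down to one ELF property: whether the library's PT_GNU_STACK program header carries PF_X (shown as `RWE` by readelf). The checker below is an added example, not code from the bug report, SSSD or Samba. It reads that header from a shared object on disk, or from a headers-only ELF image it builds itself so it can be exercised without the library, and reports which of the three cases the dynamic loader would see. It assumes a little-endian host (x86-64, aarch64) and spells out the ELF64 structures instead of including <elf.h>; the install path used in the usage line is an assumption, since the report does not give one.

```c
/* Added example, not code from the bug report, SSSD or Samba: classify an
 * ELF64 image by its PT_GNU_STACK program header. A library whose header has
 * PF_X set is what makes ld.so print "cannot enable executable stack as
 * shared object requires" and, under SELinux, triggers the { execstack }
 * denial quoted in the description. Assumes a little-endian host. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {                       /* ELF64 file header, 64 bytes */
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf64_ehdr;

typedef struct {                       /* ELF64 program header, 56 bytes */
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} elf64_phdr;

#define PT_LOAD      1u
#define PT_GNU_STACK 0x6474e551u       /* PT_LOOS + 0x474e551 */
#define PF_X 1u
#define PF_W 2u
#define PF_R 4u

enum stack_status {
    STACK_INVALID  = -1,  /* not a little-endian ELF64 image, or unreadable */
    STACK_UNMARKED =  0,  /* no PT_GNU_STACK: loader falls back to its arch default (executable on x86 historically) */
    STACK_NOEXEC   =  1,  /* PT_GNU_STACK without PF_X ("RW"): the normal, safe marking */
    STACK_EXEC     =  2,  /* PT_GNU_STACK with PF_X ("RWE"): needs execstack, the case in this bug */
};

/* Classify an ELF image held in memory; only the headers need to be present. */
int gnu_stack_status(const uint8_t *buf, size_t len)
{
    elf64_ehdr eh;
    if (len < sizeof eh)
        return STACK_INVALID;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */ ||
        eh.e_ident[5] != 1 /* ELFDATA2LSB */ || eh.e_phentsize != sizeof(elf64_phdr))
        return STACK_INVALID;
    /* Bounds-check the program header table before walking it. */
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(elf64_phdr) > len - eh.e_phoff)
        return STACK_INVALID;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        elf64_phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_UNMARKED;
}

/* Read just the headers of a file on disk and classify it. */
int gnu_stack_status_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return STACK_INVALID;
    elf64_ehdr eh;
    int status = STACK_INVALID;
    if (fread(&eh, sizeof eh, 1, f) == 1) {
        size_t need = (size_t)eh.e_phoff + (size_t)eh.e_phnum * sizeof(elf64_phdr);
        if (need < sizeof eh)
            need = sizeof eh;
        if (need <= (1u << 20)) {      /* real phdr tables are tiny; refuse absurd offsets */
            uint8_t *buf = malloc(need);
            if (buf) {
                rewind(f);
                status = gnu_stack_status(buf, fread(buf, 1, need, f));
                free(buf);
            }
        }
    }
    fclose(f);
    return status;
}

/* Build a headers-only ELF64 shared-object image (constructed test data, no
 * code in it) with the requested PT_GNU_STACK marking and classify it. */
int status_of_test_image(int with_gnu_stack, uint32_t stack_flags)
{
    uint8_t img[sizeof(elf64_ehdr) + 2 * sizeof(elf64_phdr)];
    elf64_ehdr eh = {0};
    elf64_phdr ph[2] = {{0}};
    memcpy(eh.e_ident, "\x7f" "ELF\x02\x01\x01", 7);   /* magic, ELFCLASS64, LSB, EV_CURRENT */
    eh.e_type = 3; eh.e_machine = 62; eh.e_version = 1;  /* ET_DYN, EM_X86_64 */
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(elf64_phdr);
    eh.e_phnum = with_gnu_stack ? 2 : 1;
    ph[0].p_type = PT_LOAD; ph[0].p_flags = PF_R | PF_X; ph[0].p_align = 0x1000;
    ph[1].p_type = PT_GNU_STACK; ph[1].p_flags = stack_flags;
    memcpy(img, &eh, sizeof eh);
    memcpy(img + sizeof eh, ph, eh.e_phnum * sizeof ph[0]);
    return gnu_stack_status(img, sizeof eh + eh.e_phnum * sizeof ph[0]);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "no PT_GNU_STACK", "non-executable stack", "executable stack REQUIRED" };
    /* Usage (assumed path): ./gnustack /usr/lib64/samba/libaesni-intel-samba4.so */
    for (int i = 1; i < argc; i++) {
        int s = gnu_stack_status_file(argv[i]);
        printf("%s: %s\n", argv[i], s < 0 ? "unreadable or not ELF64" : names[s]);
    }
    return 0;
}
```

`readelf -lW <library> | grep GNU_STACK` gives the same answer from the command line: `RWE` in the flags column is the marking that needs execstack, `RW` is the normal one. As general GNU ld behaviour (not something the report itself establishes about this library), an otherwise ordinary shared object usually ends up with `RWE` because one of its input objects, typically hand-written assembly, lacks a `.note.GNU-stack` section, so the linker assumes it needs an executable stack; `-z noexecstack` at link time or adding that section to the assembly source clears it.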

Comment 3 Fabiano Fidêncio 2017-12-04 10:08:26 UTC
It seems that the issue may actually be on the Samba side (https://bugzilla.redhat.com/show_bug.cgi?id=1520163).

Andreas is doing a new build and I'll close this bug if his build solves the issue.

Comment 4 Fabiano Fidêncio 2017-12-04 10:57:39 UTC
Okay, this bug is actually a DUP of 1520163.

*** This bug has been marked as a duplicate of bug 1520163 ***

Comment 5 Fabiano Fidêncio 2017-12-04 10:59:29 UTC
JFTR: I've tested https://koji.fedoraproject.org/koji/taskinfo?taskID=23542441