Bug 1817989

Summary: avc denial on winbind
Product: Red Hat Enterprise Linux 8
Reporter: Petr Sklenar <psklenar>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.0
CC: lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rc
Keywords: Regression, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-27 12:28:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Petr Sklenar 2020-03-27 11:46:13 UTC
Description of problem:
avc denial on winbind 

+ see 
https://bugzilla.redhat.com/show_bug.cgi?id=1817870


Version-Release number of selected component (if applicable):
rhel82
selinux-policy-3.14.3-40.el8.noarch

How reproducible:
!!! rarely, not always !!!

Steps to Reproduce:
1. https://beaker.engineering.redhat.com/recipes/8067055#task108204248,task108204258
2. /usr/bin/bkr workflow-tomorrow --task=/CoreOS/realmd/Sanity/AD-permit-and-deny-sanity-test --distro=rhel8.2 --repeat=10 --abrt

Actual results:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-40.el8.noarch
----
time->Fri Mar 27 05:47:02 2020
type=USER_AVC msg=audit(1585302422.934:802): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/winbind.service" cmdline="" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:samba_unit_file_t:s0 tclass=service permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Mar 27 05:47:03 2020
type=USER_AVC msg=audit(1585302423.044:803): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/winbind.service" cmdline="" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:samba_unit_file_t:s0 tclass=service permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'



Expected results:


Additional info:
rhel81 with NO avc denial:
https://beaker.engineering.redhat.com/jobs/4160806

avc denial with rhel82
https://beaker.engineering.redhat.com/jobs/4160808

Comment 1 Zdenek Pytela 2020-03-27 12:06:31 UTC
Fixed in Fedora:

commit 9df0f6d4317514a36f5e28bf57a0d1118d39bc0e
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jan 7 17:25:02 2020 +0100

    Allow NetworkManager_t domain to get status of samba services
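
As an added illustration (not code from this bug or from the selinux-policy project), a small Python parser that pulls the denial tuple out of the USER_AVC records quoted in the description and renders the raw type-enforcement rule matching the commit message above. The record string is a constructed copy of the first record in the description; the real Fedora fix is expressed through the policy's interface macros, which this page does not show, so the rendered rule is illustrative of what audit2allow would propose, not the exact policy change.

```python
import re

# Constructed copy of the first USER_AVC record quoted in this bug (same fields).
SAMPLE_USER_AVC = (
    "type=USER_AVC msg=audit(1585302422.934:802): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } "
    "for auid=n/a uid=0 gid=0 path=\"/usr/lib/systemd/system/winbind.service\" "
    "cmdline=\"\" scontext=system_u:system_r:NetworkManager_t:s0 "
    "tcontext=system_u:object_r:samba_unit_file_t:s0 tclass=service permissive=0  "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'"
)

# "avc:  denied  { status }" -> decision and the permission set in braces.
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}")
# key=value pairs; values may be double-quoted (path="...") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return the denial tuple of one AVC/USER_AVC record, or None if it is not an AVC."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(record[m.end():])}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "path": fields.get("path"),
        # permissive=1 means the access was logged but not blocked.
        "permissive": fields.get("permissive"),
    }


def context_type(context):
    """user:role:type:level -> type (e.g. NetworkManager_t)."""
    return context.split(":")[2]


def allow_rule(avc):
    """Render the raw TE rule that would cover this denial (audit2allow style)."""
    return "allow %s %s:%s { %s };" % (
        context_type(avc["scontext"]), context_type(avc["tcontext"]),
        avc["tclass"], " ".join(avc["perms"]))


def rules_for(records):
    """Collapse many records (the bug shows two identical ones) into unique rules."""
    parsed = (parse_avc(r) for r in records)
    return sorted({allow_rule(a) for a in parsed if a and a["decision"] == "denied"})
```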

Comment 2 Milos Malik 2020-03-27 12:21:25 UTC
I believe this bug is a duplicate of BZ#1781806.

Comment 3 Lukas Vrabec 2020-03-27 12:28:39 UTC

*** This bug has been marked as a duplicate of bug 1781806 ***