Bug 1855215

Summary: selinux prevents adcli from executing /usr/bin/net command through sssd
Product: Red Hat Enterprise Linux 8
Reporter: Niranjan Mallapadi Raghavender <mniranja>
Component: selinux-policy
Assignee: Patrik Koncity <pkoncity>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.3
CC: apeetham, dapospis, lslebodn, lvrabec, mmalik, pkoncity, plautrba, sbose, sgoveas, ssekidde, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: 8.5
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.14.3-79.el8
Doc Type: No Doc Update
Last Closed: 2021-11-09 19:42:28 UTC
Type: Bug
Bug Blocks: 1793727, 1842946, 1969483

Description Niranjan Mallapadi Raghavender 2020-07-09 09:12:16 UTC
Description of problem:
selinux prevents adcli from executing the /usr/bin/net command through the sssd process.

adcli, when called through sssd, fails to execute the /usr/bin/net command.

<snip>
type=AVC msg=audit(1594283288.118:2290): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594283288.118:2291): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
</snip>



Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.14.3-48.el8.noarch
libselinux-2.9-3.el8.x86_64
selinux-policy-3.14.3-48.el8.noarch
libselinux-utils-2.9-3.el8.x86_64
sssd-2.3.0-4.el8.x86_64

How reproducible:

1. Join to AD using adcli and membership software samba
$ realm join T2ADPY12R83G.COM --client-software=sssd --server-software=active-directory --membership-software=samba -v

2. Modify sssd.conf to specify ad_update_samba_machine_account_password = True

3. Reset machine password (setpwdLastSet=0)

4. Restart sssd

Actual results:

sssd calls adcli, which adds some data by calling the /usr/bin/net command, and this fails.

From the sssd domain logs:

 * Trying to set Samba secret.
 ! Cannot run [/usr/bin/net]: [13][Permission denied].
 ! Failed to set Samba computer account password.
 * Trying to set domain SID S-1-5-21-3755728407-3718717906-4106828179 for Samba.
 ! Cannot run [/usr/bin/net]: [13][Permission denied].
 ! Failed to set Samba domain SID.
 * Failed to add Samba specific data, smbd or winbindd might not work as expected.


Expected results:
adcli, when called through the sssd process, should be able to execute the /usr/bin/net command.

Additional info:

AVC denial message in audit logs:

type=AVC msg=audit(1594283288.118:2290): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594283288.118:2291): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0


[root@vm-10-0-110-34 sssd]# ls -lZ /usr/sbin/adcli
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 162504 Jun 15 10:33 /usr/sbin/adcli
[root@vm-10-0-110-34 sssd]# ps -efZ | grep sssd
system_u:system_r:sssd_t:s0     root       25901       1  0 04:27 ?        00:00:00 /usr/sbin/sssd -i --logger=files
system_u:system_r:sssd_t:s0     root       25902   25901  0 04:27 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
system_u:system_r:sssd_t:s0     root       25903   25901  0 04:27 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain t2adpy12r83g.com --uid 0 --gid 0 --logger=files
system_u:system_r:sssd_t:s0     root       25904   25901  0 04:27 ?        00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
system_u:system_r:sssd_t:s0     root       25905   25901  0 04:27 ?        00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 26746 26044  0 05:09 pts/0 00:00:00 grep --color=auto sssd
[root@vm-10-0-110-34 sssd]# which net
/usr/bin/net
[root@vm-10-0-110-34 sssd]# ls -lZ /usr/bin/net
-rwxr-xr-x. 1 root root system_u:object_r:samba_net_exec_t:s0 948448 Jul  1 05:24 /usr/bin/net


<sssd.conf>

[sssd]
domains = t2adpy12r83g.com
config_file_version = 2
services = nss, pam

[domain/t2adpy12r83g.com]
ad_domain = t2adpy12r83g.com
krb5_realm = T2ADPY12R83G.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_maximum_machine_account_password_age = 1
ad_machine_account_password_renewal_opts = 300:15
ad_update_samba_machine_account_password = True
debug_level = 9
</sssd.conf>
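The two AVC records above carry everything needed to see why the exec fails: the source type is sssd_t (adcli inherited it because /usr/sbin/adcli is plain bin_t, so no transition happened), the target type is samba_net_exec_t, the class is file and the missing permission is execute. The parser below is an added example, not part of the bug report or of selinux-policy; it extracts those fields from raw audit lines (constructed here from the two records quoted above) and collapses them into the audit2allow-style allow rule they imply. It is a diagnostic aid only: the real fix landed in the selinux-policy PRs linked in the comments, and a bare execute rule is usually followed by further denials (execve also needs execute_no_trans unless a domain transition is defined).

```python
import re
from collections import OrderedDict

# Constructed sample: the two AVC records quoted in this bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1594283288.118:2290): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594283288.118:2291): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
"""

# Field order in a kernel AVC record is fixed: result, { perms }, comm=,
# ..., scontext=, tcontext=, tclass=. Non-AVC audit lines will not match.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type:level; the type is what policy rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(audit_text):
    """Collapse denials into the minimal allow rules, keyed by source, target, class."""
    needed = OrderedDict()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        needed.setdefault(key, set()).update(rec["perms"])
    # Only the permission that was checked and refused shows up; a second
    # execve check (execute_no_trans) can still fail after this rule is added.
    return ["allow %s %s:%s %s;" % (s, t, c, _fmt_perms(p)) for (s, t, c), p in needed.items()]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)  # the two records reduce to a single rule
```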

Comment 1 Lukas Slebodnik 2020-07-09 09:26:36 UTC
> type=AVC msg=audit(1594283288.118:2290): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1594283288.118:2291): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0

sssd does not execute /usr/bin/net directly.
It might be good to have a type transition for adcli the same way as for the sssd selinux manager.

sh# sesearch -T -s sssd_t -c process
type_transition sssd_t abrt_helper_exec_t:process abrt_helper_t;
type_transition sssd_t chkpwd_exec_t:process chkpwd_t;
type_transition sssd_t sssd_selinux_manager_exec_t:process sssd_selinux_manager_t;
type_transition sssd_t updpwd_exec_t:process updpwd_t;

But that would probably require a different fcontext for /usr/bin/adcli

sh# matchpathcon /usr/bin/adcli
/usr/bin/adcli  system_u:object_r:bin_t:s0
sh# matchpathcon /usr/bin/net
/usr/bin/net    system_u:object_r:samba_net_exec_t:s0

Comment 6 Patrik Koncity 2021-08-04 10:55:18 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/824

Comment 7 Zdenek Pytela 2021-08-23 12:00:28 UTC
Commit to backport:

commit 0feb53acc00aa74ad3946830914f6c27f27c711a (upstream/rawhide, rawhide)
Author: Patrik Koncity <pkoncity>
Date:   Tue Aug 3 14:54:07 2021 +0200

    Allow sssd to set samba setting

and

https://github.com/fedora-selinux/selinux-policy/pull/843

Comment 20 errata-xmlrpc 2021-11-09 19:42:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420

Comment 21 Red Hat Bugzilla 2023-09-15 00:34:04 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days