Bug 1889533

Summary: allow winbind_t ephemeral_port_t:tcp_socket name_connect;
Product: Red Hat Enterprise Linux 7
Reporter: Alois Mahdal <amahdal>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.9
CC: lvrabec, mmalik, plautrba, ssekidde, vmojzis
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-20 10:45:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Alois Mahdal 2020-10-19 22:23:14 UTC
Description of problem
======================

When setting up for upgrade test using /CoreOS/samba/Preupgrade, we see this:


    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      31
    selinux-policy-3.13.1-268.el7_9.1.noarch
    ----
    time->Mon Oct 19 20:29:31 2020
    type=PROCTITLE msg=audit(1603132171.257:62): proctitle=2F7573722F7362696E2F77696E62696E6464002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
    type=SYSCALL msg=audit(1603132171.257:62): arch=c0000015 syscall=102 success=no exit=-13 a0=3 a1=3ffff4dab160 a2=10 a3=0 items=0 ppid=4966 pid=4968 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
    type=AVC msg=audit(1603132171.257:62): avc:  denied  { name_connect } for  pid=4968 comm="winbindd" dest=49674 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
    ----
    time->Mon Oct 19 20:29:31 2020
    type=PROCTITLE msg=audit(1603132171.417:63): proctitle=2F7573722F7362696E2F77696E62696E6464002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
    type=SYSCALL msg=audit(1603132171.417:63): arch=c0000015 syscall=102 success=no exit=-13 a0=3 a1=3ffff4dab160 a2=10 a3=0 items=0 ppid=4966 pid=4968 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
    type=AVC msg=audit(1603132171.417:63): avc:  denied  { name_connect } for  pid=4968 comm="winbindd" dest=49674 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
    ----
    time->Mon Oct 19 20:29:32 2020
    type=PROCTITLE msg=audit(1603132172.187:64): proctitle=2F7573722F7362696E2F77696E62696E6464002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
    type=SYSCALL msg=audit(1603132172.187:64): arch=c0000015 syscall=102 success=no exit=-13 a0=3 a1=3ffff4dab210 a2=10 a3=0 items=0 ppid=4966 pid=5008 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
    type=AVC msg=audit(1603132172.187:64): avc:  denied  { name_connect } for  pid=5008 comm="winbindd" dest=49674 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
    ----
    time->Mon Oct 19 20:29:32 2020
    type=PROCTITLE msg=audit(1603132172.397:65): proctitle=2F7573722F7362696E2F77696E62696E6464002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
    type=SYSCALL msg=audit(1603132172.397:65): arch=c0000015 syscall=102 success=no exit=-13 a0=3 a1=3ffff4dab210 a2=10 a3=0 items=0 ppid=4966 pid=5008 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
    type=AVC msg=audit(1603132172.397:65): avc:  denied  { name_connect } for  pid=5008 comm="winbindd" dest=49674 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0


audit2allow says:

    allow winbind_t ephemeral_port_t:tcp_socket name_connect;


Version-Release number of selected component
============================================

selinux-policy-3.13.1-268.el7_9.1.noarch


How reproducible
================

Seen it a couple of times in the last run.


Steps to Reproduce
==================

See http://pkgs.devel.redhat.com/cgit/tests/samba/tree/Preupgrade/runtest.sh

(distribution_upgrade__at_src returns true)


Actual results
==============

AVC


Expected results
================

No AVC


Additional info
===============

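An added example, not part of the bug report or of the selinux-policy package: a POSIX shell script that does by hand what audit2allow does with the records above, and shows the local-module route an administrator is left with on a RHEL 7 domain member once the policy change is not going to ship. It decodes the hex-encoded proctitle, derives the allow rule from the scontext/tcontext/tclass fields of the AVC, and writes the rule into a type-enforcement module source (.te) of the form checkmodule(8) and `audit2allow -M` accept. The sample input is the first AVC and PROCTITLE record from the report, copied verbatim; the module name winbind_ephemeral is an arbitrary choice.

```shell
#!/bin/sh
# Added example; not code from the bug report or from selinux-policy.
# Constructed sample input: the first AVC record and its PROCTITLE field
# from the report, copied verbatim.
SAMPLE_AVC='type=AVC msg=audit(1603132171.257:62): avc:  denied  { name_connect } for  pid=4968 comm="winbindd" dest=49674 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0'
SAMPLE_PROCTITLE='2F7573722F7362696E2F77696E62696E6464002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570'

# decode_hex HEX: decode an auditd hex-encoded field (proctitle, cmdline)
# into printable text. The NUL bytes that separate argv entries become spaces.
decode_hex() {
    printf '%s\n' "$1" | awk '{
        HEX = "0123456789ABCDEF"; out = ""
        for (i = 1; i <= length($0); i += 2) {
            h = toupper(substr($0, i, 2))
            n = (index(HEX, substr(h, 1, 1)) - 1) * 16 + index(HEX, substr(h, 2, 1)) - 1
            out = out (n == 0 ? " " : sprintf("%c", n))
        }
        print out
    }'
}

# avc_to_allow AVC_RECORD: print the allow rule that satisfies the denial,
# i.e. what audit2allow derives: the permission set in braces, the type
# (third colon-separated field) of scontext and tcontext, and tclass.
# Returns 1 if the line is not an AVC denial.
avc_to_allow() {
    rule=$(printf '%s\n' "$1" | sed -n \
        's/.*avc: *denied *{ *\([^}]*[^} ]\) *} for .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3:\4|\1/p')
    [ -n "$rule" ] || return 1
    head=${rule%|*}; perms=${rule#*|}
    case $perms in
        *' '*) printf 'allow %s { %s };\n' "$head" "$perms" ;;   # several permissions
        *)     printf 'allow %s %s;\n' "$head" "$perms" ;;       # single permission
    esac
}

# rule_to_te NAME RULE: wrap one allow rule in a module source file with the
# require block checkmodule needs (same layout as audit2allow -M output).
rule_to_te() {
    name=$1 rule=$2
    src=$(printf '%s\n' "$rule"   | sed 's/^allow \([^ ]*\) .*/\1/')
    tgt=$(printf '%s\n' "$rule"   | sed 's/^allow [^ ]* \([^:]*\):.*/\1/')
    cls=$(printf '%s\n' "$rule"   | sed 's/^allow [^ ]* [^:]*:\([^ ]*\) .*/\1/')
    perms=$(printf '%s\n' "$rule" | sed 's/^allow [^ ]* [^:]*:[^ ]* \(.*\);$/\1/' \
            | tr -d '{}' | sed 's/^ *//; s/ *$//')
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n%s\n' \
        "$name" "$src" "$tgt" "$cls" "$perms" "$rule"
}

echo "proctitle: $(decode_hex "$SAMPLE_PROCTITLE")"
RULE=$(avc_to_allow "$SAMPLE_AVC")
echo "rule:      $RULE"
echo
rule_to_te winbind_ephemeral "$RULE"

# To build and load the module on the affected host (not run here):
#   rule_to_te winbind_ephemeral "$RULE" > winbind_ephemeral.te
#   checkmodule -M -m -o winbind_ephemeral.mod winbind_ephemeral.te
#   semodule_package -o winbind_ephemeral.pp -m winbind_ephemeral.mod
#   semodule -i winbind_ephemeral.pp
```

Two caveats before loading such a module. The rule is exactly as broad as audit2allow's: it lets winbind_t connect to every TCP port labelled ephemeral_port_t, not only the 49674 seen in the AVC, because SELinux port labels cover a range and there is no per-port type to narrow it to; `semanage port -l | grep ephemeral` shows the range on the host. And check first whether a newer policy already carries the rule, with `sesearch -A -s winbind_t -t ephemeral_port_t -c tcp_socket -p name_connect`, so that a local module is not layered over a fix. The one-step equivalent of the script is `audit2allow -M winbind_ephemeral -i /var/log/audit/audit.log`, which writes both the .te and the .pp.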
Comment 2 Alois Mahdal 2020-10-19 22:30:36 UTC
Also tracked here: https://issues.redhat.com/browse/OAMG-4053

Comment 3 Lukas Vrabec 2020-10-20 10:45:07 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. Current minor release will be in Maintenance Support 2 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 2 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.