Bug 2025931

Summary:	smbcontrol fails in SELinux Enforcing mode
Product:	[Fedora] Fedora	Reporter:	Sergey Orlov <sorlov>
Component:	selinux-policy	Assignee:	Zdenek Pytela <zpytela>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	35	CC:	abokovoy, dwalsh, frenaud, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela
Target Milestone:	---	Keywords:	Reopened, Triaged
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-35.6-1.fc35 selinux-policy-35.7-1.fc35	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	2027740 2027751 (view as bug list)		Environment:
Last Closed:	2021-12-24 01:24:14 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	2027740, 2027751

Description Sergey Orlov 2021-11-23 12:23:03 UTC

Description of problem:


Version-Release number of selected component (if applicable):
# cat /etc/fedora-release
Fedora release 35 (Thirty Five)
 
# rpm -q samba-common-tools selinux-policy
samba-common-tools-4.15.2-3.fc35.x86_64
selinux-policy-35.5-1.fc35.noarch

How reproducible:
Always

Steps to Reproduce:
1. setenforce 1
2. dnf install samba-common-tools
3. smbcontrol all debug 100

Actual results: ERROR: Could not determine network interfaces, you must use a interfaces config line


Expected results:
No error messages

Additional info:
# ausearch -m avc
time->Tue Nov 23 05:16:25 2021
type=AVC msg=audit(1637662585.880:491): avc:  denied  { create } for  pid=1665 comm="smbcontrol" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=0

It works with setenforce 0 and on Fedora 34

Comment 1 Zdenek Pytela 2021-11-23 13:23:42 UTC

The tool now uses netlink_route_socket and udp_socket which were not required previously:

----
type=PROCTITLE msg=audit(11/23/2021 08:19:05.790:553) : proctitle=smbcontrol all debug 100
type=SYSCALL msg=audit(11/23/2021 08:19:05.790:553) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=ip a3=0x7fbb520a88b8 items=0 ppid=1060 pid=2372 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2021 08:19:05.790:553) : avc:  denied  { create } for  pid=2372 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=0
----
type=PROCTITLE msg=audit(11/23/2021 08:21:37.079:561) : proctitle=smbcontrol all debug 100
type=SYSCALL msg=audit(11/23/2021 08:21:37.079:561) : arch=x86_64 syscall=socket success=yes exit=3 a0=inet a1=SOCK_DGRAM a2=ip a3=0x1d items=0 ppid=1060 pid=2387 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2021 08:21:37.079:561) : avc:  denied  { create } for  pid=2387 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=udp_socket permissive=1
f35# ausearch -i -a 562
----
type=PROCTITLE msg=audit(11/23/2021 08:21:37.080:562) : proctitle=smbcontrol all debug 100
type=SYSCALL msg=audit(11/23/2021 08:21:37.080:562) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x3 a1=0x8946 a2=0x7fff6d74e470 a3=0x1d items=0 ppid=1060 pid=2387 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2021 08:21:37.080:562) : avc:  denied  { ioctl } for  pid=2387 comm=smbcontrol path=socket:[27789] dev="sockfs" ino=27789 ioctlcmd=0x8946 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=udp_socket permissive=1

# sesearch -A -s smbcontrol_t -t smbcontrol_t -p create
allow smbcontrol_t smbcontrol_t:anon_inode { create getattr ioctl read write };
allow smbcontrol_t smbcontrol_t:fifo_file { create link rename setattr unlink }; [ fips_mode ]:True
allow smbcontrol_t smbcontrol_t:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow smbcontrol_t smbcontrol_t:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow smbcontrol_t smbcontrol_t:tcp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow smbcontrol_t smbcontrol_t:unix_dgram_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow smbcontrol_t smbcontrol_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };

Comment 2 Zdenek Pytela 2021-11-23 13:38:22 UTC

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/951

Comment 3 Alexander Bokovoy 2021-11-26 20:20:05 UTC

FYI, I can see the same issue in RHEL 8.6.0 development so we'd need to get this fixed in RHEL as well.

Comment 4 Fedora Update System 2021-11-29 16:03:32 UTC

FEDORA-2021-ea3fa543f0 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ea3fa543f0

Comment 5 Zdenek Pytela 2021-11-29 16:52:36 UTC

(In reply to Alexander Bokovoy from comment #3)
> FYI, I can see the same issue in RHEL 8.6.0 development so we'd need to get
> this fixed in RHEL as well.

In that case please clone this bz for RHEL 8 and RHEL 9 if applies there, too.

Comment 6 Fedora Update System 2021-11-30 02:19:09 UTC

FEDORA-2021-ea3fa543f0 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ea3fa543f0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ea3fa543f0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Milos Malik 2021-11-30 17:19:46 UTC

One of our automated tests triggers the following SELinux denials in permissive mode:
 ----
type=PROCTITLE msg=audit(11/30/2021 12:16:00.369:514) : proctitle=smbcontrol nmbd ping 
type=SYSCALL msg=audit(11/30/2021 12:16:00.369:514) : arch=x86_64 syscall=socket success=yes exit=3 a0=netlink a1=SOCK_RAW a2=ip a3=0x7f08f278b8b8 items=0 ppid=5156 pid=7541 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/30/2021 12:16:00.369:514) : avc:  denied  { create } for  pid=7541 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=1 
----
type=PROCTITLE msg=audit(11/30/2021 12:16:00.370:515) : proctitle=smbcontrol nmbd ping 
type=SOCKADDR msg=audit(11/30/2021 12:16:00.370:515) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } 
type=SYSCALL msg=audit(11/30/2021 12:16:00.370:515) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffdda4b207c a2=0xc a3=0x7f08f278b8b8 items=0 ppid=5156 pid=7541 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/30/2021 12:16:00.370:515) : avc:  denied  { bind } for  pid=7541 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=1 
----
type=PROCTITLE msg=audit(11/30/2021 12:16:00.371:516) : proctitle=smbcontrol nmbd ping 
type=SOCKADDR msg=audit(11/30/2021 12:16:00.371:516) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=7541 } 
type=SYSCALL msg=audit(11/30/2021 12:16:00.371:516) : arch=x86_64 syscall=getsockname success=yes exit=0 a0=0x3 a1=0x7ffdda4b207c a2=0x7ffdda4b2078 a3=0x7f08f278b8b8 items=0 ppid=5156 pid=7541 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/30/2021 12:16:00.371:516) : avc:  denied  { getattr } for  pid=7541 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=1 
----
type=PROCTITLE msg=audit(11/30/2021 12:16:00.371:517) : proctitle=smbcontrol nmbd ping 
type=SOCKADDR msg=audit(11/30/2021 12:16:00.371:517) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } 
type=SYSCALL msg=audit(11/30/2021 12:16:00.371:517) : arch=x86_64 syscall=sendto success=yes exit=20 a0=0x3 a1=0x7ffdda4b2050 a2=0x14 a3=0x0 items=0 ppid=5156 pid=7541 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/30/2021 12:16:00.371:517) : avc:  denied  { nlmsg_read } for  pid=7541 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=1 
----
type=PROCTITLE msg=audit(11/30/2021 12:16:00.372:518) : proctitle=smbcontrol nmbd ping 
type=PATH msg=audit(11/30/2021 12:16:00.372:518) : item=0 name=/proc/net/unix inode=4026532059 dev=00:16 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/30/2021 12:16:00.372:518) : cwd=/root/selinux-policy/Regression/smbcontrol-and-similar 
type=SYSCALL msg=audit(11/30/2021 12:16:00.372:518) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7ffdda4b20e0 a1=R_OK a2=0x8 a3=0x5619654fd3c4 items=1 ppid=5156 pid=7541 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/30/2021 12:16:00.372:518) : avc:  denied  { read } for  pid=7541 comm=smbcontrol name=unix dev="proc" ino=4026532059 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(11/30/2021 12:16:00.373:519) : proctitle=smbcontrol nmbd ping 
type=SYSCALL msg=audit(11/30/2021 12:16:00.373:519) : arch=x86_64 syscall=socket success=yes exit=3 a0=inet a1=SOCK_DGRAM a2=ip a3=0x5619654fd3c4 items=0 ppid=5156 pid=7541 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/30/2021 12:16:00.373:519) : avc:  denied  { create } for  pid=7541 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=udp_socket permissive=1 
----
type=PROCTITLE msg=audit(11/30/2021 12:16:00.373:520) : proctitle=smbcontrol nmbd ping 
type=SYSCALL msg=audit(11/30/2021 12:16:00.373:520) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x3 a1=0x8946 a2=0x7ffdda4b21c0 a3=0x5619654fd3c4 items=0 ppid=5156 pid=7541 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/30/2021 12:16:00.373:520) : avc:  denied  { ioctl } for  pid=7541 comm=smbcontrol path=socket:[32330] dev="sockfs" ino=32330 ioctlcmd=0x8946 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=udp_socket permissive=1 
----

Comment 9 Fedora Update System 2021-12-04 01:23:43 UTC

FEDORA-2021-ea3fa543f0 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Florence Blanc-Renaud 2021-12-06 08:58:45 UTC

I am re-opening this BZ because the issue is still present in selinux-policy-35.6-1.fc35.noarch:

# rpm -q samba-common-tools selinux-policy
samba-common-tools-4.15.2-3.fc35.x86_64
selinux-policy-35.6-1.fc35.noarch
# date; smbcontrol all debug 100
Mon Dec  6 03:56:23 AM EST 2021
ERROR: Could not determine network interfaces, you must use a interfaces config line
# ausearch -m AVC | grep smbcontrol
type=AVC msg=audit(1638780983.613:808): avc:  denied  { create } for  pid=6766 comm="smbcontrol" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=0

Comment 11 Zdenek Pytela 2021-12-06 16:48:29 UTC

Thanks for reporting. I think I've found the problem: CI for this build took extraordinary long so that other BZs were marked POST and were falsely marked as a part of this build. Will create a new one asap.

Comment 12 Fedora Update System 2021-12-16 16:00:03 UTC

FEDORA-2021-379f72b2bc has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-379f72b2bc

Comment 13 Fedora Update System 2021-12-17 01:57:37 UTC

FEDORA-2021-379f72b2bc has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-379f72b2bc`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-379f72b2bc

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Florence Blanc-Renaud 2021-12-17 16:52:47 UTC

The command smbcontrol now succeeds but there is still 1 AVC reported:

# cat /etc/redhat-release 
Fedora release 35 (Thirty Five)
# rpm -q samba-common-tools selinux-policy
samba-common-tools-4.15.3-0.fc35.x86_64
selinux-policy-35.7-1.fc35.noarch
# smbcontrol all debug 100
# ausearch -m AVC
----
time->Fri Dec 17 11:46:54 2021
type=AVC msg=audit(1639759614.576:572): avc:  denied  { read } for  pid=37414 comm="smbcontrol" name="unix" dev="proc" ino=4026532059 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0

Comment 15 Zdenek Pytela 2021-12-20 12:55:45 UTC

Florence,

This is a new problem which did not pop up previously, needs to be addressed separately.

Comment 16 Fedora Update System 2021-12-24 01:24:14 UTC

FEDORA-2021-379f72b2bc has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 Florence Blanc-Renaud 2022-01-10 16:22:35 UTC

(In reply to Zdenek Pytela from comment #15)
> Florence,
> 
> This is a new problem which did not pop up previously, needs to be addressed
> separately.

I opened https://bugzilla.redhat.com/show_bug.cgi?id=2038963 to track the new issue