+++ This bug was initially created as a clone of Bug #2025931 +++
Description of problem:
Version-Release number of selected component (if applicable):
# cat /etc/fedora-release
Fedora release 35 (Thirty Five)
# rpm -q samba-common-tools selinux-policy
samba-common-tools-4.15.2-3.fc35.x86_64
selinux-policy-35.5-1.fc35.noarch
How reproducible:
Always
Steps to Reproduce:
1. setenforce 1
2. dnf install samba-common-tools
3. smbcontrol all debug 100
Actual results: ERROR: Could not determine network interfaces, you must use a interfaces config line
Expected results:
No error messages
Additional info:
# ausearch -m avc
time->Tue Nov 23 05:16:25 2021
type=AVC msg=audit(1637662585.880:491): avc: denied { create } for pid=1665 comm="smbcontrol" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=0
It works with setenforce 0 and on Fedora 34
--- Additional comment from Zdenek Pytela on 2021-11-23 13:23:42 UTC ---
The tool now uses netlink_route_socket and udp_socket which were not required previously:
----
type=PROCTITLE msg=audit(11/23/2021 08:19:05.790:553) : proctitle=smbcontrol all debug 100
type=SYSCALL msg=audit(11/23/2021 08:19:05.790:553) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=ip a3=0x7fbb520a88b8 items=0 ppid=1060 pid=2372 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2021 08:19:05.790:553) : avc: denied { create } for pid=2372 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=0
----
type=PROCTITLE msg=audit(11/23/2021 08:21:37.079:561) : proctitle=smbcontrol all debug 100
type=SYSCALL msg=audit(11/23/2021 08:21:37.079:561) : arch=x86_64 syscall=socket success=yes exit=3 a0=inet a1=SOCK_DGRAM a2=ip a3=0x1d items=0 ppid=1060 pid=2387 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2021 08:21:37.079:561) : avc: denied { create } for pid=2387 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=udp_socket permissive=1
f35# ausearch -i -a 562
----
type=PROCTITLE msg=audit(11/23/2021 08:21:37.080:562) : proctitle=smbcontrol all debug 100
type=SYSCALL msg=audit(11/23/2021 08:21:37.080:562) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x3 a1=0x8946 a2=0x7fff6d74e470 a3=0x1d items=0 ppid=1060 pid=2387 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2021 08:21:37.080:562) : avc: denied { ioctl } for pid=2387 comm=smbcontrol path=socket:[27789] dev="sockfs" ino=27789 ioctlcmd=0x8946 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=udp_socket permissive=1
# sesearch -A -s smbcontrol_t -t smbcontrol_t -p create
allow smbcontrol_t smbcontrol_t:anon_inode { create getattr ioctl read write };
allow smbcontrol_t smbcontrol_t:fifo_file { create link rename setattr unlink }; [ fips_mode ]:True
allow smbcontrol_t smbcontrol_t:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow smbcontrol_t smbcontrol_t:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow smbcontrol_t smbcontrol_t:tcp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow smbcontrol_t smbcontrol_t:unix_dgram_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow smbcontrol_t smbcontrol_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
--- Additional comment from Zdenek Pytela on 2021-11-23 13:38:22 UTC ---
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/951
--- Additional comment from Alexander Bokovoy on 2021-11-26 20:20:05 UTC ---
FYI, I can see the same issue in RHEL 8.6.0 development so we'd need to get this fixed in RHEL as well.
--- Additional comment from Fedora Update System on 2021-11-29 16:03:32 UTC ---
FEDORA-2021-ea3fa543f0 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ea3fa543f0
--- Additional comment from Zdenek Pytela on 2021-11-29 16:52:36 UTC ---
(In reply to Alexander Bokovoy from comment #3)
> FYI, I can see the same issue in RHEL 8.6.0 development so we'd need to get
> this fixed in RHEL as well.
In that case please clone this bz for RHEL 8 and RHEL 9 if applies there, too.
--- Additional comment from Fedora Update System on 2021-11-30 02:19:09 UTC ---
FEDORA-2021-ea3fa543f0 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ea3fa543f0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ea3fa543f0
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:3918