Bug 2038963

Summary: smbcontrol produces AVC: denied {read} dev="proc"
Product: [Fedora] Fedora Reporter: Florence Blanc-Renaud <frenaud>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 35CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-35.9-1.fc35 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-01-18 01:55:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2033873, 2038157    

Description Florence Blanc-Renaud 2022-01-10 16:21:52 UTC 
Description of problem:
The command smbcontrol produces an AVC on Fedora 35.

Version-Release number of selected component (if applicable):
# cat /etc/fedora-release
Fedora release 35 (Thirty Five)

# rpm -q samba-common-tools selinux-policy
samba-common-tools-4.15.3-0.fc35.x86_64
selinux-policy-35.8-1.fc35.noarch

How reproducible:
Always

Steps to Reproduce:
1. setenforce 1
2. dnf install samba-common-tools
3. smbcontrol all debug 100

Actual results:
The smbcontrol command succeeds but produces an AVC

Expected results:
No AVC

Additional info:
# ausearch -m AVC
----
time->Mon Jan 10 11:02:26 2022
type=AVC msg=audit(1641830546.569:578): avc:  denied  { read } for  pid=53903 comm="smbcontrol" name="unix" dev="proc" ino=4026532059 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
Comment 1 Florence Blanc-Renaud 2022-01-10 16:34:12 UTC 
Same issue already reported against RHEL 8.6: https://bugzilla.redhat.com/show_bug.cgi?id=2033873
and against RHEL 9: https://bugzilla.redhat.com/show_bug.cgi?id=2038157
Comment 2 Fedora Update System 2022-01-13 17:25:45 UTC 
FEDORA-2022-3ec8ad0da1 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-3ec8ad0da1
Comment 3 Fedora Update System 2022-01-14 01:55:52 UTC 
FEDORA-2022-3ec8ad0da1 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-3ec8ad0da1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-3ec8ad0da1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 4 Florence Blanc-Renaud 2022-01-17 09:14:53 UTC 
The update selinux-policy-35.9-1.fc35 properly fixes this issue, I added karma + comment to https://bodhi.fedoraproject.org/updates/FEDORA-2022-3ec8ad0da1
Comment 5 Fedora Update System 2022-01-18 01:55:36 UTC 
FEDORA-2022-3ec8ad0da1 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.