Bug 2083511
| Summary: | samba-dcerpcd and samba rpcd programs need selinux-policy permissions | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Pavel Filipensky <pfilipen> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 36 | CC: | dkarpele, dustin, dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, qe-baseos-security, ssekidde, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-36.13-3.fc36 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 2083509 | Environment: | |
| Last Closed: | 2022-08-05 01:34:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2083504, 2083509 | ||
| Bug Blocks: | |||
Description
Pavel Filipensky
2022-05-10 09:33:20 UTC
Following SELinux denial appears multiple times in enforcing mode:
----
type=PROCTITLE msg=audit(05/10/2022 10:26:25.856:667) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=5 --worker-index=5 --debuglevel=0
type=SYSCALL msg=audit(05/10/2022 10:26:25.856:667) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x0 a1=0x0 a2=0x7f0424afdd4b a3=0x0 items=0 ppid=1573 pid=1583 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(05/10/2022 10:26:25.856:667) : avc: denied { setgid } for pid=1583 comm=rpcd_lsad capability=setgid scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
----
# rpm -qa selinux\* \*samba\* | sort
python3-samba-4.16.1-4.fc37.x86_64
python3-samba-dc-4.16.1-4.fc37.x86_64
samba-4.16.1-4.fc37.x86_64
samba-client-libs-4.16.1-4.fc37.x86_64
samba-common-4.16.1-4.fc37.noarch
samba-common-libs-4.16.1-4.fc37.x86_64
samba-common-tools-4.16.1-4.fc37.x86_64
samba-dc-libs-4.16.1-4.fc37.x86_64
samba-libs-4.16.1-4.fc37.x86_64
samba-winbind-4.16.1-4.fc37.x86_64
samba-winbind-modules-4.16.1-4.fc37.x86_64
selinux-policy-36.7-1.fc37.noarch
selinux-policy-targeted-36.7-1.fc37.noarch
#
Following SELinux denial appears in permissive mode:
----
type=PROCTITLE msg=audit(05/10/2022 10:33:09.033:712) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=3 --worker-index=5 --debuglevel=0
type=SYSCALL msg=audit(05/10/2022 10:33:09.033:712) : arch=x86_64 syscall=setgroups success=yes exit=0 a0=0x0 a1=0x0 a2=0x7f196d2fdd4b a3=0x0 items=0 ppid=1782 pid=1792 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(05/10/2022 10:33:09.033:712) : avc: denied { setgid } for pid=1792 comm=rpcd_lsad capability=setgid scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=1
----
# ls -lZ /usr/libexec/samba/
total 3408
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1428080 May 6 11:26 rpcd_classic
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 45200 May 6 11:26 rpcd_epmapper
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 78128 May 6 11:26 rpcd_fsrvp
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 424640 May 6 11:26 rpcd_lsad
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 128792 May 6 11:26 rpcd_mdssvc
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 28800 May 6 11:26 rpcd_rpcecho
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 513048 May 6 11:26 rpcd_spoolss
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 90744 May 6 11:26 rpcd_winreg
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 525528 May 6 11:26 samba-bgqd
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 198032 May 6 11:26 samba-dcerpcd
#

The following file appears after starting the winbind service:

# ls -lZ /run/samba-dcerpcd.pid
-rw-r--r--. 1 root root system_u:object_r:winbind_var_run_t:s0 5 May 10 11:06 /run/samba-dcerpcd.pid
#

I've submitted a Fedora PR to address the issue. Before it is merged, scratchbuild can be used for testing:
https://github.com/fedora-selinux/selinux-policy/pull/1219
Checks -> Details -> Artifacts -> rpms

FEDORA-2022-fd22b79a84 has been submitted as an update to Fedora 36.
https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84

FEDORA-2022-fd22b79a84 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fd22b79a84`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2022-320775eb9a has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-320775eb9a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

After applying the update, the original AVC denials are gone, but there are still a couple more:
----
type=AVC msg=audit(1658286623.868:2435): avc: denied { write } for pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1658286623.868:2436): avc: denied { open } for pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1658286623.868:2437): avc: denied { lock } for pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
----

FEDORA-2022-139ec288ca has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-139ec288ca`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-139ec288ca
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2022-139ec288ca has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

(In reply to Dustin C. Hatch from comment #9)
> After applying the update, the original AVC denials are gone, but there are
> still a couple more:

Thanks for reporting, but next time please create a new bz not to be overlooked.
https://github.com/fedora-selinux/selinux-policy/pull/1315
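Every AVC record in this bug, whether from enforcing or permissive mode, carries the same four fields a policy fix is written against: source type, target type, object class and the denied permissions. The following is an added example, not code from this bug or from the selinux-policy project: it parses the four AVC lines quoted above (embedded as constructed sample input, in both the `ausearch -i` and raw audit.log formats), flags which denials were actually enforced (permissive=0, i.e. the EPERM seen in the first report), and reduces each group to the minimal allow rule it implies, the same reduction audit2allow performs.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC records quoted in this bug, one per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(05/10/2022 10:26:25.856:667) : avc: denied { setgid } for pid=1583 comm=rpcd_lsad capability=setgid scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1658286623.868:2435): avc: denied { write } for pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1658286623.868:2436): avc: denied { open } for pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1658286623.868:2437): avc: denied { lock } for pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)

def selinux_type(context):
    """user:role:type:level -> type, the component policy rules are written against."""
    return context.split(":")[2]

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m["perms"].split()),
        "stype": selinux_type(m["scontext"]),
        "ttype": selinux_type(m["tcontext"]),
        "tclass": m["tclass"],
        "enforced": m["permissive"] == "0",  # 0: the access was actually refused
    }

def summarize(text):
    """Group denials by (source type, target type, class) and return the minimal allow rule each group implies."""
    groups = defaultdict(lambda: {"perms": set(), "enforced": False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL/PROCTITLE records and non-denials are skipped
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["enforced"] |= rec["enforced"]
    rules = {}
    for (stype, ttype, tclass), g in groups.items():
        target = "self" if stype == ttype else ttype  # audit2allow writes "self" for same-type rules
        rule = "allow %s %s:%s { %s };" % (stype, target, tclass, " ".join(sorted(g["perms"])))
        rules[(stype, ttype, tclass)] = (rule, g["enforced"])
    return rules
```

Whether a derived rule belongs in the policy is a separate judgement: the post-update denials above come from a separate winbind_rpcd_t domain, not from an extra capability granted to winbind_t, so the first rule this prints is a diagnosis of the original denial, not the fix that shipped.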