Bug 2096521
Summary: | ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "3221225996" | |
---|---|---|---
Product: | Red Hat Enterprise Linux 9 | Reporter: | Varun Mylaraiah <mvarun>
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela>
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 9.1 | CC: | abokovoy, fdvorak, frenaud, lvrabec, mmalik, rcritten, ssekidde, tscherf
Target Milestone: | rc | Keywords: | AutoVerified, Regression, TestBlocker, Triaged
Target Release: | 9.1 | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | selinux-policy-34.1.37-1.el9 | Doc Type: | No Doc Update
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2022-11-15 11:13:52 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 2091421 | |
Description
Varun Mylaraiah
2022-06-14 06:24:47 UTC
This is due to a missing SELinux policy for samba-dcerpcd to access Kerberos configuration, TLS certificates, LDAP and so on.

[root@master ~]# setenforce 0
[root@master ~]# audit2allow -b
[root@master ~]# kinit admin
Password for admin:
[root@master ~]# echo Secret123 |ipa trust-add win2019-9ced.test --admin Administrator --password
--------------------------------------------------
Re-established trust to domain "win2019-9ced.test"
--------------------------------------------------
  Realm name: win2019-9ced.test
  Domain NetBIOS name: WIN2019-9CED
  Domain Security Identifier: S-1-5-21-2229588128-2176526217-358173259
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@master ~]# audit2allow -b

#============= winbind_rpcd_t ==============
allow winbind_rpcd_t cert_t:file { getattr open read };
allow winbind_rpcd_t devlog_t:sock_file write;
allow winbind_rpcd_t dirsrv_t:unix_stream_socket connectto;
allow winbind_rpcd_t dirsrv_var_run_t:sock_file write;
allow winbind_rpcd_t kernel_t:unix_dgram_socket sendto;
allow winbind_rpcd_t krb5_conf_t:file { open read };
allow winbind_rpcd_t krb5_keytab_t:dir search;
allow winbind_rpcd_t net_conf_t:file { getattr open read };
allow winbind_rpcd_t smbd_var_run_t:file { getattr lock open read };
[root@master ~]#
[root@master ~]# audit2why -b
type=AVC msg=audit(1655205684.560:98): avc: denied { open } for pid=2111 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda4" ino=8389406 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.560:98): avc: denied { read } for pid=2111 comm="samba-dcerpcd" name="krb5.conf" dev="vda4" ino=8389406 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.562:99): avc: denied { getattr } for pid=2111 comm="samba-dcerpcd" path="/etc/resolv.conf" dev="vda4" ino=8402018 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.563:100): avc: denied { open } for pid=2111 comm="samba-dcerpcd" path="/etc/resolv.conf" dev="vda4" ino=8402018 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.563:100): avc: denied { read } for pid=2111 comm="samba-dcerpcd" name="resolv.conf" dev="vda4" ino=8402018 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.564:101): avc: denied { open } for pid=2111 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.564:101): avc: denied { read } for pid=2111 comm="samba-dcerpcd" name="krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.564:102): avc: denied { lock } for pid=2111 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.564:103): avc: denied { getattr } for pid=2111 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.565:104): avc: denied { connectto } for pid=2111 comm="samba-dcerpcd" path="/run/slapd-IPA-TEST.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.565:104): avc: denied { write } for pid=2111 comm="samba-dcerpcd" name="slapd-IPA-TEST.socket" dev="tmpfs" ino=1007 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.565:105): avc: denied { sendto } for pid=2111 comm="samba-dcerpcd" path="/run/systemd/journal/dev-log" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.565:105): avc: denied { write } for pid=2111 comm="samba-dcerpcd" name="dev-log" dev="tmpfs" ino=46 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.566:106): avc: denied { search } for pid=2111 comm="samba-dcerpcd" name="krb5" dev="vda4" ino=25166407 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.567:107): avc: denied { open } for pid=2111 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.567:107): avc: denied { read } for pid=2111 comm="samba-dcerpcd" name="openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.567:109): avc: denied { getattr } for pid=2111 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.864:110): avc: denied { open } for pid=2122 comm="rpcd_lsad" path="/etc/krb5.conf" dev="vda4" ino=8389406 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.864:110): avc: denied { read } for pid=2122 comm="rpcd_lsad" name="krb5.conf" dev="vda4" ino=8389406 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.869:111): avc: denied { open } for pid=2122 comm="rpcd_lsad" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.869:111): avc: denied { read } for pid=2122 comm="rpcd_lsad" name="openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.869:112): avc: denied { getattr } for pid=2122 comm="rpcd_lsad" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.981:113): avc: denied { open } for pid=2166 comm="rpcd_lsad" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.981:113): avc: denied { read } for pid=2166 comm="rpcd_lsad" name="krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.981:114): avc: denied { lock } for pid=2166 comm="rpcd_lsad" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655205684.981:115): avc: denied { getattr } for pid=2166 comm="rpcd_lsad" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by: Missing type enforcement (TE) allow rule.
	You can use audit2allow to generate a loadable module to allow this access.
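The description above collects the denials in permissive mode and lets `audit2allow -b` fold them into nine TE rules. As an added example (not code from the report, from audit2allow or from selinux-policy), the script below does the same folding over the AVC records copied from the report, so you can see exactly how one `{ open }` and one `{ read }` record become `allow winbind_rpcd_t krb5_conf_t:file { open read };`, and then separates the rules that only read objects from the four that let the rpcd domain write to a socket file, connect to the dirsrv_t LDAP socket or send to syslog. Those four are the ones to compare against what smbd_t and winbind_t already get before shipping any local module. It also turns the decimal code in the summary, 3221225996, into its NTSTATUS form, 0xC000020C (STATUS_CONNECTION_DISCONNECTED in ntstatus.h), which is what the trust-add client reports when the CIFS side drops the connection. The regular expression, the READ_ONLY set and all function names are this example's own choices; the sample records have their dev=/ino= fields trimmed for width.

```python
"""Fold SELinux AVC denials into TE allow rules, the way `audit2allow -b`
did for the samba-dcerpcd report. Added example; not code from the bug
report, from audit2allow or from selinux-policy."""
import re
from collections import defaultdict

# AVC records copied from the report (dev=/ino= fields trimmed for width).
SAMPLE_AVCS = """\
type=AVC msg=audit(1655205684.560:98): avc: denied { open } for pid=2111 comm="samba-dcerpcd" path="/etc/krb5.conf" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.560:98): avc: denied { read } for pid=2111 comm="samba-dcerpcd" name="krb5.conf" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.562:99): avc: denied { getattr } for pid=2111 comm="samba-dcerpcd" path="/etc/resolv.conf" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.563:100): avc: denied { open } for pid=2111 comm="samba-dcerpcd" path="/etc/resolv.conf" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.563:100): avc: denied { read } for pid=2111 comm="samba-dcerpcd" name="resolv.conf" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.564:101): avc: denied { open } for pid=2111 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.564:101): avc: denied { read } for pid=2111 comm="samba-dcerpcd" name="krb5cc_samba" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.564:102): avc: denied { lock } for pid=2111 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.564:103): avc: denied { getattr } for pid=2111 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.565:104): avc: denied { connectto } for pid=2111 comm="samba-dcerpcd" path="/run/slapd-IPA-TEST.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1655205684.565:104): avc: denied { write } for pid=2111 comm="samba-dcerpcd" name="slapd-IPA-TEST.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1655205684.565:105): avc: denied { sendto } for pid=2111 comm="samba-dcerpcd" path="/run/systemd/journal/dev-log" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1655205684.565:105): avc: denied { write } for pid=2111 comm="samba-dcerpcd" name="dev-log" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1655205684.566:106): avc: denied { search } for pid=2111 comm="samba-dcerpcd" name="krb5" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1655205684.567:107): avc: denied { open } for pid=2111 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.567:107): avc: denied { read } for pid=2111 comm="samba-dcerpcd" name="openssl.cnf" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.567:109): avc: denied { getattr } for pid=2111 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
"""

# The kernel may list several permissions inside one { ... } group.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that only observe an object. Anything outside this set widens
# what the domain can do and deserves a look before it lands in a local module.
READ_ONLY = {"getattr", "open", "read", "search", "lock", "map", "ioctl"}


def context_type(ctx: str) -> str:
    """user:role:type[:level] -> type; the index also holds for MLS ranges."""
    return ctx.split(":")[2]


def parse_avc(line: str):
    """Return (source type, target type, class, {perms}) or None for non-AVC text."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m["scontext"]), context_type(m["tcontext"]),
            m["tclass"], set(m["perms"].split()))


def aggregate(lines):
    """Merge per-record denials into one permission set per (src, tgt, class)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render_rule(stype, ttype, tclass, perms) -> str:
    """One TE allow rule in the form audit2allow prints (braces only for >1 perm)."""
    p = sorted(perms)
    body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def render_rules(rules) -> list:
    """All rules, sorted by source, target and class like audit2allow output."""
    return [render_rule(*key, perms) for key, perms in sorted(rules.items())]


def needs_review(rules) -> list:
    """Rules that grant more than read-style access (write, connectto, sendto)."""
    return [render_rule(*key, perms) for key, perms in sorted(rules.items())
            if not perms <= READ_ONLY]


def ntstatus_hex(code: int) -> str:
    """Decimal code from the ipa error message -> NTSTATUS hex (3221225996 -> 0xC000020C)."""
    return f"0x{code:08X}"


if __name__ == "__main__":
    agg = aggregate(SAMPLE_AVCS.splitlines())
    print("\n".join(render_rules(agg)))
    print("\n# grants beyond read access, compare with smbd_t/winbind_t first:")
    print("\n".join(needs_review(agg)))
    print(ntstatus_hex(3221225996))
```

Run it and the first block of output is the same nine rules the report shows from `audit2allow -b`. Two caveats apply to the raw rules as a workaround: they only cover the code paths `ipa trust-add` exercised while enforcing was off, and the maintainer's point in the comments below is that winbind_rpcd_t should be given what winbindd and smbd already have, not a rule set reverse-engineered from one run. Once selinux-policy-34.1.37-1.el9 is installed, `sesearch -A -s winbind_rpcd_t -t krb5_conf_t -c file` should list the file access and `ausearch -m AVC -c samba-dcerpcd` should stay empty after a trust-add in enforcing mode.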
Zdenek,

samba-dcerpcd should have the same policy as winbindd and smbd. samba-dcerpcd is a new daemon in the Samba suite that runs code which was in the past part of smbd. We need the same in Fedora as well, if it is not there yet.

(In reply to Alexander Bokovoy from comment #9)
> Zdenek,
>
> samba-dcerpcd should have the same policy as winbindd and smbd.
> samba-dcerpcd is a new daemon in the Samba suite that runs code which was in
> the past part of smbd.
> We need the same in Fedora as well, if it is not there yet.

Alexander,

We almost always put updates to rawhide first. samba-dcerpcd has been confined following the description in https://www.samba.org/samba/history/samba-4.16.0.html and the updates are ready also for f36. The policy for rpcd services differs a bit, just as smbd and winbind differ, but they share similar resources.

Commit to backport:

commit e6584a21427a408c09781f2c5cf978b0f18db1cc
Author: Zdenek Pytela <zpytela>
Date:   Fri Jun 17 18:34:28 2022 +0200

    Update samba-dcerpcd policy for kerberos usage

The commit has not actually been backported:

commit 837f63743214363362334e910dcb06d35cd5cb99
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 27 17:22:40 2022 +0200

    Update samba-dcerpcd policy for kerberos usage 2

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283