Bug 2108383

Summary: selinux-policy AVC during "mount -t cifs"
Product: Red Hat Enterprise Linux 8
Reporter: Rafael Jeffman <rjeffman>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Docs Contact:
Version: 8.7
CC: dkarpele, lvrabec, mmalik, rpm, ssekidde
Target Milestone: rc
Keywords: Triaged
Target Release: 8.7
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-105.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-11-08 10:44:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2095834

Comment 2 Zdenek Pytela 2022-07-25 13:29:36 UTC
Results of checking the AVC log
This is a mislabeled file:

----
type=PROCTITLE msg=audit(07/12/2022 10:06:53.865:1340) : proctitle=/usr/sbin/sssd -i --logger=files
type=AVC msg=audit(07/12/2022 10:06:53.865:1340) : avc:  denied  { read } for  pid=775 comm=sssd name=resolv.conf dev="vda3" ino=92276409 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(07/12/2022 10:06:53.865:1340) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x0 a1=0x555f9bb138c0 a2=0x8d88 a3=0x0 items=0 ppid=1 pid=775 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null)
----

The other two denials require backporting of:

commit 37512b85ed2712a57370c9df57db84b96b3d0f9d (tag: v37.7)
Author: Nikola Knazekova <nknazeko>
Date:   Wed Jul 13 18:12:31 2022 +0200

    Update winbind_rpcd_t

See also
https://bugzilla.redhat.com/show_bug.cgi?id=2102084

Comment 3 Milos Malik 2022-07-26 07:49:15 UTC
Unique SELinux denials for QE purposes:
----
time->Tue Jul 12 10:35:10 2022
type=PROCTITLE msg=audit(1657636510.928:3589): proctitle=2F7573722F6C6962657865632F73616D62612F727063645F6C736164002D2D636F6E66696766696C653D2F6574632F73616D62612F736D622E636F6E66002D2D776F726B65722D67726F75703D32002D2D776F726B65722D696E6465783D35002D2D64656275676C6576656C3D3130
type=SYSCALL msg=audit(1657636510.928:3589): arch=c000003e syscall=6 success=no exit=-13 a0=7ffd1cc24982 a1=7ffd1cc249f0 a2=7ffd1cc249f0 a3=0 items=0 ppid=37511 pid=37538 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcd_lsad" exe="/usr/libexec/samba/rpcd_lsad" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(1657636510.928:3589): avc:  denied  { getattr } for  pid=37538 comm="rpcd_lsad" path="/run/samba/winbindd/pipe" dev="tmpfs" ino=161762 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file permissive=0
----
time->Tue Jul 12 10:35:31 2022
type=PROCTITLE msg=audit(1657636531.794:3593): proctitle=736D62636F6E74726F6C00616C6C0064656275670031
type=SYSCALL msg=audit(1657636531.794:3593): arch=c000003e syscall=42 success=no exit=-13 a0=10 a1=7ffc071e8dd0 a2=6e a3=0 items=0 ppid=37583 pid=37598 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1657636531.794:3593): avc:  denied  { sendto } for  pid=37598 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/37511" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0
----
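
The triage done by hand in comments 2 and 3, as a POSIX shell script: collapse raw AVC records into the unique denial tuples QE lists, separate the mislabeled-file case (resolv.conf carrying user_home_t) from the two denials that need a policy change, and decode the hex PROCTITLE records. This is an added example and is not part of the bug report or of selinux-policy. The sample records are constructed from the ones quoted above, and the list of target types treated as a mislabel indicator (user_home_t, user_home_dir_t, user_tmp_t, unlabeled_t) is this example's own assumption, not something the bug states.

```shell
#!/bin/sh
# Added example, not from the bug report or selinux-policy: triage raw audit
# AVC records the way comments 2 and 3 do by hand. Sample records are
# constructed from the ones quoted in the bug; the list of target types taken
# as a mislabel indicator is this example's own assumption.

# Constructed sample: the three denials from the bug, one of them repeated as
# it would be in a real log after the failing operation is retried.
SAMPLE_AVCS='type=AVC msg=audit(1657637213.865:1340): avc:  denied  { read } for  pid=775 comm="sssd" name="resolv.conf" dev="vda3" ino=92276409 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1657636510.928:3589): avc:  denied  { getattr } for  pid=37538 comm="rpcd_lsad" path="/run/samba/winbindd/pipe" dev="tmpfs" ino=161762 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1657636510.931:3590): avc:  denied  { getattr } for  pid=37539 comm="rpcd_lsad" path="/run/samba/winbindd/pipe" dev="tmpfs" ino=161762 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1657636531.794:3593): avc:  denied  { sendto } for  pid=37598 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/37511" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0'

# unique_denials: stdin = audit records (e.g. `ausearch -m AVC` output);
# stdout = one "source_type target_type class permission" line per distinct
# denial, sorted. Only the type part of each context is kept, so repeats from
# other pids, users or MLS ranges collapse into one line.
unique_denials() {
    LC_ALL=C awk '
    /type=AVC/ && /avc: +denied/ {
        perms = $0
        sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/) { c = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s, t, c, p[j]
    }' | LC_ALL=C sort -u
}

# mislabel_hint: stdin = unique_denials output. A system daemon denied access
# to an object carrying a user-data or unlabeled type is almost always reading
# a mislabeled file (comment 2's resolv.conf case); the fix is restorecon on
# the object, and feeding it to audit2allow would bake the wrong label into
# policy. Anything else is left for a policy change. The suspect-type list is
# this example's assumption.
mislabel_hint() {
    while read -r s t c p; do
        case "$t" in
            user_home_t|user_home_dir_t|user_tmp_t|unlabeled_t)
                printf 'mislabel: %s denied %s on %s labeled %s -> restorecon the object\n' "$s" "$p" "$c" "$t" ;;
            *)
                printf 'policy:   %s denied %s on %s labeled %s -> needs a policy update\n' "$s" "$p" "$c" "$t" ;;
        esac
    done
}

# decode_proctitle: $1 = hex string from a PROCTITLE record (what `ausearch -i`
# decodes for you); NUL argument separators are printed as spaces.
decode_proctitle() {
    hex=$1
    out=""
    while [ -n "$hex" ]; do
        [ "${#hex}" -ge 2 ] || break   # ignore a dangling odd nibble
        pair=${hex%"${hex#??}"}        # first two hex digits
        hex=${hex#??}
        if [ "$pair" = "00" ]; then
            out="$out "
        else
            out="$out$(printf "\\$(printf '%03o' "0x$pair")")"
        fi
    done
    printf '%s\n' "$out"
}

# Stand-alone run over the constructed sample and the second PROCTITLE record
# quoted in comment 3.
printf '%s\n' "$SAMPLE_AVCS" | unique_denials | mislabel_hint
decode_proctitle 736D62636F6E74726F6C00616C6C0064656275670031
```

On a live system the first pipeline is fed from `ausearch -m AVC -ts recent` instead of the embedded sample; the point of the split output is that only the "policy:" lines are candidates for an allow rule, while a "mislabel:" line means the label on the object is wrong and the denial is SELinux doing its job.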

Comment 18 Denis Karpelevich 2022-08-02 09:44:05 UTC
*** Bug 2095834 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2022-11-08 10:44:31 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691