Bug 2121709

Summary: SELinux prevents the samba-bgpd from writing the /var/run/nscd/socket socket
Product: Red Hat Enterprise Linux 8 Reporter: Zdenek Pytela <zpytela>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact: Petr Hybl <phybl>
Priority: medium    
Version: 8.7CC: jafiala, jwright, lvrabec, mmalik, phybl
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: 8.8Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-110.el8 Doc Type: Bug Fix
Doc Text:
.`samba-dcerpcd` process now works correctly with nscd Previously, the `samba-dcerpcd` process could not communicate with the `nscd` process because of the SELinux policy. Consequently, the `samba-dcerpcd` service did not work properly when the `nscd` service was enabled. With this update, the SELinux policy has been updated with new rules for `samba-dcerpcd`.
 Story Points: ---
Clone Of: 2118958
: 2121729 (view as bug list) Environment:
Last Closed: 2023-05-16 09:03:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2118958    
Bug Blocks: 2121729    

Description Zdenek Pytela 2022-08-26 10:43:14 UTC 
+++ This bug was initially created as a clone of Bug #2118958 +++

Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-107.el8.noarch

How reproducible:
 * always when the nscd service is running

Steps to Reproduce:
1. get a RHEL-8.7 machine
2. install and enable the nscd service
3. run the /CoreOS/selinux-policy/Regression/winbindd-and-similar test
4. run ausearch

Actual results:
-----
type=PROCTITLE msg=audit(08/26/2022 04:14:24.657:453) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=23 --np-helper --debuglevel=0 
type=PATH msg=audit(08/26/2022 04:14:24.657:453) : item=0 name=/var/run/nscd/socket inode=130894 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nscd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/26/2022 04:14:24.657:453) : cwd=/ 
type=SOCKADDR msg=audit(08/26/2022 04:14:24.657:453) : saddr={ saddr_fam=local path=/var/run/nscd/socket } 
type=SYSCALL msg=audit(08/26/2022 04:14:24.657:453) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7ffccfc81970 a2=0x6e a3=0x6 items=1 ppid=1 pid=93859 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null) 
type=AVC msg=audit(08/26/2022 04:14:24.657:453) : avc:  denied  { write } for  pid=93859 comm=samba-dcerpcd name=socket dev="tmpfs" ino=130894 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file permissive=0 
----

Additional notes:
The issue did not appear during common testing, it appeared for the first time in gating tests. This probably is a result of some previous test which left the nscd service running.
Comment 2 Milos Malik 2022-08-29 09:29:34 UTC 
The "ausearch ... | audit2allow" output indicates that the following rules are needed:

allow winbind_rpcd_t nscd_t:nscd { shmemgrp shmempwd };
allow winbind_rpcd_t nscd_t:unix_stream_socket connectto;
allow winbind_rpcd_t nscd_var_run_t:file read;
allow winbind_rpcd_t nscd_var_run_t:file map;
allow winbind_rpcd_t nscd_var_run_t:sock_file write;
Comment 16 Zdenek Pytela 2022-12-12 10:35:02 UTC 
*** Bug 2152444 has been marked as a duplicate of this bug. ***
Comment 21 errata-xmlrpc 2023-05-16 09:03:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965