Bug 2121729

Summary: SELinux prevents the samba-bgpd from writing the /var/run/nscd/socket socket
Product: Red Hat Enterprise Linux 9 Reporter: Zdenek Pytela <zpytela>
Component: selinux-policyAssignee: Nikola Knazekova <nknazeko>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.1CC: lvrabec, mmalik, skolosov
Target Milestone: rcKeywords: Triaged
Target Release: 9.2Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-34.1.47-1.el9 Doc Type: Bug Fix
Doc Text:
Cause: SELinux prevents the samba-bgpd from writing the /var/run/nscd/socket socket Consequence: SELinux denials during tests Fix: Allow samba-dcerpcd use NSCD services over a unix stream socket Result: No SELinux denials
 Story Points: ---
Clone Of: 2121709 Environment:
Last Closed: 2023-05-09 08:16:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2118958, 2121709    
Bug Blocks:    

Description Zdenek Pytela 2022-08-26 12:37:49 UTC 
Also applicable to RHEL 9.

+++ This bug was initially created as a clone of Bug #2121709 +++

+++ This bug was initially created as a clone of Bug #2118958 +++

Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-107.el8.noarch

How reproducible:
 * always when the nscd service is running

Steps to Reproduce:
1. get a RHEL-8.7 machine
2. install and enable the nscd service
3. run the /CoreOS/selinux-policy/Regression/winbindd-and-similar test
4. run ausearch

Actual results:
-----
type=PROCTITLE msg=audit(08/26/2022 04:14:24.657:453) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=23 --np-helper --debuglevel=0 
type=PATH msg=audit(08/26/2022 04:14:24.657:453) : item=0 name=/var/run/nscd/socket inode=130894 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nscd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/26/2022 04:14:24.657:453) : cwd=/ 
type=SOCKADDR msg=audit(08/26/2022 04:14:24.657:453) : saddr={ saddr_fam=local path=/var/run/nscd/socket } 
type=SYSCALL msg=audit(08/26/2022 04:14:24.657:453) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7ffccfc81970 a2=0x6e a3=0x6 items=1 ppid=1 pid=93859 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null) 
type=AVC msg=audit(08/26/2022 04:14:24.657:453) : avc:  denied  { write } for  pid=93859 comm=samba-dcerpcd name=socket dev="tmpfs" ino=130894 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file permissive=0 
----

Additional notes:
The issue did not appear during common testing, it appeared for the first time in gating tests. This probably is a result of some previous test which left the nscd service running.
Comment 11 errata-xmlrpc 2023-05-09 08:16:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483