Bug 2127854

Summary: SELinux blocking samba-dcerpcd access to openssl.cnf, breaks Kerberos
Product: Fedora
Component: selinux-policy
Version: 36
Status: CLOSED ERRATA
Reporter: James <james>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Keywords: Triaged
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-36.16-1.fc36
Doc Type: If docs needed, set a value
Type: Bug
Regression: ---
Last Closed: 2022-10-12 13:01:47 UTC

Description James 2022-09-19 09:01:36 UTC
samba-4.16.5-0.fc36.x86_64
selinux-policy-targeted-36.14-1.fc36.noarch

I'm using Samba with the standard FreeIPA configuration (so LDAP+Krb5 authentication). Since a recent relabel (or some other update) SELinux has been disrupting access to SMB shares - for some reason the Mac clients are worst affected. I see loads of SIGABRTs from samba-dcerpcd, along with things like:
type=AVC msg=audit(1663577560.480:3619): avc:  denied  { write } for  pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
type=AVC msg=audit(1663577560.480:3620): avc:  denied  { read } for  pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
type=AVC msg=audit(1663577560.484:3621): avc:  denied  { search } for  pid=109517 comm="samba-dcerpcd" name="krb5" dev="sda6" ino=157052 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1663577560.487:3622): avc:  denied  { read } for  pid=109517 comm="samba-dcerpcd" name="openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1663577560.487:3623): avc:  denied  { open } for  pid=109517 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1663577560.487:3624): avc:  denied  { getattr } for  pid=109517 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1

in audit.log and the following in the system logs:

Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:29.459439,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:29.459564,  0, pid=109517] ../../source3/lib/smbldap.c:1054(smbldap_connect_system)
Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]:   failed to bind to server ldapi://%2fvar%2frun%2fslapd-CB-ETTLE.socket with dn="[Anonymous bind]" Error: Local error
Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]:           (unknown)
Sep 19 09:52:30 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:30.461066,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:30 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:31 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:31.462555,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:31 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:32 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:32.464279,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:32 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:33 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:33.466238,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:33 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:34 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:34.468348,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:34 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:35 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:35.470556,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:35 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:36 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:36.472795,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:36 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:37 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:37.475044,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:37 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:38 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:38.477276,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:38 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:39 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:39.479533,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:39 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Works OK if enforcing is temporarily switched off. Booleans:

smbd_anon_write --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> on
samba_export_all_rw --> on
samba_load_libgfapi --> off
samba_portmapper --> on
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off

Comment 1 Zdenek Pytela 2022-09-19 10:33:30 UTC
One new and two existing commits need to be backported:

commit 837f63743214363362334e910dcb06d35cd5cb99
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 27 17:22:40 2022 +0200

    Update samba-dcerpcd policy for kerberos usage 2

commit e6584a21427a408c09781f2c5cf978b0f18db1cc
Author: Zdenek Pytela <zpytela>
Date:   Fri Jun 17 18:34:28 2022 +0200

    Update samba-dcerpcd policy for kerberos usage

Comment 2 Zdenek Pytela 2022-09-19 15:46:04 UTC
The two existing commits turned out to have already been backported.

Comment 3 James 2022-09-19 18:53:01 UTC
For reference, just trying selinux-policy-36.15-1.fc36.noarch from Koji. See in audit.log:

type=AVC msg=audit(1663613461.216:3955): avc:  denied  { write } for  pid=113672 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=0
type=AVC msg=audit(1663613476.247:3975): avc:  denied  { read } for  pid=113672 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
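The AVC records quoted in the description and again in comment 3 are the evidence that matters here: which domain (`scontext` type), which target type, which object class, which permissions, and whether `permissive=0` (the kernel actually blocked the call) or `permissive=1` (logged only, operation went ahead). The following parser is an added example for this report, not code from Fedora, the selinux-policy project, or the reporter. It works on constructed copies of the lines above, groups the denials the way `audit2allow` does, and separates the enforced ones (comment 3, `permissive=0`) from the ones logged in permissive mode. Function names and the output layout are my own choices.

```python
import re

# Constructed sample input: copies of AVC records in the format quoted in this
# bug report (description and comment 3), plus one non-AVC record that a parser
# must skip. This is embedded test data, not a live audit.log.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1663577560.480:3619): avc:  denied  { write } for  pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1',
    'type=AVC msg=audit(1663577560.484:3621): avc:  denied  { search } for  pid=109517 comm="samba-dcerpcd" name="krb5" dev="sda6" ino=157052 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1663577560.487:3622): avc:  denied  { read } for  pid=109517 comm="samba-dcerpcd" name="openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1663577560.487:3623): avc:  denied  { open } for  pid=109517 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1663577560.487:3624): avc:  denied  { getattr } for  pid=109517 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1663613461.216:3955): avc:  denied  { write } for  pid=113672 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=0',
    'type=AVC msg=audit(1663613476.247:3975): avc:  denied  { read } for  pid=113672 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1',
    'type=SYSCALL msg=audit(1663577560.487:3624): arch=c000003e syscall=257 success=yes exit=3',
]

# "avc:  denied  { read open } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'\bavc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    if not ctx or ctx.count(':') < 2:
        return None
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'decision': m.group('decision'),
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'source_type': context_type(fields.get('scontext')),
        'target_type': context_type(fields.get('tcontext')),
        'tclass': fields.get('tclass'),
        # permissive=0: the kernel blocked the access (the comment 3 case).
        # permissive=1: logged only, the domain or the system was permissive.
        'enforced': fields.get('permissive') == '0',
        # open/getattr carry a full path, read carries only the file name
        'target': fields.get('path') or fields.get('name'),
    }


def summarize(lines):
    """Group denials by (source type, target type, class), merging permissions."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        entry = summary.setdefault(
            key, {'perms': set(), 'enforced': False, 'targets': set(), 'count': 0})
        entry['perms'] |= rec['perms']
        entry['enforced'] = entry['enforced'] or rec['enforced']
        entry['count'] += 1
        if rec['target']:
            entry['targets'].add(rec['target'])
    return summary


def to_allow_rules(summary):
    """Render each group as the allow rule audit2allow would print for it."""
    rules = []
    for (src, tgt, cls), entry in summary.items():
        tgt_name = 'self' if tgt == src else tgt
        perms = ' '.join(sorted(entry['perms']))
        rules.append(f'allow {src} {tgt_name}:{cls} {{ {perms} }};')
    return sorted(rules)


def enforced_denials(summary):
    """Keys of the groups that contain at least one permissive=0 record."""
    return sorted(key for key, entry in summary.items() if entry['enforced'])


if __name__ == '__main__':
    report = summarize(SAMPLE_AVC_LINES)
    for key, entry in sorted(report.items()):
        flag = 'BLOCKED' if entry['enforced'] else 'permissive'
        print(f'{key}: {entry["count"]} records, {flag}, targets={sorted(entry["targets"])}')
    print('\n'.join(to_allow_rules(report)))
```

On a real host the input would come from `ausearch -m AVC -ts recent` rather than the embedded list. The rule text mirrors the form `audit2allow` prints, which makes it easy to compare what the denials ask for against what the backported commits named in comment 1 grant to `winbind_rpcd_t`; the report's own resolution is the updated selinux-policy package from comment 4 onward, not a locally generated module.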

Comment 4 Fedora Update System 2022-09-30 08:50:01 UTC
FEDORA-2022-0c59a07653 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653

Comment 5 Fedora Update System 2022-10-01 02:13:05 UTC
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-0c59a07653`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2022-10-12 13:01:47 UTC
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.