Bug 2142746

Summary: AVC denials when running samba high availability test
Product: Red Hat Enterprise Linux 9 Reporter: michal novacek <mnovacek>
Component: selinux-policyAssignee: Nikola Knazekova <nknazeko>
Status: CLOSED NOTABUG QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.1CC: jrehova, lvrabec, mmalik, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-04 14:43:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description michal novacek 2022-11-15 07:13:11 UTC 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-34.1.43-1.el9.noarch
----
time->Tue Nov 15 07:41:38 2022
type=PROCTITLE msg=audit(1668494498.824:1722): proctitle=2F7573722F7362696E2F736D6264002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
type=PATH msg=audit(1668494498.824:1722): item=0 name="/mnt/gfs2-ctdb/public" inode=4657 dev=fd:02 mode=040755 ouid=1002 ogid=1002 rdev=00:00 obj=system_u:object_r:samba_share_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1668494498.824:1722): cwd="/"
type=SYSCALL msg=audit(1668494498.824:1722): arch=c000003e syscall=89 success=no exit=-22 a0=7ffe2febea20 a1=7ffe2febe5c0 a2=3ff a3=40 items=1 ppid=86685 pid=87408 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1668494498.824:1722): avc:  denied  { search } for  pid=87408 comm="smbd" name="/" dev="dm-2" ino=4656 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Tue Nov 15 07:42:52 2022
type=PROCTITLE msg=audit(1668494572.903:2166): proctitle=2F7573722F7362696E2F736D6264002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
type=PATH msg=audit(1668494572.903:2166): item=0 name="/mnt/gfs2-ctdb/public" inode=4657 dev=fd:02 mode=040755 ouid=1002 ogid=1002 rdev=00:00 obj=system_u:object_r:samba_share_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1668494572.903:2166): cwd="/"
type=SYSCALL msg=audit(1668494572.903:2166): arch=c000003e syscall=89 success=no exit=-22 a0=7ffe7f07a7f0 a1=7ffe7f07a390 a2=3ff a3=7f4134153c80 items=1 ppid=89074 pid=89081 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1668494572.903:2166): avc:  denied  { search } for  pid=89081 comm="smbd" name="/" dev="dm-2" ino=4656 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Comment 1 Nikola Knazekova 2022-11-24 11:53:02 UTC 
Hi Michal,

How were these files /mnt/gfs2-ctdb/public created?

The unlabeled_t label is usually displayed when a file was created in SELinux disabled state or when its actual label does not currently exist.
Comment 2 michal novacek 2023-02-06 15:05:30 UTC 
(In reply to Nikola Knazekova from comment #1)
> Hi Michal,
> 
> How were these files /mnt/gfs2-ctdb/public created?
> 
> The unlabeled_t label is usually displayed when a file was created in
> SELinux disabled state or when its actual label does not currently exist.

This is how /mnt/gfs2-ctdb `ls` looks:

[root@virt-242 ~]# ls -laZ /mnt/gfs2-ctdb
total 20
drwxr-xr-x. 4 root     root     system_u:object_r:unlabeled_t:s0     3864 Feb  6 15:21 .
drwxr-xr-x. 9 root     root     system_u:object_r:mnt_t:s0            119 Feb  6 15:09 ..
drwxr-xr-x. 2 root     root     system_u:object_r:ctdbd_var_run_t:s0 3864 Feb  6 15:53 ctdb
drwxr-xr-x. 2 smbguest smbguest system_u:object_r:samba_share_t:s0   3864 Feb  6 15:21 public


The flow when AVC happens is:
scenarios.CTDB_IPv4 INFO    pass: Activate vg shared
scenarios.CTDB_IPv4 INFO    pass: Make sure /mnt/gfs2-ctdb is not mounted.
scenarios.CTDB_IPv4 INFO    pass: Create /mnt/gfs2-ctdb directory.
scenarios.CTDB_IPv4 INFO    pass: Mount /mnt/gfs2-ctdb
scenarios.CTDB_IPv4 INFO    pass: Create /mnt/gfs2-ctdb/ctdb/ directory.
scenarios.CTDB_IPv4 INFO    pass: Create /mnt/gfs2-ctdb/public/ directory.
scenarios.CTDB_IPv4 INFO    pass: Change owner of /mnt/gfs2-ctdb/public/.
scenarios.CTDB_IPv4 INFO    pass: Change permissions of /mnt/gfs2-ctdb/public/.
scenarios.CTDB_IPv4 INFO    pass: Change security context of /mnt/gfs2-ctdb/ctdb/.
scenarios.CTDB_IPv4 INFO    pass: Change security context of /mnt/gfs2-ctdb/public/.
scenarios.CTDB_IPv4 INFO    pass: Umount /mnt/gfs2-ctdb

/mnt/gfs2-ctdb is gfs2 filesystem.
Comment 6 Nikola Knazekova 2023-08-04 14:43:10 UTC 
Hi, 
after investigation I am closing this bug as NOTABUG.
This behaviour is expected and filesystems have to be mounted with selinux context: 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-mounting_file_systems