Bug 2143624

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux blocks the samba-dcerpcd component from direct access to the TDBs | | |
| Product | Red Hat Enterprise Linux 9 | Reporter | Leszek Szczepanowski <leszek.szczepanowski> |
| Component | selinux-policy | Assignee | Nikola Knazekova <nknazeko> |
| Status | CLOSED INSUFFICIENT_DATA | QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | high | Docs Contact | |
| Priority | medium | | |
| Version | CentOS Stream | CC | bstinson, jwboyer, lucas.blenkhorn, lvrabec, martin, mmalik, zpytela |
| Target Milestone | rc | Keywords | SELinux, Triaged |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | No Doc Update |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2023-08-01 19:29:52 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Leszek Szczepanowski
2022-11-17 12:02:13 UTC
The issue is only with browsing shares. Accessing the shares themselves, and read/write to them, is OK. I did this:

```
[root@fs01 symptoms]# semodule -B
[root@fs01 symptoms]# setenforce 0
[root@fs01 symptoms]# ausearch -c samba-dcerpcd --raw | audit2allow -M sambalocal
[root@fs01 symptoms]# cat sambalocal.te
module sambalocal 1.0;

require {
	type fusefs_t;
	type ctdbd_t;
	type smbd_t;
	type ctdbd_var_run_t;
	type winbind_rpcd_t;
	type ctdbd_var_lib_t;
	class sock_file { getattr write };
	class unix_stream_socket { connectto read write };
	class file { getattr lock map open read setattr write };
	class dir { ioctl read search };
	class process { noatsecure rlimitinh siginh };
}

#============= smbd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };

#============= winbind_rpcd_t ==============

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_t:unix_stream_socket connectto;

#!!!! This avc has a dontaudit rule in the current policy
allow winbind_rpcd_t ctdbd_var_lib_t:dir search;

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_var_lib_t:file { getattr lock map open read setattr write };

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_var_run_t:sock_file { getattr write };

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t fusefs_t:dir { ioctl read };
```

And then I did `semodule -i sambalocal.pp` - now I can browse shares. The suspect is a bug in selinux-policy, where (my guess) those two are not defined:

```
allow winbind_rpcd_t ctdbd_var_lib_t:dir search;
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };
```

Hi Leszek, thank you very much for the detailed description. Dontaudited permissions (noatsecure rlimitinh siginh) are expected, but this one may cause the problem:

```
allow winbind_rpcd_t ctdbd_var_lib_t:dir search;
```

So can you please try this allow rule in a test CIL module?

1. Disable your sambalocal:

   ```
   # semodule -d sambalocal
   ```

2. Create test.cil:

   ```
   $ vi test.cil
   (allow winbind_rpcd_t ctdbd_var_lib_t (dir (search)))
   ```

3. And then:

   ```
   # semodule -i test.cil
   ```

Thanks,
Nikola

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
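The triage loop in this thread (run audit2allow, discard the rules the loaded policy already allows, try only the remaining ones in a small CIL test module) can be scripted rather than done by eye. The following is an added example, not code from the bug report or from the selinux-policy project. It parses the `#!!!!` markers that audit2allow places above each rule, keeps the rules that are dontaudited or absent from the policy, and rewrites them in CIL syntax. The sample input is a copy of the `sambalocal.te` shown above; the names `parse_audit2allow`, `candidate_rules` and `build_test_cil` are this example's own, and what it prints as `test.cil` is only the text one would then review before installing with `semodule -i`.

```python
"""Classify audit2allow output and emit a minimal CIL test module.

Added example, not from the bug report or selinux-policy.  audit2allow marks a
rule when the loaded policy already covers it:
  "#!!!! This avc is allowed in the current policy"           -> nothing to add
  "#!!!! This avc has a dontaudit rule in the current policy" -> denied silently
A rule with no marker is absent from the policy.  Dontaudited and absent
rules are the candidates for a test module; allowed ones are noise.
"""
import re

ALLOWED = "allowed"
DONTAUDIT = "dontaudit"
MISSING = "missing"

# allow <src> <tgt>:<class> <perm>;   or   allow <src> <tgt>:<class> { perm ... };
_RULE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+?))\s*;\s*$"
)


def parse_audit2allow(text):
    """Return one dict per allow rule with the coverage status audit2allow reported."""
    rules = []
    status = MISSING              # status that applies to the next rule seen
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#!!!!"):
            status = DONTAUDIT if "dontaudit" in line else ALLOWED
            continue
        m = _RULE.match(line)
        if not m:
            continue              # require block, section banners, blank lines
        perms = (m.group("perms") or m.group("perm")).split()
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"),
                      "cls": m.group("cls"), "perms": perms, "status": status})
        status = MISSING          # a marker applies only to the rule right after it
    return rules


def to_cil(rule):
    """CIL form of one rule: (allow src tgt (cls (perm ...)))."""
    return "(allow {} {} ({} ({})))".format(
        rule["src"], rule["tgt"], rule["cls"], " ".join(rule["perms"]))


def candidate_rules(rules):
    """Rules the loaded policy does not already allow: dontaudited or absent."""
    return [r for r in rules if r["status"] != ALLOWED]


def build_test_cil(text):
    """Text of a CIL test module holding only the candidate rules."""
    return "\n".join(to_cil(r) for r in candidate_rules(parse_audit2allow(text)))


# Constructed sample: the sambalocal.te that audit2allow produced in the report.
SAMPLE_TE = """\
module sambalocal 1.0;

require {
	type fusefs_t;
	type ctdbd_t;
	type smbd_t;
	type ctdbd_var_run_t;
	type winbind_rpcd_t;
	type ctdbd_var_lib_t;
	class sock_file { getattr write };
	class unix_stream_socket { connectto read write };
	class file { getattr lock map open read setattr write };
	class dir { ioctl read search };
	class process { noatsecure rlimitinh siginh };
}

#============= smbd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };

#============= winbind_rpcd_t ==============

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_t:unix_stream_socket connectto;

#!!!! This avc has a dontaudit rule in the current policy
allow winbind_rpcd_t ctdbd_var_lib_t:dir search;

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_var_lib_t:file { getattr lock map open read setattr write };

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_var_run_t:sock_file { getattr write };

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t fusefs_t:dir { ioctl read };
"""

if __name__ == "__main__":
    for r in parse_audit2allow(SAMPLE_TE):
        print(f"{r['status']:9s} {to_cil(r)}")
    print("--- test.cil ---")
    print(build_test_cil(SAMPLE_TE))
```

On the report's data the script keeps exactly the two rules the reporter singled out: the process permissions (dontaudited, and expected to be) and `ctdbd_var_lib_t:dir search`, which is the one Nikola asked to be tried on its own. Installing a module with only that statement isolates whether the single missing `search` permission explains the browsing failure, instead of loading the whole audit2allow output, most of which duplicates rules the policy already has.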