.The SELinux policy allows `smb` access to user shares
Previously, the `samba-dcerpcd` process was separated from the `smb` service, but did not have access to user shares. As a consequence, `smb` clients could not access files on user `smb` shares. This update adds rules to the SELinux policy for managing user home content for the `samba-dcerpcd` binary when the `samba_enable_home_dirs` boolean is enabled. As a result, `samba-dcerpcd` can access user shares when `samba_enable_home_dirs` is on.
Is this going to cover samba_export_all_rw=1 as well, or really just samba_enable_home_dirs=1? CEE/GSS let me know that they added privately here that the issue also exists with samba_export_all_rw=1, but the doc text only mentions samba_enable_home_dirs=1 so far.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:2965
Description of problem:
This is new to 8.7.0. Since the customer upgraded to 8.7.0 (from samba-4.15.5-8.el8_6 to samba-4.16.4-2.el8), he sees AVCs when the samba-dcerpcd helper executes:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(11/14/2022 12:14:39.889:3440) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=31 --np-helper --debuglevel=0
type=EXECVE msg=audit(11/14/2022 12:14:39.889:3440) : argc=5 a0=/usr/libexec/samba/samba-dcerpcd a1=--libexec-rpcds a2=--ready-signal-fd=31 a3=--np-helper a4=--debuglevel=0
type=SYSCALL msg=audit(11/14/2022 12:14:39.889:3440) : arch=x86_64 syscall=execve success=yes exit=0 ... items=0 ppid=329561 pid=329705 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(11/14/2022 12:14:39.889:3440) : avc: denied { ioctl } for pid=329705 comm=samba-dcerpcd path=SAMBA_SHARE_DIR dev="dm-2" ino=6825702 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0

type=PROCTITLE msg=audit(11/14/2022 12:08:34.565:3437) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=31 --np-helper --debuglevel=0
type=EXECVE msg=audit(11/14/2022 12:08:34.565:3437) : argc=5 a0=/usr/libexec/samba/samba-dcerpcd a1=--libexec-rpcds a2=--ready-signal-fd=31 a3=--np-helper a4=--debuglevel=0
type=SYSCALL msg=audit(11/14/2022 12:08:34.565:3437) : arch=x86_64 syscall=execve success=yes exit=0 ... items=0 ppid=329561 pid=329563 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(11/14/2022 12:08:34.565:3437) : avc: denied { read } for pid=329563 comm=samba-dcerpcd path=SAMBA_SHARE_DIR/SAMBA_SHARE_FILE dev="dm-2" ino=6825716 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

There was a massive redesign on the SELinux policy with RHEL8.7.0 regarding samba, in particular there is a new winbind_rpcd_t type (which is the faulty type here). Please check what's going on here.

Version-Release number of selected component (if applicable):
samba-4.16.4-2.el8

How reproducible:
Always on customer system, didn't try to reproduce yet.
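As an added triage helper (not part of this bug report or of the selinux-policy package), the following parses ausearch-style AVC records like the ones above and groups them by source domain, target type, object class and permission, which is the tuple a policy rule or boolean has to cover. The sample records are constructed from the redacted denials in the report; the boolean hint in the last function is an assumption drawn from the booleans discussed in this bug.

```python
"""Group SELinux AVC denials (ausearch -i output) by source domain, target
type, class and permission: the tuple a policy rule or boolean must cover."""
import re
from collections import Counter

# Constructed sample: the report's two denials (paths redacted) plus one non-AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(11/14/2022 12:14:39.889:3440) : avc: denied { ioctl } for pid=329705 comm=samba-dcerpcd path=SAMBA_SHARE_DIR dev="dm-2" ino=6825702 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(11/14/2022 12:08:34.565:3437) : arch=x86_64 syscall=execve success=yes exit=0 comm=samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0
type=AVC msg=audit(11/14/2022 12:08:34.565:3437) : avc: denied { read } for pid=329563 comm=samba-dcerpcd path=SAMBA_SHARE_DIR/SAMBA_SHARE_FILE dev="dm-2" ino=6825716 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc: +denied +\{ *(?P<perms>[^}]+)\} +for .*?comm=(?P<comm>\S+)"
    r".*?scontext=(?P<scon>\S+) +tcontext=(?P<tcon>\S+) +tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Third field of user:role:type[:range], e.g. winbind_rpcd_t."""
    return ctx.split(":")[2]

def parse_avcs(text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if not m:
            continue
        denials.append({
            "comm": m["comm"],
            "perms": m["perms"].split(),          # e.g. ['ioctl']
            "sdomain": context_type(m["scon"]),   # process domain
            "ttype": context_type(m["tcon"]),     # label of the file/dir
            "tclass": m["tclass"],
        })
    return denials

def summarize(denials):
    """Count denials per (sdomain, ttype, tclass, perm) tuple."""
    counts = Counter()
    for d in denials:
        for perm in d["perms"]:
            counts[(d["sdomain"], d["ttype"], d["tclass"], perm)] += 1
    return counts

def samba_rpcd_share_denials(denials):
    """The report's pattern: winbind_rpcd_t denied on samba_share_t. If these
    persist after RHBA-2023:2965, check the booleans named in this bug (assumption)."""
    return [d for d in denials
            if d["sdomain"] == "winbind_rpcd_t" and d["ttype"] == "samba_share_t"]
```

Feed it the text of `ausearch -i -m AVC -c samba-dcerpcd` in place of the constructed sample to see which (domain, type, class, permission) tuples are still being denied on a live system.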