Bug 2150680

Summary: SELinux samba-dcerpcd (Samba 4.16) access denied
Product: Red Hat Enterprise Linux 9
Reporter: bangaio <techtribal>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: medium
Version: 9.1
CC: lvrabec, mmalik, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-38.1.4-1.el9
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2023-05-09 08:17:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description bangaio 2022-12-05 00:50:28 UTC
Description of problem:
SELinux logs errors for samba-dcerpcd
I didn't notice any issues in my short amount of testing, but according to:
https://unix.stackexchange.com/questions/711204/samba-4-16-interactions-with-selinux
"I upgraded my server a couple weeks ago to Centos 8 and everything to current levels. This apparently included upgrading Samba to 4.16.2. Nothing seemed amiss but I did notice big lags streaming data from the smb server to my laptop. No outright failures though, samba continued to deliver albeit with significant gaps."

Version-Release number of selected component (if applicable):
# uname -a
Linux file01 5.14.0-162.6.1.el9_1.0.1.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Nov 28 18:44:09 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/redhat-release
Rocky Linux release 9.1 (Blue Onyx)

# rpm -qa 'selinux-policy*'
selinux-policy-34.1.43-1.el9.noarch
selinux-policy-targeted-34.1.43-1.el9.noarch

# smbd --version
Version 4.16.4


How reproducible:
Always


Steps to Reproduce:
1. setenforce 1
2. From a Windows client, access a samba share

Actual results:
SELinux errors logged

Expected results:
No SELinux errors logged


Additional info:
# ls -lZ /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_winreg /usr/libexec/samba/rpcd_classic
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0               1454896 Nov 16 05:28 /usr/libexec/samba/rpcd_classic
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0                 86144 Nov 16 05:28 /usr/libexec/samba/rpcd_winreg
-rwxr-xr-x. 1 root root system_u:object_r:winbind_rpcd_exec_t:s0  192960 Nov 16 05:28 /usr/libexec/samba/samba-dcerpcd

# ls -lZ /run/systemd/userdb/io.systemd.DynamicUser
srw-rw-rw-. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0 0 Dec  4 20:05 /run/systemd/userdb/io.systemd.DynamicUser

# ls -lZ /srv/smb
drwxrwx--T. 2 root      smb       unconfined_u:object_r:samba_share_t:s0    6 Dec  4 19:10 share01
drwxr-x---. 3 root      smb       unconfined_u:object_r:samba_share_t:s0   24 Dec  4 05:16 share02
drwxr-x---. 4 smbuser01 smb       unconfined_u:object_r:samba_share_t:s0   28 Dec  4 04:32 share03

# journalctl -u setroubleshoot --since=today
SELinux is preventing /usr/libexec/samba/samba-dcerpcd from read access on the directory /srv/smb/share02
SELinux is preventing /usr/libexec/samba/samba-dcerpcd from connectto access on the unix_stream_socket /run/systemd/userdb/io.systemd.DynamicUser
SELinux is preventing /usr/libexec/samba/samba-dcerpcd from ioctl access on the directory /srv/smb/share03

# sealert -l ff5fdfc0-44eb-48da-ba02-809823253963
SELinux is preventing /usr/libexec/samba/samba-dcerpcd from connectto access on the unix_stream_socket /run/systemd/userdb/io.systemd.DynamicUser.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that samba-dcerpcd should be allowed connectto access on the io.systemd.DynamicUser unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd
# semodule -X 300 -i my-sambadcerpcd.pp


Additional Information:
Source Context                system_u:system_r:winbind_rpcd_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                /run/systemd/userdb/io.systemd.DynamicUser [
                              unix_stream_socket ]
Source                        samba-dcerpcd
Source Path                   /usr/libexec/samba/samba-dcerpcd
Port                          <Unknown>
Host                          file01
Source RPM Packages           samba-4.16.4-101.el9.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     file01
Platform                      Linux file01 5.14.0-162.6.1.el9_1.0.1.x86_64
                              #1 SMP PREEMPT_DYNAMIC Mon Nov 28 18:44:09 UTC
                              2022 x86_64 x86_64
Alert Count                   1569
First Seen                    2022-12-03 22:55:30 -03
Last Seen                     2022-12-04 21:30:22 -03
Local ID                      ff5fdfc0-44eb-48da-ba02-809823253963

Raw Audit Messages
type=AVC msg=audit(1670200222.661:170): avc:  denied  { connectto } for  pid=1761 comm="rpcd_winreg" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0


type=SYSCALL msg=audit(1670200222.661:170): arch=x86_64 syscall=connect success=no exit=EACCES a0=f a1=7fffd0d45460 a2=2d a3=5556763b9d00 items=0 ppid=1746 pid=1761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpcd_winreg exe=/usr/libexec/samba/rpcd_winreg subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)

Hash: samba-dcerpcd,winbind_rpcd_t,init_t,unix_stream_socket,connectto


#  sealert -l 824e84b5-0623-4016-99be-4736bf646fa1
SELinux is preventing /usr/libexec/samba/samba-dcerpcd from ioctl access on the directory /srv/smb/share01.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that samba-dcerpcd should be allowed ioctl access on the share01 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd
# semodule -X 300 -i my-sambadcerpcd.pp


Additional Information:
Source Context                system_u:system_r:winbind_rpcd_t:s0
Target Context                unconfined_u:object_r:samba_share_t:s0
Target Objects                /srv/smb/share01 [ dir ]
Source                        samba-dcerpcd
Source Path                   /usr/libexec/samba/samba-dcerpcd
Port                          <Unknown>
Host                          file01
Source RPM Packages           samba-4.16.4-101.el9.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     file01
Platform                      Linux file01 5.14.0-162.6.1.el9_1.0.1.x86_64
                              #1 SMP PREEMPT_DYNAMIC Mon Nov 28 18:44:09 UTC
                              2022 x86_64 x86_64
Alert Count                   175
First Seen                    2022-12-03 22:57:50 -03
Last Seen                     2022-12-04 21:30:22 -03
Local ID                      824e84b5-0623-4016-99be-4736bf646fa1

Raw Audit Messages
type=AVC msg=audit(1670200222.68:161): avc:  denied  { ioctl } for  pid=1744 comm="samba-dcerpcd" path="/srv/smb/share01" dev="dm-2" ino=134299776 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir permissive=0


type=AVC msg=audit(1670200222.68:161): avc:  denied  { ioctl } for  pid=1744 comm="samba-dcerpcd" path="/srv/smb/share03" dev="dm-2" ino=67108992 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir permissive=0


type=AVC msg=audit(1670200222.68:161): avc:  denied  { read } for  pid=1744 comm="samba-dcerpcd" path="/srv/smb/share03/bin/ffmpeg/ffmpeg.exe" dev="dm-2" ino=201326721 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=0


type=AVC msg=audit(1670200222.68:161): avc:  denied  { read write } for  pid=1744 comm="samba-dcerpcd" path="/srv/smb/share01/recording01.ts" dev="dm-2" ino=134301858 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1670200222.68:161): arch=x86_64 syscall=execve success=yes exit=0 a0=55965901dab0 a1=55965903e660 a2=559659016c10 a3=8 items=0 ppid=1439 pid=1744 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)

Hash: samba-dcerpcd,winbind_rpcd_t,samba_share_t,dir,ioctl


# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd
# cat my-sambadcerpcd.te
module my-sambadcerpcd 1.0;

require {
        type init_t;
        type samba_share_t;
        type winbind_rpcd_t;
        class unix_stream_socket connectto;
        class dir { ioctl read };
        class file { read write };
}

#============= winbind_rpcd_t ==============
allow winbind_rpcd_t init_t:unix_stream_socket connectto;
allow winbind_rpcd_t samba_share_t:dir { ioctl read };
allow winbind_rpcd_t samba_share_t:file { read write };
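
As an added illustration (not part of the bug report and not audit2allow's own code), the following Python reproduces what the `ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd` step above does with the raw AVC records quoted in this report: it parses each `type=AVC ... denied` line, keys the denial on (source type, target type, object class), unions the denied permissions, and renders a `.te` module in the same layout as `my-sambadcerpcd.te`. The audit lines are embedded inline; they are the records shown in the report plus one constructed `read` denial on `/srv/smb/share02` standing in for the setroubleshoot summary that has no raw record on the page (its inode number is made up). The function names (`parse_avc`, `summarize_denials`, `render_te`) are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the raw AVC records quoted in this bug report, plus
# one constructed 'read' denial on /srv/smb/share02 (the report shows only the
# setroubleshoot summary for that one; its ino value is made up). A SYSCALL
# record is included to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1670200222.661:170): avc:  denied  { connectto } for  pid=1761 comm="rpcd_winreg" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1670200222.661:170): arch=x86_64 syscall=connect success=no exit=EACCES comm=rpcd_winreg subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(1670200222.68:161): avc:  denied  { ioctl } for  pid=1744 comm="samba-dcerpcd" path="/srv/smb/share01" dev="dm-2" ino=134299776 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1670200222.68:161): avc:  denied  { read } for  pid=1744 comm="samba-dcerpcd" path="/srv/smb/share02" dev="dm-2" ino=134299777 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1670200222.68:161): avc:  denied  { read } for  pid=1744 comm="samba-dcerpcd" path="/srv/smb/share03/bin/ffmpeg/ffmpeg.exe" dev="dm-2" ino=201326721 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=0
type=AVC msg=audit(1670200222.68:161): avc:  denied  { read write } for  pid=1744 comm="samba-dcerpcd" path="/srv/smb/share01/recording01.ts" dev="dm-2" ino=134301858 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=0
"""

# Matches the fields audit2allow needs from a denial record.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
COMM_RE = re.compile(r'comm="(?P<comm>[^"]*)"')


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one 'type=AVC ... denied' record; return None for any other line."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    comm = COMM_RE.search(line)
    return {
        "perms": set(m["perms"].split()),
        "source": type_of(m["scontext"]),
        "target": type_of(m["tcontext"]),
        "tclass": m["tclass"],
        "comm": comm["comm"] if comm else None,
        # permissive=0 means the access was really blocked, as in this report
        "enforced": m["permissive"] != "1",
    }


def summarize_denials(log_text):
    """Union the denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in braces, as in a .te file."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module_name, version="1.0"):
    """Render the rules as a type-enforcement module in audit2allow's layout."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"        type {t};" for t in types]
    out += [f"        class {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out.append("}")
    for src in sorted({k[0] for k in rules}):
        out += ["", f"#============= {src} =============="]
        for (s, tgt, cls), perms in sorted(rules.items()):
            if s == src:
                out.append(f"allow {s} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te(summarize_denials(SAMPLE_AUDIT_LOG), "my-sambadcerpcd"), end="")
```

Seeing the condensation step spelled out makes the least-privilege trade-off of the local module visible: type-enforcement rules are keyed on types, not paths, so `allow winbind_rpcd_t init_t:unix_stream_socket connectto` permits a connection to any unix stream socket labelled init_t, not only to io.systemd.DynamicUser, and the samba_share_t rules cover every share on the host. That is the reason the sealert text asks for the denial to be reported rather than for the generated module to stay in place; the policy-level fix is the package named in Fixed In Version.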

Comment 1 Nikola Knazekova 2022-12-21 12:10:31 UTC
commit 9921e239291412f21c98806f2777dba7fce8bbe4
Author: Nikola Knazekova <nknazeko>
Date:   Thu Dec 15 12:07:05 2022 +0100

    Allow winbind-rpcd manage samba_share_t files and dirs
    
    Allow winbind connect to init_t unix_stream_socket
    
    Resolves: rhbz#2150680

Comment 10 errata-xmlrpc 2023-05-09 08:17:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483