Bug 2152444

Summary: SELinux is preventing /usr/libexec/samba/samba-dcerpcd from write access on the sock_file socket
Product: Red Hat Enterprise Linux 8
Reporter: Joe Wright <jwright>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: medium
Version: 8.7
CC: abjoshi, lvrabec, mmalik, nknazeko, pjasbuti, sfroemer, ssekidde
Target Milestone: rc
Keywords: Triaged
Target Release: 8.8
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Doc Type: No Doc Update
Last Closed: 2022-12-12 10:35:02 UTC
Type: Bug

Description Joe Wright 2022-12-11 23:48:14 UTC
Description of problem:
setroubleshoot[9489]: SELinux is preventing /usr/libexec/samba/samba-dcerpcd from write access on the sock_file socket.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed write access on the socket sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-108.el8.noarch
samba-4.16.4-2.el8.x86_64

How reproducible:
SELinux enforcing. Setting SELinux to permissive works around it.

Steps to Reproduce:
1. Update to 8.7

Actual results:
AVC Denial

Expected results:
rule should be in place

Additional info:

May be relevant: 

https://wiki.samba.org/index.php/Samba_4.16_Features_added/changed#New_samba-dcerpcd_binary_to_provide_DCERPC_in_the_member_server_setup
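
Added example, not part of the original report: the setroubleshoot line in the description is stored with rsyslog's `#012` octal escapes in place of newlines, which makes the denial hard to read and triage. The sketch below decodes the message and pulls out the source binary, permission, target class, plugin and suggested commands; the function names `decode_syslog` and `parse_setroubleshoot` are hypothetical.

```python
import re

# The setroubleshoot message as quoted in the description above.
SAMPLE = (
    "setroubleshoot[9489]: SELinux is preventing /usr/libexec/samba/samba-dcerpcd "
    "from write access on the sock_file socket.#012#012*****  Plugin catchall "
    "(100. confidence) suggests   **************************#012#012"
    "If you believe that samba-dcerpcd should be allowed write access on the "
    "socket sock_file by default.#012Then you should report this as a bug.#012"
    "You can generate a local policy module to allow this access.#012Do#012"
    "allow this access for now by executing:#012"
    "# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012"
    "# semodule -X 300 -i my-sambadcerpcd.pp#012"
)

# '#' followed by three octal digits in the control-character range (000-037).
_ESCAPE = re.compile(r"#(0[0-3][0-7])")
_HEADLINE = re.compile(
    r"SELinux is preventing (?P<source>\S+) from (?P<perm>.+?) access "
    r"on the (?P<tclass>\S+) (?P<target>.+?)\.$"
)
_PLUGIN = re.compile(r"Plugin (\S+) \(")


def decode_syslog(msg):
    """Turn escaped control characters (#012 -> newline) back into real ones."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), msg)


def parse_setroubleshoot(msg):
    """Return the fields of one setroubleshoot syslog message as a dict."""
    text = decode_syslog(msg)
    lines = text.splitlines()
    head = _HEADLINE.search(lines[0]) if lines else None
    if head is None:
        raise ValueError("not a setroubleshoot denial message")
    info = head.groupdict()
    plugin = _PLUGIN.search(text)
    info["plugin"] = plugin.group(1) if plugin else None
    # Suggested commands are the lines printed with a root prompt ("# ").
    info["commands"] = [l[2:] for l in lines if l.startswith("# ")]
    return info


if __name__ == "__main__":
    for key, value in parse_setroubleshoot(SAMPLE).items():
        print(f"{key}: {value}")
```

The `catchall` plugin means setroubleshoot had no specific remedy for this denial, so the suggested `audit2allow` module is a generic local workaround rather than a policy fix.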

Comment 2 Zdenek Pytela 2022-12-12 10:25:57 UTC
It looks like a dup of bz#2121709.

Comment 3 Zdenek Pytela 2022-12-12 10:35:02 UTC
Closing dup as the denial is the same.

*** This bug has been marked as a duplicate of bug 2121709 ***