Bug 2152642

Summary: AVC denied errors from samba-dcerpcd on Samba 4.16.4
Product: Red Hat Enterprise Linux 8
Component: selinux-policy
Version: 8.7
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Target Release: 8.8
Keywords: Triaged
Type: Bug
Fixed In Version: selinux-policy-3.14.3-115.el8
Doc Type: No Doc Update
Reporter: Bijesh Thekkepat <bthekkep>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: asn, dkarpele, gdeschner, lvrabec, mmalik, nknazeko, pfilipen, pkulkarn
Deadline: 2023-01-24
Last Closed: 2023-05-16 09:04:19 UTC

Description Bijesh Thekkepat 2022-12-12 15:24:20 UTC
Description of problem:

With SELinux enforcing on Samba 4.16.4 (RHEL 8.7) there is a wait of a few seconds while opening certain files (docx, pdf, ...) from a Windows client (tested on Windows Server 2016 Standard). Audit logs show AVC denied errors for /usr/libexec/samba/samba-dcerpcd.


Version-Release number of selected component (if applicable):
RHEL 8.7
samba-4.16.4-2.el8.x86_64
samba-libs-4.16.4-2.el8.x86_64
samba-client-4.16.4-2.el8.x86_64
samba-common-tools-4.16.4-2.el8.x86_64
samba-winbind-modules-4.16.4-2.el8.x86_64
samba-winbind-clients-4.16.4-2.el8.x86_64
samba-common-libs-4.16.4-2.el8.x86_64
samba-winbind-4.16.4-2.el8.x86_64
samba-common-4.16.4-2.el8.noarch
samba-client-libs-4.16.4-2.el8.x86_64


How reproducible:

With SELinux enforcing, as soon as we open a png file from the share there is a slight delay and the audit logs show avc: denied for samba-dcerpcd.

Actual results:

====
$ cat /var/log/samba/log.
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2022/12/06 12:50:18.746363,  0] ../../source3/passdb/pdb_interface.c:182(make_pdb_method_name)
  pdb backend ldapsam:ldap://127.0.0.1 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2022/12/06 12:50:18.746430,  0] ../../lib/util/fault.c:172(smb_panic_log)
  ===============================================================
[2022/12/06 12:50:18.746474,  0] ../../lib/util/fault.c:176(smb_panic_log)
  INTERNAL ERROR: pdb_get_methods: failed to get pdb methods for backend ldapsam:ldap://127.0.0.1
   in pid 6716 (4.16.4)
[2022/12/06 12:50:18.746509,  0] ../../lib/util/fault.c:181(smb_panic_log)
  If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2022/12/06 12:50:18.746521,  0] ../../lib/util/fault.c:182(smb_panic_log)
  ===============================================================
[2022/12/06 12:50:18.746532,  0] ../../lib/util/fault.c:184(smb_panic_log)
  PANIC (pid 6716): pdb_get_methods: failed to get pdb methods for backend ldapsam:ldap://127.0.0.1
   in 4.16.4
[2022/12/06 12:50:18.746748,  0] ../../lib/util/fault.c:288(log_stack_trace)
  BACKTRACE: 14 stack frames:
   #0 /lib64/libsamba-util.so.0(log_stack_trace+0x34) [0x7fb7b28ea7b4]
   #1 /lib64/libsamba-util.so.0(smb_panic+0xd) [0x7fb7b28eaa0d]
   #2 /lib64/libsamba-passdb.so.0(+0x1ce49) [0x7fb7b2850e49]
   #3 /lib64/libsamba-passdb.so.0(+0x1f495) [0x7fb7b2853495]
   #4 /lib64/libsamba-passdb.so.0(xid_to_sid+0xa3) [0x7fb7b284b8d3]
   #5 /lib64/libsamba-passdb.so.0(gid_to_sid+0x2b) [0x7fb7b284bbeb]
   #6 /usr/libexec/samba/samba-dcerpcd(+0x16ca9) [0x5650b44bcca9]
   #7 /usr/libexec/samba/samba-dcerpcd(create_local_nt_token_from_info3+0x305) [0x5650b44bdc95]
   #8 /usr/libexec/samba/samba-dcerpcd(+0x105cf) [0x5650b44b65cf]
   #9 /usr/libexec/samba/samba-dcerpcd(+0x123a7) [0x5650b44b83a7]
   #10 /usr/libexec/samba/samba-dcerpcd(init_guest_session_info+0x60) [0x5650b44b8690]
   #11 /usr/libexec/samba/samba-dcerpcd(main+0x55f) [0x5650b44b13ef]
   #12 /lib64/libc.so.6(__libc_start_main+0xe5) [0x7fb7b1535d85]
   #13 /usr/libexec/samba/samba-dcerpcd(_start+0x2e) [0x5650b44b2f9e]



$ ausearch -m avc -i

type=PROCTITLE msg=audit(12/06/2022 12:57:04.568:900) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=35 --np-helper --debuglevel=2
type=PATH msg=audit(12/06/2022 12:57:04.568:900) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=16976802 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/06/2022 12:57:04.568:900) : item=0 name=/usr/libexec/samba/samba-dcerpcd inode=25782681 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_rpcd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/06/2022 12:57:04.568:900) : cwd=/tmp
type=EXECVE msg=audit(12/06/2022 12:57:04.568:900) : argc=5 a0=/usr/libexec/samba/samba-dcerpcd a1=--libexec-rpcds a2=--ready-signal-fd=35 a3=--np-helper a4=--debuglevel=2
type=SYSCALL msg=audit(12/06/2022 12:57:04.568:900) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5583b735f4b0 a1=0x5583b734e790 a2=0x5583b7348a00 a3=0x8 items=2 ppid=6789 pid=7057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(12/06/2022 12:57:04.568:900) : avc:  denied  { read } for  pid=7057 comm=samba-dcerpcd path=/shared/*****/***** dev="dm-0" ino=960522 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
-

type=PROCTITLE msg=audit(12/06/2022 12:58:18.767:2236) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=35 --np-helper --debuglevel=2
type=SOCKADDR msg=audit(12/06/2022 12:58:18.767:2236) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=389 }
type=SYSCALL msg=audit(12/06/2022 12:58:18.767:2236) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xf a1=0x55f673a4ace0 a2=0x10 a3=0x0 items=0 ppid=1 pid=7080 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(12/06/2022 12:58:18.767:2236) : avc:  denied  { name_connect } for  pid=7080 comm=samba-dcerpcd dest=389 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
====

Expected results:

There should be selinux denials for samba-dcerpcd

Additional info:

The customer used the SELinux policy module below to temporarily fix the issue:

====
# my-samba-dcerpcd.te
module my-samba-dcerpcd 1.0;

require {
        type ldap_port_t;
        type winbind_rpcd_t;
        type samba_share_t;
        class file { ioctl read write getattr open };
        class dir { ioctl read };
        class tcp_socket name_connect;
}

#============= winbind_rpcd_t ==============
allow winbind_rpcd_t ldap_port_t:tcp_socket name_connect;
allow winbind_rpcd_t samba_share_t:dir { ioctl read };
allow winbind_rpcd_t samba_share_t:file { ioctl read write getattr open };
====
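The two AVC records above map directly onto the first two allow rules of the customer's module: the source type comes from scontext, the target type from tcontext, and the class and permission set from tclass and the braces. The following is an added example, not code from this bug report or from the selinux-policy project, that parses `ausearch -i` style AVC lines and renders the same kind of minimal .te module. The sample input is constructed from the two denials quoted in the report (with the redacted share path replaced by a placeholder); function names are the example's own. It only emits what the audit trail actually shows, so it does not reproduce the extra file permissions (ioctl read write getattr open) the customer's module also grants, which must have come from further denials not pasted here.

```python
import re
from collections import defaultdict

# Constructed sample input: the two enforced (permissive=0) AVC records quoted in
# this bug report, plus one SYSCALL line to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(12/06/2022 12:58:18.767:2236) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) comm=samba-dcerpcd
type=AVC msg=audit(12/06/2022 12:57:04.568:900) : avc:  denied  { read } for  pid=7057 comm=samba-dcerpcd path=/shared/REDACTED/REDACTED dev="dm-0" ino=960522 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=AVC msg=audit(12/06/2022 12:58:18.767:2236) : avc:  denied  { name_connect } for  pid=7080 comm=samba-dcerpcd dest=389 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." as printed by `ausearch -i`.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type:level SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        # permissive=1 would mean the access was logged but not blocked
        "enforced": fields.get("permissive") == "0",
    }


def collect_denials(lines, comm=None):
    """Aggregate denied permissions per (source type, target type, class).

    Pass comm= to restrict the result to one process name, e.g. samba-dcerpcd.
    """
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or (comm is not None and rec["comm"] != comm):
            continue
        rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def fmt_perms(perms):
    """Format a permission set the way the .te language expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules):
    """Render a minimal .te module in the same shape as the one quoted above."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials = collect_denials(SAMPLE_AUDIT.splitlines(), comm="samba-dcerpcd")
    print(render_module("my-samba-dcerpcd", denials))
```

On a real host the input would be `ausearch -m avc -i` output and the normal tool for this step is audit2allow; the point of doing it by hand is to see that every rule in a local module should be traceable to a specific denial, and that once the fixed selinux-policy build named in this bug is installed the local module is no longer needed and can be removed with `semodule -r`.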

Comment 1 Zdenek Pytela 2022-12-19 15:00:19 UTC
Andreas,

Should samba-dcerpcd be allowed to connect to ldap port?

Comment 2 Andreas Schneider 2022-12-19 16:53:28 UTC
I think someone could configure a passdb backend for ldap. So yes, in that case we need to talk to the ldap port.

Comment 3 Zdenek Pytela 2022-12-22 12:17:10 UTC
Thank you, Andreas.

Comment 5 Zdenek Pytela 2023-01-04 13:49:29 UTC
Commits to backport:
e91d34918 (HEAD -> rawhide, upstream/rawhide) Allow winbind-rpcd make a TCP connection to the ldap port
9921e2392 Allow winbind-rpcd manage samba_share_t files and dirs

Comment 20 errata-xmlrpc 2023-05-16 09:04:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965