Bug 2174445
| Summary: | SELinux is preventing /usr/bin/smbspool from write/add_name/create on /var/lib/samba/lock/ and /var/lib/samba/lock/gencache.tdb | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Matthias Olson <matthias.olson> |
| Component: | selinux-policy | Assignee: | Nobody <nobody> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9.1 | CC: | lvrabec, mmalik, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-38.1.13-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-11-07 08:52:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Deadline: | 2023-05-16 | ||
Hi Matthias, can you please reproduce the issue in permissive mode and attach SELinux denials? Please do:

# setenforce 0

Thank you, Nikola

In permissive mode the output is:
setroubleshoot[13501]: SELinux is preventing /usr/bin/smbspool from write access on the directory /var/lib/samba/lock/gencache.tdb.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that smbspool should be allowed write access on the gencache.tdb directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'smbspool' --raw | audit2allow -M my-smbspool
# semodule -X 300 -i my-smbspool.pp
Audit log:
type=AVC msg=audit(1681807537.277:6645): avc: denied { write } for pid=13496 comm="smbspool" name="lock" dev="dm-1" ino=201463076 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681807537.277:6645): avc: denied { add_name } for pid=13496 comm="smbspool" name="gencache.tdb" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681807537.277:6645): avc: denied { create } for pid=13496 comm="smbspool" name="gencache.tdb" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1681807537.277:6645): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=55f0e1e3b5f0 a2=80042 a3=1a4 items=2 ppid=2328 pid=13496 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="smbspool" exe="/usr/bin/smbspool" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="lp" EUID="root" SUID="root" FSUID="root" EGID="lp" SGID="lp" FSGID="lp"
type=PATH msg=audit(1681807537.277:6645): item=0 name="/var/lib/samba/lock/" inode=201463076 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:samba_var_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
type=PATH msg=audit(1681807537.277:6645): item=1 name="/var/lib/samba/lock/gencache.tdb" inode=201477594 dev=fd:01 mode=0100600 ouid=0 ogid=7 rdev=00:00 obj=system_u:object_r:samba_var_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="lp"
type=PROCTITLE msg=audit(1681807537.277:6645): proctitle=736D623A2F2F69732D7072696E742E68712E74726179706F72742E636F6D2F42575F4455504C45585F325000313600726F6F74005465737420506167650031006A6F622D757569643D75726E3A757569643A30386139366239392D626637372D333864612D356631382D356465316266343963316439206A6F622D6F72696769
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617
Description of problem:
After installing samba-krb5-printing and setting up an SMB Printer with Kerberos authentication, attempts at printing fail due to the SELinux policy-set. Suggested allow rule may be too broad (i.e. giving cupsd_t context required permissions over the entirety of samba_var_t).

--------------------------------------------------
From journald:

setroubleshoot[5782]: SELinux is preventing /usr/bin/smbspool from write access on the directory /var/lib/samba/lock/.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that smbspool should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'smbspool' --raw | audit2allow -M my-smbspool
# semodule -X 300 -i my-smbspool.pp

setroubleshoot[6984]: SELinux is preventing /usr/bin/smbspool from add_name access on the directory /var/lib/samba/lock/.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that smbspool should be allowed add_name access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'smbspool' --raw | audit2allow -M my-smbspool
# semodule -X 300 -i my-smbspool.pp

setroubleshoot[7460]: SELinux is preventing /usr/bin/smbspool from create access on the file /var/lib/samba/lock/.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that smbspool should be allowed create access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'smbspool' --raw | audit2allow -M my-smbspool
# semodule -X 300 -i my-smbspool.pp

--------------------------------------------------
The output of `ausearch -c 'smbspool' --raw | audit2allow -w -a`:

type=AVC msg=audit(1677683022.381:1713): avc: denied { write } for pid=5779 comm="smbspool" name="lock" dev="dm-1" ino=201463076 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1677683022.381:1714): avc: denied { write } for pid=5779 comm="smbspool" name="lock" dev="dm-1" ino=201463076 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1677683022.384:1715): avc: denied { write } for pid=5779 comm="smbspool" name="lock" dev="dm-1" ino=201463076 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1677683165.831:2825): avc: denied { add_name } for pid=6982 comm="smbspool" name="gencache.tdb" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1677683165.831:2826): avc: denied { add_name } for pid=6982 comm="smbspool" name="gencache.tdb" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1677683165.833:2827): avc: denied { add_name } for pid=6982 comm="smbspool" name="gencache.tdb" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1677683400.064:2971): avc: denied { create } for pid=7458 comm="smbspool" name="gencache.tdb" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=file permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1677683400.064:2972): avc: denied { create } for pid=7458 comm="smbspool" name="gencache.tdb" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=file permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1677683400.066:2973): avc: denied { create } for pid=7458 comm="smbspool" name="gencache.tdb" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=file permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

--------------------------------------------------
The output of `ausearch -c 'smbspool' --raw | audit2allow -a`:

#============= cupsd_t ==============
allow cupsd_t samba_var_t:dir { add_name write };
allow cupsd_t samba_var_t:file create;

--------------------------------------------------
Version-Release number of selected component (if applicable):
selinux-policy.noarch 34.1.43-1.el9_1.1
samba-krb5-printing.x86_64 4.16.4-101.el9

How reproducible:
100%
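As an added illustration (not part of the bug report or of the selinux-policy project), this Python script re-derives the `audit2allow -a` output above from the AVC records and shows why the reporter calls the rule broad: the denials name only `lock` and `gencache.tdb`, but a TE allow rule is keyed on the target type, so it applies to every object labelled samba_var_t. The sample input is the three AVC lines quoted from the permissive-mode run; the regex and helper names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in this bug (permissive=1 run).
SAMPLE_AVC = """\
type=AVC msg=audit(1681807537.277:6645): avc: denied { write } for pid=13496 comm="smbspool" name="lock" dev="dm-1" ino=201463076 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681807537.277:6645): avc: denied { add_name } for pid=13496 comm="smbspool" name="gencache.tdb" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681807537.277:6645): avc: denied { create } for pid=13496 comm="smbspool" name="gencache.tdb" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=file permissive=1
"""

# Fields of a denial record: permissions in braces, optional object name,
# then source context, target context and object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'(?:name="(?P<name>[^"]*)" .*?)?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """user:role:type:range -> type, e.g. system_u:system_r:cupsd_t:s0 -> cupsd_t."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms, object_name) per denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
                   set(m["perms"].split()), m["name"])

def allow_rules(text):
    """Aggregate like audit2allow: one allow rule per (source, target, class) with
    permissions merged. Also return the object names seen per rule; the generated
    TE rule does not restrict to them, it covers every object of the target type."""
    perms, names = defaultdict(set), defaultdict(set)
    for src, tgt, cls, p, name in parse_avc(text):
        perms[(src, tgt, cls)] |= p
        if name:
            names[(src, tgt, cls)].add(name)
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        p = sorted(p)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules, dict(names)

if __name__ == "__main__":
    rules, names = allow_rules(SAMPLE_AVC)
    for rule in rules:
        print(rule)
    for (src, tgt, cls), seen in names.items():
        print(f"# {src} -> {tgt}:{cls} was denied only on: {', '.join(sorted(seen))}")
```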