Bug 2188074
| Summary: | cifs.upcall blocked by selinux | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kyle Brantley <kyle> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 38 | CC: | abokovoy, accounts+fedora, dustymabe, dwalsh, jlayton, karl-johan.karlsson, luk.claes, lvrabec, mmalik, nknazeko, omosnacek, pfilipen, pkoncity, ronniesahlberg, sprabhu, ssorce, vmojzis, zpytela |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-04 19:40:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Move to the selinux-policy.
Judging by the audit2allow, it needs these rules due to use of a combination of Kerberos and openssl configs.
```
#============= keyutils_request_t ==============
allow keyutils_request_t bin_t:file { execute execute_no_trans };
allow keyutils_request_t bin_t:file map;
allow keyutils_request_t cert_t:dir search;
allow keyutils_request_t cert_t:file { getattr open read };
allow keyutils_request_t devlog_t:lnk_file read;
allow keyutils_request_t devlog_t:sock_file write;
allow keyutils_request_t init_var_run_t:dir search;
allow keyutils_request_t kernel_t:unix_dgram_socket sendto;
allow keyutils_request_t krb5_conf_t:file { getattr open read };
allow keyutils_request_t nsfs_t:file { getattr open read };
allow keyutils_request_t passwd_file_t:file { getattr open read };
allow keyutils_request_t self:capability { setgid setuid sys_chroot };
allow keyutils_request_t self:process setcap;
allow keyutils_request_t sssd_public_t:dir { getattr open read search };
allow keyutils_request_t sssd_public_t:file { getattr open read };
allow keyutils_request_t sssd_t:unix_stream_socket connectto;
allow keyutils_request_t sssd_var_lib_t:dir search;
allow keyutils_request_t sssd_var_run_t:sock_file write;
allow keyutils_request_t syslogd_var_run_t:dir search;
allow keyutils_request_t unconfined_t:dir search;
allow keyutils_request_t unconfined_t:file read;
allow keyutils_request_t unconfined_t:lnk_file read;
```
This may be related to https://bugzilla.redhat.com/show_bug.cgi?id=2182643

Continuing in bz#2182643, where most of the information is available.

*** This bug has been marked as a duplicate of bug 2182643 ***
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Build Identifier:

Post upgrade from F37 to F38, mount.smb / cifs.upcall appear to be unable to obtain credentials, due to selinux violations. Performing the mount in permissive mode allows the mount to operate correctly. A review of the relevant AVCs fired in permissive mode does not reveal any booleans that could be adjusted to allow this activity.

Reproducible: Always

Steps to Reproduce:
1. echo '//storage.example.com/data /data smb3 sec=krb5,vers=3,multiuser 0 0' >> /etc/fstab && systemctl daemon-reload
2. kinit as root
3. as root, 'mount /data'

Actual Results:

dmesg:
```
[ 7.630547] Key type dns_resolver registered
[ 7.772172] Key type cifs.spnego registered
[ 7.772185] Key type cifs.idmap registered
[ 7.772936] CIFS: Attempting to mount \\storage.example.com\data
[ 7.804088] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[ 7.804093] CIFS: VFS: \\storage.example.com Send error in SessSetup = -126
[ 7.804101] CIFS: VFS: cifs_mount failed w/return code = -126
```

cli:
```
# mount /data
mount error(126): Required key not available
Refer to the mount.smb3(8) manual page (e.g. man mount.smb3) and kernel log messages (dmesg)
```

AVCs:
```
type=AVC msg=audit(1681921312.614:16125): avc: denied { execute } for pid=965 comm="request-key" name="cifs.upcall" dev="dm-0" ino=419889 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1681921312.614:16126): avc: denied { read } for pid=965 comm="request-key" name="log" dev="devtmpfs" ino=165 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
```

AVCs in permissive mode:
```
type=AVC msg=audit(1681921994.615:20618): avc: denied { execute } for pid=1024 comm="request-key" name="cifs.upcall" dev="dm-0" ino=419889 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.615:20619): avc: denied { execute_no_trans } for pid=1024 comm="request-key" path="/usr/sbin/cifs.upcall" dev="dm-0" ino=419889 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.621:20620): avc: denied { map } for pid=1024 comm="cifs.upcall" path="/usr/sbin/cifs.upcall" dev="dm-0" ino=419889 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.623:20621): avc: denied { read } for pid=1024 comm="cifs.upcall" name="log" dev="devtmpfs" ino=165 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1681921994.623:20622): avc: denied { search } for pid=1024 comm="cifs.upcall" name="systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681921994.623:20623): avc: denied { search } for pid=1024 comm="cifs.upcall" name="journal" dev="tmpfs" ino=41 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681921994.623:20624): avc: denied { write } for pid=1024 comm="cifs.upcall" name="dev-log" dev="tmpfs" ino=42 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1681921994.623:20625): avc: denied { sendto } for pid=1024 comm="cifs.upcall" path="/run/systemd/journal/dev-log" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1681921994.623:20626): avc: denied { setcap } for pid=1025 comm="cifs.upcall" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=process permissive=1
type=AVC msg=audit(1681921994.623:20627): avc: denied { search } for pid=1024 comm="cifs.upcall" name="1021" dev="proc" ino=22382 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1681921994.623:20628): avc: denied { read } for pid=1024 comm="cifs.upcall" name="cgroup" dev="proc" ino=22384 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1
type=AVC msg=audit(1681921994.623:20629): avc: denied { read } for pid=1024 comm="cifs.upcall" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1681921994.623:20630): avc: denied { read } for pid=1024 comm="cifs.upcall" dev="nsfs" ino=4026531835 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.623:20631): avc: denied { open } for pid=1024 comm="cifs.upcall" path="cgroup:[4026531835]" dev="nsfs" ino=4026531835 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.623:20632): avc: denied { read } for pid=1024 comm="cifs.upcall" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20633): avc: denied { getattr } for pid=1024 comm="cifs.upcall" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20634): avc: denied { sys_chroot } for pid=1024 comm="cifs.upcall" capability=18 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1681921994.624:20635): avc: denied { read } for pid=1024 comm="cifs.upcall" name="passwd" dev="dm-0" ino=131956 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20636): avc: denied { open } for pid=1024 comm="cifs.upcall" path="/etc/passwd" dev="dm-0" ino=131956 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20637): avc: denied { getattr } for pid=1024 comm="cifs.upcall" path="/etc/passwd" dev="dm-0" ino=131956 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20638): avc: denied { setgid } for pid=1024 comm="cifs.upcall" capability=6 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1681921994.624:20639): avc: denied { setuid } for pid=1024 comm="cifs.upcall" capability=7 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1681921994.624:20640): avc: denied { getattr } for pid=1024 comm="cifs.upcall" path="/etc/krb5.conf" dev="dm-0" ino=131611 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20641): avc: denied { read } for pid=1024 comm="cifs.upcall" name="krb5.conf" dev="dm-0" ino=131611 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20642): avc: denied { open } for pid=1024 comm="cifs.upcall" path="/etc/krb5.conf" dev="dm-0" ino=131611 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20643): avc: denied { search } for pid=1024 comm="cifs.upcall" name="sss" dev="dm-0" ino=919636 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681921994.624:20644): avc: denied { search } for pid=1024 comm="cifs.upcall" name="pubconf" dev="dm-0" ino=919643 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681921994.624:20645): avc: denied { read } for pid=1024 comm="cifs.upcall" name="krb5.include.d" dev="dm-0" ino=920627 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681921994.624:20646): avc: denied { open } for pid=1024 comm="cifs.upcall" path="/var/lib/sss/pubconf/krb5.include.d" dev="dm-0" ino=920627 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681921994.624:20647): avc: denied { getattr } for pid=1024 comm="cifs.upcall" path="/var/lib/sss/pubconf/krb5.include.d" dev="dm-0" ino=920627 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681921994.624:20648): avc: denied { read } for pid=1024 comm="cifs.upcall" name="domain_realm_example_com" dev="dm-0" ino=916295 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20649): avc: denied { open } for pid=1024 comm="cifs.upcall" path="/var/lib/sss/pubconf/krb5.include.d/domain_realm_example_com" dev="dm-0" ino=916295 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20650): avc: denied { getattr } for pid=1024 comm="cifs.upcall" path="/var/lib/sss/pubconf/krb5.include.d/domain_realm_example_com" dev="dm-0" ino=916295 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20651): avc: denied { write } for pid=1024 comm="cifs.upcall" name=".heim_org.h5l.kcm-socket" dev="tmpfs" ino=1094 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1681921994.624:20652): avc: denied { connectto } for pid=1024 comm="cifs.upcall" path="/run/.heim_org.h5l.kcm-socket" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1681921994.671:20659): avc: denied { sendto } for pid=1024 comm="cifs.upcall" path="/run/systemd/journal/dev-log" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1681921994.696:20660): avc: denied { search } for pid=1024 comm="cifs.upcall" name="pki" dev="dm-0" ino=130847 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681921994.696:20661): avc: denied { read } for pid=1024 comm="cifs.upcall" name="openssl.cnf" dev="dm-0" ino=130968 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.696:20662): avc: denied { open } for pid=1024 comm="cifs.upcall" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=130968 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.696:20663): avc: denied { getattr } for pid=1024 comm="cifs.upcall" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=130968 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
```

Expected Results:
Successful mount.

```
# rpm -qa | grep -E 'keyutils|cifs|selinux-policy' | sort
cifs-utils-7.0-1.fc38.x86_64
cifs-utils-info-7.0-1.fc38.x86_64
keyutils-1.6.1-6.fc38.x86_64
keyutils-libs-1.6.1-6.fc38.x86_64
selinux-policy-38.10-1.fc38.noarch
selinux-policy-targeted-38.10-1.fc38.noarch

[root@xt ~]# uname -a
Linux vm.example.com 6.2.11-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Apr 13 20:27:09 UTC 2023 x86_64 GNU/Linux

# klist -A
Ticket cache: KCM:0
Default principal: user.COM

Valid starting       Expires              Service principal
04/19/2023 09:59:09  04/19/2023 19:59:09  krbtgt/AD.EXAMPLE.COM.COM
	renew until 04/20/2023 09:59:08
04/19/2023 10:15:38  04/19/2023 19:59:09  cifs/storage.ad.EXAMPLE.COM.COM
	renew until 04/20/2023 09:59:08
```
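The permissive-mode AVC list in the description and the `audit2allow` rule set in the comment above are two views of the same data: each `allow` line is the merge of every denial with the same source type, target type and object class. The following is an added example, not code from the bug report, from `audit2allow` or from the selinux-policy project, that performs that merge over a handful of AVC records copied from the report (a constructed sample; the full list would work the same way) and, as this example's own heuristic, marks the rules a policy maintainer would want to inspect before accepting `audit2allow` output verbatim: those that grant a capability or let the confined domain execute a new binary.

```python
"""Summarize SELinux AVC denials into audit2allow-style allow rules.

Added example; the grouping mirrors what audit2allow prints, the
"REVIEW" marker is this example's own triage heuristic, not a feature
of audit2allow.
"""
import re
from collections import defaultdict

# Constructed sample: AVC records copied from the bug report above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1681921994.615:20618): avc: denied { execute } for pid=1024 comm="request-key" name="cifs.upcall" dev="dm-0" ino=419889 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.615:20619): avc: denied { execute_no_trans } for pid=1024 comm="request-key" path="/usr/sbin/cifs.upcall" dev="dm-0" ino=419889 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.623:20627): avc: denied { search } for pid=1024 comm="cifs.upcall" name="1021" dev="proc" ino=22382 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1681921994.624:20634): avc: denied { sys_chroot } for pid=1024 comm="cifs.upcall" capability=18 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1681921994.624:20640): avc: denied { getattr } for pid=1024 comm="cifs.upcall" path="/etc/krb5.conf" dev="dm-0" ino=131611 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20641): avc: denied { read } for pid=1024 comm="cifs.upcall" name="krb5.conf" dev="dm-0" ino=131611 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681921994.624:20642): avc: denied { open } for pid=1024 comm="cifs.upcall" path="/etc/krb5.conf" dev="dm-0" ino=131611 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
"""

# The fields a rule needs: the permission set, both contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Third field of user:role:type[:range]; the MLS range may itself contain colons."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, {perms}) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"], set(m["perms"].split()))


def summarize(text):
    """Merge denials that share (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            src, tgt, cls, perms = rec
            # audit2allow prints a target equal to the source domain as "self"
            rules[(src, "self" if tgt == src else tgt, cls)] |= perms
    return dict(rules)


def format_rule(key, perms):
    """Render one rule in the same shape as the audit2allow output above."""
    src, tgt, cls = key
    ordered = sorted(perms)
    body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
    return f"allow {src} {tgt}:{cls} {body};"


def needs_review(key, perms):
    """Heuristic of this example: capabilities and new executables widen a
    confined domain the most, so they get a manual look before merging."""
    return key[2] == "capability" or bool(perms & {"execute", "execute_no_trans"})


def render(text):
    """Sorted rule lines, with a trailing marker on the ones worth inspecting."""
    rules = summarize(text)
    return [
        format_rule(key, rules[key]) + ("  # REVIEW" if needs_review(key, rules[key]) else "")
        for key in sorted(rules)
    ]


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_AVCS)))
```

Run against the sample, the three `/etc/krb5.conf` denials collapse into the single `allow keyutils_request_t krb5_conf_t:file { getattr open read };` line that appears in the comment above, while the `bin_t:file` and `self:capability` rules come back marked for review. Feeding the full AVC list from the description through `summarize` reproduces the rest of that rule set.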