Bug 2190331

Summary: SELinux prevents mount.cifs, request-key and cifs.idmap
Product: [Fedora] Fedora Reporter: Huanian Li <huanli>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-11 20:05:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Huanian Li 2023-04-28 00:34:21 UTC 
When we run CIFS Connectathon test suite, we found the error message in avc.log, e.g.
time->Tue Apr  4 11:58:59 2023
type=AVC msg=audit(1680623939.151:507): avc:  denied  { execute } for  pid=147313 comm="request-key" name="cifs.idmap" dev="dm-0" ino=17287916 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Tue Apr  4 11:58:59 2023
type=AVC msg=audit(1680623939.151:508): avc:  denied  { execute_no_trans } for  pid=147313 comm="request-key" path="/usr/sbin/cifs.idmap" dev="dm-0" ino=17287916 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Tue Apr  4 11:58:59 2023
type=AVC msg=audit(1680623939.151:509): avc:  denied  { map } for  pid=147313 comm="cifs.idmap" path="/usr/sbin/cifs.idmap" dev="dm-0" ino=17287916 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1

...<snip>...


For details, please refer to:
o https://datawarehouse.cki-project.org/kcidb/tests/7698385
o https://gitlab.com/redhat/centos-stream/tests/kernel/kernel-tests/-/issues/1525

Reproducible: Always

Steps to Reproduce:
1. wget -O /tmp/foo.xml https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/827640525/test%20ppc64le/4058794824/artifacts/testid6/beaker.xml
2. bkr job-submit /tmp/foo.xml
Actual Results:  
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-38.9-1.fc39.noarch
----
time->Tue Apr  4 11:58:59 2023
type=AVC msg=audit(1680623939.151:507): avc:  denied  { execute } for  pid=147313 comm="request-key" name="cifs.idmap" dev="dm-0" ino=17287916 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Tue Apr  4 11:58:59 2023
type=AVC msg=audit(1680623939.151:508): avc:  denied  { execute_no_trans } for  pid=147313 comm="request-key" path="/usr/sbin/cifs.idmap" dev="dm-0" ino=17287916 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Tue Apr  4 11:58:59 2023
type=AVC msg=audit(1680623939.151:509): avc:  denied  { map } for  pid=147313 comm="cifs.idmap" path="/usr/sbin/cifs.idmap" dev="dm-0" ino=17287916 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1

...<snip>...



Expected Results:  
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-38.9-1.fc39.noarch

CKI DW ISSUE: https://datawarehouse.cki-project.org/issue/1797
Comment 1 Zdenek Pytela 2023-05-11 20:05:21 UTC 

*** This bug has been marked as a duplicate of bug 2182643 ***