Bug 2210771
| Summary: | AVC reported when configuring custom print command in smb.conf | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Abhijeet Joshi <abjoshi> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 8.8 | CC: | aboscatt, asn, ckrell, dkarpele, lvrabec, mmalik, pfilipen, pjagtap, redhat-bugzilla, rmetrich, robert.scheck |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.9 | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-125.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2230365 | Environment: | |
| Last Closed: | 2023-11-14 15:47:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2230365 | | |
Comment 1
Zdenek Pytela
2023-05-29 14:33:23 UTC
Discussed also with Andreas Schneider. Denis will create a test using the virtual PDF printer: https://wiki.samba.org/index.php/Virtual_PDF_Printer

Note that we have a config change at one point to use /var/tmp as the directory for temporary printing files:

```
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
```

So the dcerpc process needs to be able to write to /var/tmp.
I've added support for using private tmp files in rawhide. You can try the rawhide scratchbuild: https://github.com/fedora-selinux/selinux-policy/pull/1807 (Checks -> Artifacts -> rpms.zip).

Note that from the SELinux PoV there is no difference between /tmp and /var/tmp.

As of writing, the following Samba configuration is used:

```
$ cat /etc/samba/smb.conf
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
[opsi_depot]
available = yes
comment = opsi depot share (ro)
path = /var/lib/opsi/depot
follow symlinks = yes
writeable = no
invalid users = root
acl allow execute always = true
[opsi_depot_rw]
available = yes
comment = opsi depot share (rw)
path = /var/lib/opsi/depot
follow symlinks = yes
writeable = yes
invalid users = root
[opsi_images]
available = yes
comment = opsi ntfs images share (rw)
path = /var/lib/opsi/ntfs-images
writeable = yes
invalid users = root
[opsi_workbench]
available = yes
comment = opsi workbench
path = /var/lib/opsi/workbench
writeable = yes
invalid users = root
create mask = 0660
directory mask = 0770
[opsi_repository]
available = yes
comment = opsi repository share (ro)
path = /var/lib/opsi/repository
follow symlinks = yes
writeable = no
invalid users = root
[opsi_logs]
available = yes
comment = opsi logs share (ro)
path = /var/log/opsi
follow symlinks = yes
writeable = no
invalid users = root
[opsi_secrets$]
available = yes
comment = local admin passwords (rw)
path = /var/lib/opsi/secrets
writable = yes
invalid users = root
follow symlinks = yes
$
```
There is no CUPS installed on the system (only cups-client-2.2.6-51.el8.x86_64 and cups-libs-2.2.6-51.el8.x86_64).

A specific AVC denied message that we see (which we do not know how to reproduce) is:

```
type=AVC msg=audit(1690789093.891:70053): avc: denied { ioctl } for pid=516629 comm="samba-dcerpcd" path="/var/lib/opsi/depot" dev="sdb1" ino=268820800 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1690789093.891:70053): arch=c000003e syscall=59 success=yes exit=0 a0=56406679f040 a1=56406679f5b0 a2=564066770550 a3=8 items=0 ppid=516533 pid=516629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=EXECVE msg=audit(1690789093.891:70053): argc=5 a0="/usr/libexec/samba/samba-dcerpcd" a1="--libexec-rpcds" a2="--ready-signal-fd=31" a3="--np-helper" a4="--debuglevel=0"
type=PROCTITLE msg=audit(1690789093.891:70053): proctitle=2F7573722F6C6962657865632F73616D62612F73616D62612D64636572706364002D2D6C6962657865632D7270636473002D2D72656164792D7369676E616C2D66643D3331002D2D6E702D68656C706572002D2D64656275676C6576656C3D30
```

Given that the SELinux boolean samba_enable_home_dirs has, since RHEL 8.8, granted a lot to winbind_rpcd_t (resulting from other RHBZs), what is the issue with doing the equivalent for samba_export_all_rw (and samba_export_all_ro)? Because right now the latter two SELinux booleans grant nothing to winbind_rpcd_t.

I've been pointed by CEE/GSS based on case #03449210 to this bug report, but I cannot see how https://github.com/fedora-selinux/selinux-policy/commit/2a1568bd76aa0959e4e02d95716b24b8d7f35ab3 (= selinux-policy-3.14.3-125.el8) would address our issue from comment #10 (which is the main issue of case #03449210).

Given that it feels like some Red Hat people mixed up two different issues in the same RHBZ, I would like to try to clarify this: Red Hat pointed us from case 03449210 to this RHBZ. We only care about the AVC denied messages in comment #10, our Samba configuration is exactly as in comment #10, and we do not use any printing and cannot answer any printing-related questions.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:7091
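As an added example (not code from the thread or from selinux-policy), the following Python parses AVC records like the one quoted above into the fields type enforcement actually keys on (source type, target type, object class, permissions) and renders the allow rule the denial is missing, which is the first thing to check before deciding whether the right fix is a new rule, a relabel of the share, or a boolean. The sample input is constructed from the AVC line in the report; its SYSCALL companion is trimmed to a few fields.

```python
"""Parse SELinux AVC records and show which policy rule a denial is missing."""
import re
from collections import Counter

# Constructed sample input: the AVC record quoted in the bug report (event 1690789093.891:70053),
# plus its SYSCALL companion trimmed to a few fields so the non-AVC code path is exercised too.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1690789093.891:70053): avc: denied { ioctl } for pid=516629 comm="samba-dcerpcd" path="/var/lib/opsi/depot" dev="sdb1" ino=268820800 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1690789093.891:70053): arch=c000003e syscall=59 success=yes exit=0 comm="samba-dcerpcd"
"""

AVC_RE = re.compile(r"type=AVC .*?avc: +(?P<decision>denied|granted) +\{ (?P<perms>[^}]+)\} +for +(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the policy-relevant fields of one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": kv.get("comm"),
        "path": kv.get("path"),
        "tclass": kv["tclass"],
        # A context is user:role:type[:range]; type enforcement rules key on the type field only.
        "stype": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
        # permissive=1 means the access was logged but not blocked (permissive domain or mode).
        "permissive": kv.get("permissive") == "1",
    }


def to_te_rule(rec):
    """Render the allow rule this denial is missing, in .te syntax (what audit2allow would propose)."""
    return "allow %s %s:%s { %s };" % (rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))


def summarise(audit_text):
    """Count enforced denials by (source type, permissions, target class, target type)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied" and not rec["permissive"]:
            counts[(rec["stype"], " ".join(rec["perms"]), rec["tclass"], rec["ttype"])] += 1
    return counts


if __name__ == "__main__":
    print(to_te_rule(parse_avc(SAMPLE_AUDIT.splitlines()[0])))
```

For the record above this yields `allow winbind_rpcd_t var_lib_t:dir { ioctl };`, i.e. the share path still carries the generic var_lib_t label rather than one the Samba booleans cover, which is exactly the gap the thread is about.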