Bug 2231737
| Field | Value |
|---|---|
| Summary | SELinux is preventing cifs.upcall from using the 'sys_admin' capabilities. |
| Product | Fedora |
| Component | selinux-policy |
| Version | 38 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | ASSIGNED |
| Severity | unspecified |
| Priority | high |
| Reporter | James <james> |
| Assignee | Zdenek Pytela <zpytela> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, james, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone | --- |
| Target Release | --- |
| Whiteboard | abrt_hash:b4605907cb77df401ac5573d2e0df8500432a1b1c41b77313378a73b8072cfb8;VARIANT_ID=workstation; |
| Doc Type | If docs needed, set a value |
Created attachment 1983216 [details]
File: description
Created attachment 1983217 [details]
File: os_info
Note that there's a pattern of alerts related to cifs.upcall -- this is the .te file generated by audit2allow in this case:
```
module my-cifsupcall 1.0;

require {
	type syslogd_var_run_t;
	type nsfs_t;
	type mount_t;
	type kerberos_port_t;
	type keyutils_request_t;
	type sssd_public_t;
	type sssd_t;
	type cert_t;
	type sssd_var_run_t;
	type kernel_t;
	type bin_t;
	type cifs_helper_t;
	type krb5_conf_t;
	type passwd_file_t;
	type init_var_run_t;
	type sssd_var_lib_t;
	type devlog_t;
	class file { getattr map open read };
	class lnk_file read;
	class sock_file write;
	class dir { getattr open read search };
	class unix_dgram_socket sendto;
	class process setcap;
	class capability { setgid setuid sys_admin sys_chroot sys_ptrace };
	class tcp_socket { connect create getopt name_connect setopt };
	class unix_stream_socket connectto;
}

#============= cifs_helper_t ==============
allow cifs_helper_t self:capability { sys_admin sys_ptrace };
allow cifs_helper_t sssd_var_run_t:sock_file write;

#============= keyutils_request_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow keyutils_request_t bin_t:file map;
allow keyutils_request_t cert_t:dir search;
allow keyutils_request_t cert_t:file { getattr open read };

#!!!! This avc is allowed in the current policy
allow keyutils_request_t devlog_t:lnk_file read;

#!!!! This avc is allowed in the current policy
allow keyutils_request_t devlog_t:sock_file write;

#!!!! This avc is allowed in the current policy
allow keyutils_request_t init_var_run_t:dir search;
allow keyutils_request_t kerberos_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow keyutils_request_t kernel_t:unix_dgram_socket sendto;
allow keyutils_request_t krb5_conf_t:file { getattr open read };
allow keyutils_request_t mount_t:dir search;
allow keyutils_request_t mount_t:file { open read };
allow keyutils_request_t mount_t:lnk_file read;
allow keyutils_request_t nsfs_t:file { getattr open read };
allow keyutils_request_t passwd_file_t:file { getattr open read };
allow keyutils_request_t self:capability { setgid setuid sys_chroot sys_ptrace };
allow keyutils_request_t self:process setcap;
allow keyutils_request_t self:tcp_socket { connect create getopt setopt };
allow keyutils_request_t sssd_public_t:dir { getattr open read search };
allow keyutils_request_t sssd_public_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow keyutils_request_t sssd_public_t:file map;
allow keyutils_request_t sssd_t:unix_stream_socket connectto;
allow keyutils_request_t sssd_var_lib_t:dir search;
allow keyutils_request_t sssd_var_run_t:sock_file write;

#!!!! This avc is allowed in the current policy
allow keyutils_request_t syslogd_var_run_t:dir search;
```
James, do you know when these issues started to happen, like some particular update? Can you please gather more details with full auditing enabled?

https://bugzilla.redhat.com/show_bug.cgi?id=2220943

I don't really know when it started (updated to selinux-policy-targeted-38.22-1.fc38.noarch from 38.21-1 on 1 Aug) since dnf won't allow me to downgrade, and I don't use SMB very often on this machine (mostly NFS).
The full audit data:

```
type=PROCTITLE msg=audit(15/08/23 22:30:08.434:1983) : proctitle=cifs.upcall 335004708
type=SYSCALL msg=audit(15/08/23 22:30:08.434:1983) : arch=x86_64 syscall=setns success=no exit=EPERM(Operation not permitted) a0=0x4 a1=CLONE_STOPPED a2=0x563a157a5040 a3=0x0 items=0 ppid=132135 pid=132502 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cifs.upcall exe=/usr/sbin/cifs.upcall subj=system_u:system_r:cifs_helper_t:s0 key=(null)
type=AVC msg=audit(15/08/23 22:30:08.434:1983) : avc: denied { sys_admin } for pid=132502 comm=cifs.upcall capability=sys_admin scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0
```

Kernel calltrace from perf:

```
cifs.upcall 132220 [013] 187746.482896: avc:selinux_audited: requested=0x200000 denied=0x200000 audited=0x200000 result=-13 scontex>
        ffffffff916e1a35 avc_audit_post_callback+0x205 ([kernel.kallsyms])
        ffffffff916e1a35 avc_audit_post_callback+0x205 ([kernel.kallsyms])
        ffffffff9170a922 common_lsm_audit+0x2b2 ([kernel.kallsyms])
        ffffffff916e2d0c slow_avc_audit+0xbc ([kernel.kallsyms])
        ffffffff916e7f1a cred_has_capability.isra.0+0x11a ([kernel.kallsyms])
        ffffffff916dc234 security_capable+0x44 ([kernel.kallsyms])
        ffffffff9111e02b ns_capable+0x2b ([kernel.kallsyms])
        ffffffff91219e77 cgroupns_install+0x27 ([kernel.kallsyms])
        ffffffff911459a4 __do_sys_setns+0x184 ([kernel.kallsyms])
        ffffffff91f99360 do_syscall_64+0x60 ([kernel.kallsyms])
        ffffffff920000f3 entry_SYSCALL_64_after_hwframe+0x77 ([kernel.kallsyms])
            7f3a81945e2b setns+0xb (/usr/lib64/libc.so.6)
            558bffe7ebd5 [unknown] (/usr/sbin/cifs.upcall)
            7f3a81859b49 __libc_start_call_main+0x79 (/usr/lib64/libc.so.6)
            7f3a81859c0a __libc_start_main@@GLIBC_2.34+0x8a (/usr/lib64/libc.so.6)
            558bffe80064 [unknown] (/usr/sbin/cifs.upcall)
```

/sys/kernel/tracing/trace:

```
# entries-in-buffer/entries-written: 2/2   #P:16
#
#                                _-----=> irqs-off/BH-disabled
#                               / _----=> need-resched
#                              | / _---=> hardirq/softirq
#                              || / _--=> preempt-depth
#                              ||| / _-=> migrate-disable
#                              |||| /     delay
#           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION
#              | |         |   |||||     |         |
     cifs.upcall-132286  [009] ..... 187807.205554: selinux_audited: requested=0x200000 denied=0x200000 audited=0x200000 result=-13 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability
     cifs.upcall-132286  [009] ..... 187807.205562: <stack trace>
 => trace_event_raw_event_selinux_audited
 => avc_audit_post_callback
 => common_lsm_audit
 => slow_avc_audit
 => cred_has_capability.isra.0
 => security_capable
 => ns_capable
 => cgroupns_install
 => __do_sys_setns
 => do_syscall_64
 => entry_SYSCALL_64_after_hwframe
```
Description of problem:
Attempting to access an automounted SMB share using Kerberos credentials cached in sss-kcm.

SELinux is preventing cifs.upcall from using the 'sys_admin' capabilities.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that cifs.upcall should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:

```
# ausearch -c 'cifs.upcall' --raw | audit2allow -M my-cifsupcall
# semodule -X 300 -i my-cifsupcall.pp
```

Additional Information:
Source Context                system_u:system_r:cifs_helper_t:s0
Target Context                system_u:system_r:cifs_helper_t:s0
Target Objects                Unknown [ capability ]
Source                        cifs.upcall
Source Path                   cifs.upcall
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.24-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.24-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.4.9-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Aug 8 21:21:11 UTC 2023 x86_64
Alert Count                   1
First Seen                    2023-08-13 18:32:36 BST
Last Seen                     2023-08-13 18:32:36 BST
Local ID                      10279626-0309-45ad-8835-28412f7d9fef

Raw Audit Messages

```
type=AVC msg=audit(1691947956.205:393): avc: denied { sys_admin } for pid=7870 comm="cifs.upcall" capability=21 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0
```

Hash: cifs.upcall,cifs_helper_t,cifs_helper_t,capability,sys_admin

Version-Release number of selected component:
selinux-policy-targeted-38.24-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing cifs.upcall from using the 'sys_admin' capabilities.
package:        selinux-policy-targeted-38.24-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.4.9-200.fc38.x86_64
comment:        Attempting to access an automounted SMB share using Kerberos credentials cached in sss-kcm.
component:      selinux-policy
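The raw AVC record in the setroubleshoot report names the capability only by number (capability=21) while the `ausearch -i` output in the audit data names it (capability=sys_admin). As an added triage helper, not code from the report or from selinux-policy, the following parses both forms, resolves the capability number, and collapses denials into one allow rule per type/class the way audit2allow did for the .te module above; the first two sample lines are the AVC records quoted in this bug, the third is constructed to stand for the sys_ptrace denial that the generated rule also covers.

```python
import re

# Linux capability numbers as they appear in raw AVC records (capability=N).
CAPABILITY_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(ctx): return (ctx.split(":") + ["", "", ""])[2]  # user:role:type:level -> type

def parse_avc(line):
    """Parse one AVC denial (raw or `ausearch -i` form); other record types give None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = sorted(m.group("perms").split())
    cap = rec.get("capability", "")
    if cap.isdigit() and int(cap) < len(CAPABILITY_NAMES):
        rec["capability"] = CAPABILITY_NAMES[int(cap)]  # 21 -> sys_admin, 19 -> sys_ptrace
    rec["source_type"] = type_of(rec.get("scontext", ""))
    rec["target_type"] = type_of(rec.get("tcontext", ""))
    return rec

def merge_rules(lines):
    """One allow rule per (source, target, class), merging perms across events like audit2allow."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        target = "self" if rec["source_type"] == rec["target_type"] else rec["target_type"]
        merged.setdefault((rec["source_type"], target, rec["tclass"]), set()).update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(merged.items())]

# Sample records: the first two are the AVC lines quoted in this report,
# the third is constructed to stand for the sys_ptrace denial in the .te above.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1691947956.205:393): avc: denied { sys_admin } for pid=7870 comm="cifs.upcall" capability=21 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(15/08/23 22:30:08.434:1983) : avc: denied { sys_admin } for pid=132502 comm=cifs.upcall capability=sys_admin scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1691947956.205:394): avc: denied { sys_ptrace } for pid=7870 comm="cifs.upcall" capability=19 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0',
]
```

`merge_rules(SAMPLE_AVCS)` yields exactly the `allow cifs_helper_t self:capability { sys_admin sys_ptrace };` line from the generated module, which is worth recognising before loading it: it grants the whole CAP_SYS_ADMIN to cifs_helper_t even though the calltrace shows the single setns() call that needs it.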