Bug 2307812
| Summary: | avc denials with samba's "io_uring" module | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matt Kinni <matt> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 40 | CC: | dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-40.28-1.fc40 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2024-10-08 01:38:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
FEDORA-2024-75212378ea (selinux-policy-40.28-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-75212378ea FEDORA-2024-75212378ea has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-75212378ea` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-75212378ea See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2024-75212378ea (selinux-policy-40.28-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report. |
Hello, I am getting the following denials accessing a samba share with "vfs objects = io_uring" enabled: [root@fedora-4gb-nbg1-2 ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today ---- type=AVC msg=audit(08/25/2024 22:56:47.375:253) : avc: denied { create } for pid=1244 comm=smbd[127.0.0.1] anonclass=[io_uring] scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- type=AVC msg=audit(08/25/2024 22:56:47.375:254) : avc: denied { map } for pid=1244 comm=smbd[127.0.0.1] path=anon_inode:[io_uring] dev="anon_inodefs" ino=11089 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- type=AVC msg=audit(08/25/2024 22:56:47.375:255) : avc: denied { read write } for pid=1244 comm=smbd[127.0.0.1] path=anon_inode:[io_uring] dev="anon_inodefs" ino=11089 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 Reproducible: Always Steps to Reproduce: 1. dnf install samba samba-client samba-vfs-iouring policycoreutils-python-utils 2. mkdir /srv/share1 && chmod 777 /srv/share1 3. semanage fcontext -a -t samba_share_t '/srv(/.*)' && restorecon /srv/share1 4. In /etc/samba/smb.conf: [global] workgroup = SAMBA security = user map to guest = Bad Password passdb backend = tdbsam server multi channel support = no server smb encrypt = no vfs objects = streams_xattr io_uring [share1] path = /srv/share1 available = yes browseable = yes writeable = yes guest ok = yes 5. systemctl start smb 6. setenforce 0 and then perform the following simple test to gather the denials: touch myfile smbclient --no-pass \\\\localhost\\share1 smb: \> put myfile smb: \> get myfile smb: \> quit Actual Results: AVC denials that block accessing the share if selinux is Enforcing Expected Results: No AVC denial The repro steps were performed on a fresh F40 Hetzner VM with the following: - selinux-policy-targeted-40.27-1.fc40.noarch - kernel-core-6.10.6-200.fc40.x86_64