Bug 634945

Summary: smbcontrol doesn't work because selinux denies it access to pid files
Product: Red Hat Enterprise Linux 6 Reporter: Ales Zelinka <azelinka>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 6.0CC: dwalsh, mmalik, snagar
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-56.el6 Doc Type: Bug Fix
Doc Text:
Due to incorrect SELinux policy, smbcontrol, a utility that sends messages to the smbd, nmbd, or winbindd service, did not work properly. This error has been fixed, the relevant policy code has been added, and SELinux no longer prevents smbcontrol from working.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 11:55:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 644807    

Description Ales Zelinka 2010-09-17 12:08:47 UTC 
Description of problem:
$ smbcontrol nmbd debug 1
Can't find pid for destination 'nmbd'

type=AVC msg=audit(1284724741.570:42187): avc:  denied  { open } for  pid=4111 comm="smbcontrol" name="nmbd.pid" dev=dm-0 ino=267506 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nmbd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1284724741.570:42187): arch=40000003 syscall=5 success=no exit=-13 a0=1967d78 a1=8800 a2=0 a3=bfa5e638 items=0 ppid=3841 pid=4111 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=117 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)

the same for smbd service

In permissive mode:
type=AVC msg=audit(1284724914.782:42202): avc:  denied  { read } for  pid=4135 comm="smbcontrol" name="smbd.pid" dev=dm-0 ino=267509 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:smbd_var_run_t:s0 tclass=file
type=AVC msg=audit(1284724914.782:42202): avc:  denied  { open } for  pid=4135 comm="smbcontrol" name="smbd.pid" dev=dm-0 ino=267509 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:smbd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1284724914.782:42202): arch=40000003 syscall=5 success=yes exit=7 a0=1812d78 a1=8800 a2=0 a3=bff26638 items=0 ppid=3841 pid=4135 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=117 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1284724914.782:42203): avc:  denied  { signull } for  pid=4135 comm="smbcontrol" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:smbd_t:s0 tclass=process
type=SYSCALL msg=audit(1284724914.782:42203): arch=40000003 syscall=37 success=yes exit=0 a0=f20 a1=0 a2=eb3ff4 a3=f20 items=0 ppid=3841 pid=4135 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=117 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1284724914.783:42204): avc:  denied  { lock } for  pid=4135 comm="smbcontrol" path="/var/run/smbd.pid" dev=dm-0 ino=267509 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:smbd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1284724914.783:42204): arch=40000003 syscall=221 success=no exit=-11 a0=7 a1=d a2=bff26088 a3=eb7fe0 items=0 ppid=3841 pid=4135 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=117 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)



Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-54.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. start smb service
2. run smbcontrol smbd debug 5
Comment 3 Daniel Walsh 2010-09-17 13:34:26 UTC 
Miroslav, these  should look like


allow smbcontrol_t nmbd_t:process { signal signull };
allow smbcontrol_t nmbd_var_run_t:file read_files_pattern;

allow smbcontrol_t smbd_t:process { signal signull };
allow smbcontrol_t smbd_var_run_t:file read_files_pattern;
allow smbcontrol_t winbind_t:process { signal signull };
Comment 4 Milos Malik 2010-09-17 13:40:36 UTC 
Automated test also found this:
----
time->Fri Sep 17 15:35:45 2010
type=SYSCALL msg=audit(1284730545.500:438): arch=40000003 syscall=33 success=no exit=-13 a0=bfad5897 a1=4 a2=e15ff4 a3=ffffffac items=0 ppid=14732 pid=14733 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1284730545.500:438): avc:  denied  { read } for  pid=14733 comm="winbindd" name="unix" dev=proc ino=4026531990 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
Comment 6 Milos Malik 2010-09-17 14:17:50 UTC 
I added some smbcontrol commands to the automated test and new AVC appeared:
----
time->Fri Sep 17 16:11:36 2010
type=SYSCALL msg=audit(1284732696.170:654): arch=40000003 syscall=37 success=no exit=-13 a0=4fbc a1=a a2=c7eff4 a3=123f498 items=0 ppid=1 pid=20227 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1284732696.170:654): avc:  denied  { signal } for  pid=20227 comm="winbindd" scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=process
----

What does a constraint violation mean in this context?

# ausearch -m avc -ts recent | audit2allow

#============= smbcontrol_t ==============
allow smbcontrol_t nmbd_var_run_t:file open;
allow smbcontrol_t smbd_var_run_t:file read;

#============= winbind_t ==============
allow winbind_t proc_net_t:file read;
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow winbind_t smbcontrol_t:process signal;
Comment 7 Miroslav Grepl 2010-09-17 14:20:06 UTC 
The problem is the smbcontrol is executed by hand. So there is a transition from unconfined which is running with MCS label of s0-s0:c0.c1023 and smbcontrol_t ends up with the same MCS label.

Not sure how we can handle this.
Comment 8 Milos Malik 2010-09-17 14:29:10 UTC 
Together 3 constraint violation AVCs were found in permissive mode:
----
time->Fri Sep 17 16:21:13 2010
type=SYSCALL msg=audit(1284733273.996:688): arch=40000003 syscall=37
success=yes exit=0 a0=52fd a1=a a2=e73ff4 a3=209d9f0 items=0 ppid=1 pid=21182
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0
key=(null)
type=AVC msg=audit(1284733273.996:688): avc:  denied  { signal } for  pid=21182
comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0
tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Sep 17 16:21:25 2010
type=SYSCALL msg=audit(1284733285.560:690): arch=40000003 syscall=37
success=yes exit=0 a0=5329 a1=a a2=936ff4 a3=192b938 items=0 ppid=1 pid=21202
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0
key=(null)
type=AVC msg=audit(1284733285.560:690): avc:  denied  { signal } for  pid=21202
comm="nmbd" scontext=unconfined_u:system_r:nmbd_t:s0
tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Sep 17 16:21:36 2010
type=SYSCALL msg=audit(1284733296.880:691): arch=40000003 syscall=37
success=yes exit=0 a0=5353 a1=a a2=eafff4 a3=1a95498 items=0 ppid=1 pid=21221
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
comm="winbindd" exe="/usr/sbin/winbindd"
subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1284733296.880:691): avc:  denied  { signal } for  pid=21221
comm="winbindd" scontext=unconfined_u:system_r:winbind_t:s0
tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=process
----
Comment 11 Daniel Walsh 2010-09-22 20:57:36 UTC 
Miroslav, grab the changes I made to f14 involving


mcs_untrusted_proc
mcsuntrustedproc

Should fix this problem.
Comment 12 Miroslav Grepl 2010-09-23 10:46:05 UTC 
Dan,
the fix works. Thanks.
Comment 13 Miroslav Grepl 2010-10-06 08:35:45 UTC 
Fixed in selinux-policy-3.7.19-56.el6.noarch.
Comment 15 Jaromir Hradilek 2010-10-21 08:53:05 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Due to incorrect SELinux policy, smbcontrol, a utility that sends messages to the smbd, nmbd, or winbindd service, did not work properly. This error has been fixed, the relevant policy code has been added, and SELinux no longer prevents smbcontrol from working.
Comment 18 errata-xmlrpc 2011-05-19 11:55:14 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html