Bug 741967

Summary: SE Linux policies for Clustered Samba commands
Product: Red Hat Enterprise Linux 6
Reporter: Nate Straz <nstraz>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.1
CC: dwalsh, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-116.el6
Doc Type: Bug Fix
Clone Of: 719738
Last Closed: 2011-12-06 10:19:32 UTC
Bug Depends On: 719738
Bug Blocks: 672641
Attachments:
- ausearch output from dash-01 (flags: none)
- AVCs seen when running the automated test in permissive mode (flags: none)

Description Nate Straz 2011-09-28 15:54:15 UTC
+++ This bug was initially created as a clone of Bug #719738 +++

I found another command that doesn't work when selinux is enabled with clustering on in samba.  smbcontrol needs access to ctdb.socket.


type=AVC msg=audit(1317220776.455:50562): avc:  denied  { write } for  pid=11780 comm="smbcontrol" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file

--- Additional comment from dwalsh on 2011-09-28 11:33:42 EDT ---

That is a different bug.

Miroslav, let's add

optional_policy(`
	ctdbd_stream_connect(smbcontrol_t)
')

I think the rest of the bug reported here is fixed in the latest RHEL6 policy?

Comment 1 Nate Straz 2011-09-28 16:01:02 UTC
Looking through audit.log shows that winbindd probably needs the same policy change.

type=AVC msg=audit(1317076246.144:48811): avc:  denied  { write } for  pid=5425 comm="winbindd" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file

Comment 3 Daniel Walsh 2011-09-28 19:32:59 UTC
Do you know if these actual programs need to talk to this socket?  Or could this be a leak?  Can you attach the full output of 

ausearch -m avc

Comment 4 Nate Straz 2011-09-28 19:51:52 UTC
Created attachment 525391 [details]
ausearch output from dash-01

Yeah, I'm pretty sure they do.  I was trying to reload the samba config with smbcontrol and CTDB also manages winbindd when asked to.

Comment 5 Miroslav Grepl 2011-09-29 07:38:46 UTC
Ok, I will add it.

For other AVC msgs, AFAIK we discussed it in

https://bugzilla.redhat.com/show_bug.cgi?id=719738

and you need to run all needed steps in this bug and also please test it with the latest policy. Thanks.

Comment 6 Milos Malik 2011-09-29 08:08:21 UTC
Both nmbd and winbindd need a change in policy:

# ausearch -m avc -m user_avc -ts today -i
----
type=PATH msg=audit(09/29/2011 10:04:31.134:152) : item=0 name=(null) inode=18340 dev=fd:00 mode=socket,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ctdbd_tmp_t:s0 
type=SOCKADDR msg=audit(09/29/2011 10:04:31.134:152) : saddr=local /tmp/ctdb.socket 
type=SOCKETCALL msg=audit(09/29/2011 10:04:31.134:152) : nargs=3 a0=7 a1=bfd1a98e a2=6e 
type=SYSCALL msg=audit(09/29/2011 10:04:31.134:152) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd1a900 a2=c64ff4 a3=16cdd68 items=1 ppid=14549 pid=14550 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=winbindd exe=/usr/sbin/winbindd subj=unconfined_u:system_r:winbind_t:s0 key=(null) 
type=AVC msg=audit(09/29/2011 10:04:31.134:152) : avc:  denied  { write } for  pid=14550 comm=winbindd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file 
----
type=PATH msg=audit(09/29/2011 10:05:56.610:153) : item=0 name=(null) inode=18340 dev=fd:00 mode=socket,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ctdbd_tmp_t:s0 
type=SOCKADDR msg=audit(09/29/2011 10:05:56.610:153) : saddr=local /tmp/ctdb.socket 
type=SOCKETCALL msg=audit(09/29/2011 10:05:56.610:153) : nargs=3 a0=7 a1=bfd4777e a2=6e 
type=SYSCALL msg=audit(09/29/2011 10:05:56.610:153) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd476f0 a2=100cff4 a3=196cd80 items=1 ppid=14913 pid=14914 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=nmbd exe=/usr/sbin/nmbd subj=unconfined_u:system_r:nmbd_t:s0 key=(null) 
type=AVC msg=audit(09/29/2011 10:05:56.610:153) : avc:  denied  { write } for  pid=14914 comm=nmbd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file 
#
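The denials quoted in this bug all share one shape: a confined Samba domain is denied `write` on the `ctdbd_tmp_t` socket file, and the fix is the `ctdbd_stream_connect()` interface dwalsh proposed for `smbcontrol_t`. The script below is an added example, not part of the bug or of selinux-policy: it parses AVC records in both the raw audit.log form and the `ausearch -i` interpreted form shown above (the sample is constructed from the lines in this report), collects the source domains that hit the ctdb socket, and renders one `optional_policy` block per domain. It only mechanizes the reading of the log; whether each program legitimately needs the socket (the "could this be a leak?" question in comment 3) still has to be confirmed by hand.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records quoted in this bug, in raw audit.log form
# (epoch timestamp, quoted values) and ausearch -i form (unquoted values),
# plus one non-AVC record that the parser must skip.
SAMPLE_AVCS = """\
type=AVC msg=audit(1317220776.455:50562): avc:  denied  { write } for  pid=11780 comm="smbcontrol" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1317076246.144:48811): avc:  denied  { write } for  pid=5425 comm="winbindd" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(09/29/2011 10:04:31.134:152) : avc:  denied  { write } for  pid=14550 comm=winbindd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(09/29/2011 10:05:56.610:153) : avc:  denied  { write } for  pid=14914 comm=nmbd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(09/29/2011 10:05:56.610:153) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) comm=nmbd
"""

# Matches the fields of one AVC denial; comm may or may not be double-quoted.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'comm="?(?P<comm>[^"\s]+)"? .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms, comm) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH, SOCKADDR and SYSCALL records carry no AVC fields
        stype = m.group("scontext").split(":")[2]  # user:role:TYPE[:range]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), frozenset(m.group("perms").split()), m.group("comm")

def domains_needing_ctdb_socket(text):
    """Map each source domain denied write on the ctdbd_tmp_t socket to the comm values seen."""
    needed = defaultdict(set)
    for stype, ttype, tclass, perms, comm in parse_avcs(text):
        if ttype == "ctdbd_tmp_t" and tclass == "sock_file" and "write" in perms:
            needed[stype].add(comm)
    return needed

def policy_fragment(text):
    """Render one optional_policy block per affected domain with the interface from this bug."""
    blocks = ["optional_policy(`\n\tctdbd_stream_connect(%s)\n')" % stype
              for stype in sorted(domains_needing_ctdb_socket(text))]
    return "\n\n".join(blocks)

if __name__ == "__main__":
    print(policy_fragment(SAMPLE_AVCS))
```

On a live system, feed it the output of `ausearch -m avc -m user_avc -i` instead of the constructed sample.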

Comment 7 Miroslav Grepl 2011-09-29 08:35:39 UTC
Makes sense

Comment 8 Milos Malik 2011-09-29 09:20:50 UTC
Created attachment 525494 [details]
AVCs seen when running the automated test in permissive mode

Comment 9 Miroslav Grepl 2011-09-29 10:21:44 UTC
I am fixing them.

Comment 10 Miroslav Grepl 2011-10-03 14:00:35 UTC
Fixed in selinux-policy-3.7.19-114.el6

Comment 13 Miroslav Grepl 2011-10-07 07:36:11 UTC
Ok, I found a typo in the samba policy file.

Comment 14 Miroslav Grepl 2011-10-12 18:18:34 UTC
Fixed in selinux-policy-3.7.19-116.el6

Comment 16 errata-xmlrpc 2011-12-06 10:19:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html