Bug 1215885 - [SELinux] SMB: WIth selinux in enforcing mode the mount to a gluster volume on cifs fails with i/o error.
Summary: [SELinux] SMB: WIth selinux in enforcing mode the mount to a gluster volume o...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: samba
Version: rhgs-3.1
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: RHGS 3.1.0
Assignee: Jose A. Rivera
QA Contact: surabhi
URL:
Whiteboard: SELinux
Depends On: 1221929
Blocks: 1202842 1212796
TreeView+ depends on / blocked
 
Reported: 2015-04-28 05:18 UTC by surabhi
Modified: 2015-07-29 04:42 UTC (History)
11 users (show)

Fixed In Version: selinux-policy-3.7.19-271.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-29 04:42:21 UTC
Target Upstream Version:


Attachments (Terms of Use)
AVC's for virt_migration and sysctl_net (4.13 MB, text/plain)
2015-05-15 09:20 UTC, surabhi
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1495 normal SHIPPED_LIVE Important: Red Hat Gluster Storage 3.1 update 2015-07-29 08:26:26 UTC

Description surabhi 2015-04-28 05:18:15 UTC
Description of problem:

While mounting a volume on linux cifs client or accessing the share via windows client fails when selinux is set to enforcing mode.

mount -t cifs serverip:/gluster-vol2 /mnt/samba/vol2
WARNING: using NFS syntax for mounting CIFS shares is deprecated and will be removed in cifs-utils-6.0. Please migrate to UNC syntax.
Password: 
mount error(5): Input/output error

snippet from avc logs:

type=AVC msg=audit(1430194961.550:7943): avc:  denied  { name_connect } for  pid=25381 comm="smbd" dest=24007 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket


type=AVC msg=audit(1430194961.550:7942): avc:  denied  { name_bind } for  pid=25381 comm="smbd" src=1023 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1430194961.550:7942): arch=c000003e syscall=49 success=no exit=-13 a0=22 a1=7fb5242c3150 a2=10 a3=726f702064657672 items=0 ppid=25113 pid=25381 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1187 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Do samba setup, create a volume , set selinux to enforcing mode
2. mount volume on cifs client or try accesing the share from windows client
3. 

Actual results:

Mount fails with input/output error.
AVC denied messages for smb to connect to port 24007


Expected results:
mount should succeed.no avc denials for connect should be present.


Additional info:

Comment 2 Prasanth 2015-04-28 12:42:08 UTC
Surabhi,

Thanks for sharing your test system. I've gone through the logs and did some basic troubleshooting around this issue and was able to narrow down to the issues given below that caused the mount to fail:

####
SELinux is preventing /usr/sbin/smbd from read access on the file

SELinux is preventing /usr/sbin/smbd from name_connect access on the tcp_socket
####

To unblock you temporarily, I've generated a couple of local policy modules and applied on your system. After activating those policy packages [1] and [2], I was able to successfully mount the volume. See below:

########
[root@dhcp ]# semodule -i mypol2.pp
[root@dhcp ]# mount -t cifs 10.16.159.154:/gluster-vol2 /mnt/samba/vol2
WARNING: using NFS syntax for mounting CIFS shares is deprecated and will be removed in cifs-utils-6.0. Please migrate to UNC syntax.
Password: 
[root@dhcp ]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_dhcp159154-lv_root
                       43G  8.1G   33G  20% /
tmpfs                  16G     0   16G   0% /dev/shm
/dev/vda1             477M   64M  389M  14% /boot
/dev/mapper/RHS_vg1-RHS_lv1
                       98G  560M   97G   1% /rhs/brick1
10.16.159.154:/gluster-vol2
                      389G  3.2G  386G   1% /mnt/samba/vol2
########


Local policy modules:

[1]
-----------
module mypol1 1.0;

require {
        type sysctl_net_t;
        type gluster_port_t;
        type smbd_t;
        class tcp_socket name_connect;
        class dir search;
}

#============= smbd_t ==============
allow smbd_t gluster_port_t:tcp_socket name_connect;
allow smbd_t sysctl_net_t:dir search;
-----------

[2]
-----------
module mypol2 1.0;

require {
        type sysctl_net_t;
        type smbd_t;
        type virt_migration_port_t;
        class tcp_socket name_connect;
        class file read;
}

#============= smbd_t ==============
allow smbd_t sysctl_net_t:file read;
allow smbd_t virt_migration_port_t:tcp_socket name_connect;
-----------

Please try running your rest of your tests in the same system and do let me know if you are able to proceed further or it fails elsewhere.


PS: Please note that these are just temporary local policy modules generated just to unblock your testing and hence please don't consider it as a permanent solution until you hear from the devel and SELinux teams. You should be definitely getting a proper fix for this issue soon from the samba devel or SELinux team.

Thanks,
Prasanth

Comment 3 Milos Malik 2015-04-29 11:26:11 UTC
The local policy modules are OK, but I would like to see the AVCs which contain virt_migration_port_t and sysctl_net_t. Could you attach them?

Comment 4 Miroslav Grepl 2015-05-15 09:04:44 UTC
Also could you create a policy bug for them?

Comment 5 surabhi 2015-05-15 09:12:26 UTC
The AVC logs are as follows:

type=AVC msg=audit(1428576324.441:349): avc:  denied  { name_connect } for  pid=14176 comm="smbd" dest=49152 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:virt_migration_port_t:s0 tclass=tcp_socket


type=AVC msg=audit(1428649951.586:1250): avc:  denied  { search } for  pid=29022 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

Creating policy bug.

Comment 6 surabhi 2015-05-15 09:20:52 UTC
Created attachment 1025720 [details]
AVC's for virt_migration and sysctl_net

Comment 7 Miroslav Grepl 2015-05-15 09:30:12 UTC
(In reply to Miroslav Grepl from comment #4)
> Also could you create a policy bug for them?

I meant this comment.

Comment 8 surabhi 2015-05-15 09:36:11 UTC
Created BZ 1221929. Let me know if you need any other info in the bug.

Comment 9 surabhi 2015-05-25 09:38:49 UTC
As per selinux dev the fix for this is to be done while building rpm for samba for rhgs.
The following boolean is to be set:
set boolean Setsebool -P samba_load_libgfapi 1.

Comment 10 surabhi 2015-06-08 13:18:12 UTC
Install RHEl6.7, Install downstream gluster rpms,
Install latest samba rpms's 
install selinux latest rpms: selinux-policy-3.7.19-271.el6

start a volume , mount it on cifs.
There are no AVC's seen related to smb and mount succeeded.
Marking the BZ to verified.

Comment 11 errata-xmlrpc 2015-07-29 04:42:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html


Note You need to log in before you can comment on or make changes to this bug.