Bug 1221929 - [SELinux] Update SELinux policies for samba (connect and read access) in RHEL6.6
Summary: [SELinux] Update SELinux policies for samba (connect and read access) in RHEL6.6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1212796 1215885
 
Reported: 2015-05-15 09:33 UTC by surabhi
Modified: 2015-07-22 07:14 UTC
CC: 13 users

Fixed In Version: selinux-policy-3.7.19-268.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-22 07:14:15 UTC
Target Upstream Version:


Attachments
.pp and .te file (684 bytes, application/x-gzip) - 2015-05-18 10:20 UTC, surabhi
AVC's for samba (35.73 KB, text/plain) - 2015-05-18 12:26 UTC, surabhi
all denials caught in enforcing mode on the test machine (26.82 KB, text/plain) - 2015-05-18 13:32 UTC, Milos Malik
first we tested in enforcing mode and here are the AVCs (154.78 KB, text/plain) - 2015-05-20 12:06 UTC, Milos Malik
then we tested in permissive mode and here are the AVCs (6.58 KB, text/plain) - 2015-05-20 12:07 UTC, Milos Malik
latest AVC's for smbd (485.70 KB, text/plain) - 2015-05-22 11:44 UTC, surabhi


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1375 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2015-07-20 18:07:47 UTC

Description surabhi 2015-05-15 09:33:35 UTC
Description of problem:

RHS is a layered product on top of RHEL that provides more advanced versions of Samba and CTDB (4.1.14 and 2.5.4, respectively, in the latest release). The SELinux policies should be extended to cover the needs of these versions (in addition to the current RHEL6.6 versions).

On RHEL6.6, the mount of the gluster volume fails on the cifs client because of the following:

SELinux is preventing /usr/sbin/smbd from read access on the file

SELinux is preventing /usr/sbin/smbd from name_connect access on the tcp_socket

The AVCs are as follows:

type=AVC msg=audit(1430194961.550:7943): avc:  denied  { name_connect } for  pid=25381 comm="smbd" dest=24007 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1430194961.550:7942): avc:  denied  { name_bind } for  pid=25381 comm="smbd" src=1023 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1428576324.441:349): avc:  denied  { name_connect } for  pid=14176 comm="smbd" dest=49152 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:virt_migration_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1428649951.586:1250): avc:  denied  { search } for  pid=29022 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

Comment 2 surabhi 2015-05-18 10:20:06 UTC
Created attachment 1026645 [details]
.pp and .te file

Comment 3 surabhi 2015-05-18 12:26:50 UTC
Created attachment 1026677 [details]
AVC's for samba

Comment 4 Miroslav Grepl 2015-05-18 12:59:02 UTC
Any idea why

type=AVC msg=audit(1431930685.533:100): avc:  denied  { name_bind } for  pid=6458 comm="smbd" src=1023 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

is needed. 

Did you change it?

Comment 5 Milos Malik 2015-05-18 13:26:03 UTC
# find /var/lib/glusterd/ -type f -name \*.sh | xargs chcon -t bin_t
#

The above-mentioned command and the following policy module solved the majority of AVCs:

# cat mypolicy.te 

module mypolicy 1.0;

require {
	type gluster_port_t;
	type glusterd_t;
	type hi_reserved_port_t;
	type smbd_t;
	type sysctl_net_t;
	type glusterd_conf_t;
	type virt_migration_port_t;
	class process signal;
	class dir search;
	class tcp_socket { name_bind name_connect };
	class file { getattr open read };
}

allow glusterd_t smbd_t:process signal;
allow smbd_t gluster_port_t:tcp_socket name_connect;
allow smbd_t glusterd_conf_t:dir search;
allow smbd_t hi_reserved_port_t:tcp_socket name_bind;
allow smbd_t sysctl_net_t:dir search;
allow smbd_t sysctl_net_t:file { getattr open read };
allow smbd_t virt_migration_port_t:tcp_socket name_connect;

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted mypolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypolicy.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mypolicy.mod
Creating targeted mypolicy.pp policy package
rm tmp/mypolicy.mod.fc tmp/mypolicy.mod
# semodule -i mypolicy.pp
#

Comment 6 surabhi 2015-05-18 13:28:31 UTC
smbd always uses port 445.

However, smbd loads libgfapi from gluster. This library picks up any free
port, starting from the lowest port to the highest (mostly 1 - 65535). This is not
a default port number; it could very well be 980 or 5000.

Comment 7 Milos Malik 2015-05-18 13:32:16 UTC
Created attachment 1026709 [details]
all denials caught in enforcing mode on the test machine

Comment 8 Miroslav Grepl 2015-05-19 10:57:37 UTC
commit a30bb467a268e913e44c43a20d486a9e6ebba126
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue May 19 12:50:03 2015 +0200

    Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default.

Comment 9 Raghavendra Talur 2015-05-19 11:50:24 UTC
Regarding,
 Allow smbd to read gluster config files by default:

Did you mean otherwise? Allow gluster to read smb config files by default?
Because it is gluster scripts which edit smb.conf.


Regarding,
new boolean samba_load_libgfapi, I did not understand that. What does it do?

Comment 10 Miroslav Grepl 2015-05-19 13:25:35 UTC
Could you please test it with

https://brewweb.devel.redhat.com/taskinfo?taskID=9198180

Comment 11 Miroslav Grepl 2015-05-19 13:28:12 UTC
(In reply to Raghavendra Talur from comment #9)
> Regarding,
>  Allow smbd to read gluster config files by default:
> 
> Did you mean otherwise? Allow gluster to read smb config files by default?
> Because it is gluster scripts which edit smb.conf.

Well I don't see AVCs related to write access to smb.conf. Could you please re-test it with given rpms?

> 
> 
> Regarding,
> new boolean samba_load_libgfapi, I did not understand that. What does it do?

We don't want to allow smbd_t to connect/bind to all ports. You need to turn samba_load_libgfapi boolean on to allow it.

Comment 12 Raghavendra Talur 2015-05-19 14:35:15 UTC
(In reply to Miroslav Grepl from comment #11)
> (In reply to Raghavendra Talur from comment #9)
> > Regarding,
> >  Allow smbd to read gluster config files by default:
> > 
> > Did you mean otherwise? Allow gluster to read smb config files by default?
> > Because it is gluster scripts which edit smb.conf.
> 
> Well I don't see AVCs related to write access to smb.conf. Could you please
> re-test it with given rpms?

We will test and get back to you.

> 
> > 
> > 
> > Regarding,
> > new boolean samba_load_libgfapi, I did not understand that. What does it do?
> 
> We don't want to allow smbd_t to connect/bind to all ports. You need to turn
> samba_load_libgfapi boolean on to allow it.

This makes sense.

Thanks!

Comment 13 Miroslav Grepl 2015-05-20 09:24:38 UTC
Please use the following builds from

https://brewweb.devel.redhat.com/taskinfo?taskID=9210928

Comment 14 Milos Malik 2015-05-20 11:32:06 UTC
Some AVCs appeared during the testing with the -268.el6 policy. To get rid of them, the following changes were done:

1) via semanage and restorecon
/var/run/ctdb(/.*)?                                all files          system_u:object_r:ctdbd_var_run_t:s0 

2) via semodule
# cat mypolicy2.te 

module mypolicy2 1.0;

require {
	type samba_net_t;
	type ctdbd_var_run_t;
	type ctdbd_var_lib_t;
	type iptables_t;
	type smbd_t;
	class sock_file { write getattr };
	class file read;
}

allow iptables_t ctdbd_var_lib_t:file read;
allow samba_net_t ctdbd_var_run_t:sock_file { write getattr };
allow smbd_t ctdbd_var_run_t:sock_file write;
#

Comment 15 surabhi 2015-05-20 11:34:43 UTC
Tried the build provided in comment #13.
The issues related to smb service start, mount of the gluster volume and the hooks script are not seen with the fix.

Saw the following issues related to ctdb:
type=AVC msg=audit(05/20/2015 10:43:01.894:2553) : avc:  denied  { write } for  pid=18849 comm=net name=ctdbd.socket dev=dm-0 ino=784872 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file 

type=AVC msg=audit(05/20/2015 10:46:48.983:2584) : avc:  denied  { read } for  pid=23139 comm=iptables path=/var/lib/ctdb/iptables-ctdb.flock dev=dm-0 ino=784906 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file 


Worked with Milos and he provided a temporary fix, so I was able to continue testing from there.

Comment 16 Miroslav Grepl 2015-05-20 11:37:46 UTC
Any chance to run it also in permissive mode?

Comment 17 surabhi 2015-05-20 11:57:37 UTC
While running in permissive mode, stopping the ctdb/smb service throws the following AVC:

type=AVC msg=audit(05/20/2015 11:50:35.957:2659) : avc:  denied  { getattr } for  pid=23451 comm=net path=/var/lib/ctdb/serverid.tdb.0 dev=dm-0 ino=784904 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file

Comment 18 Milos Malik 2015-05-20 12:03:54 UTC
Some AVCs appeared in permissive mode. The following rules were suggested by audit2allow:

allow samba_net_t ctdbd_t:unix_stream_socket connectto;
allow samba_net_t ctdbd_var_lib_t:file { write getattr setattr read lock open };
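Added example, not code from this bug or from the selinux-policy project: a small audit2allow-style parser run over denial lines quoted in this bug (comments 0, 15 and 24), producing a module in the same shape as mypolicy.te and mypolicy2.te above. It also flags denials whose target is a generic label such as var_run_t, where the right fix was the relabel of /var/run/ctdb from comment 14 rather than an allow rule; the GENERIC_TYPES list is my assumption.

```python
import re
from collections import defaultdict

# Constructed sample: five denial lines copied from this bug's comments.
SAMPLE_AVCS = """
type=AVC msg=audit(1430194961.550:7943): avc:  denied  { name_connect } for  pid=25381 comm="smbd" dest=24007 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1428649951.586:1250): avc:  denied  { search } for  pid=29022 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(05/20/2015 10:43:01.894:2553) : avc:  denied  { write } for  pid=18849 comm=net name=ctdbd.socket dev=dm-0 ino=784872 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(05/26/2015 10:36:21.656:740) : avc:  denied  { open } for  pid=26651 comm=smbd name=secrets.tdb.0 dev=dm-0 ino=532359 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file
type=AVC msg=audit(05/26/2015 10:36:21.656:741) : avc:  denied  { lock } for  pid=26651 comm=smbd path=/var/lib/ctdb/persistent/secrets.tdb.0 dev=dm-0 ino=532359 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file
"""
# Pull the permission set, source type, target type and object class out of one AVC record.
AVC_RE = re.compile(
    r"denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)")

# Assumed list of generic labels: a denial against these usually means a mislabeled file
# (compare the /var/run/ctdb relabel in comment 14), not a rule that should be allowed.
GENERIC_TYPES = {"var_run_t", "var_lib_t", "var_t", "etc_t", "tmp_t"}

def parse_avcs(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def needs_relabel(rules):
    """Keys whose target is a generic type; fix the label instead of writing an allow rule."""
    return sorted(k for k in rules if k[1] in GENERIC_TYPES)

def fmt_perms(perms):
    return " ".join(sorted(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"

def render_module(name, rules):
    """Emit a .te module in the same shape as mypolicy.te, skipping relabel cases."""
    keep = {k: v for k, v in rules.items() if k not in set(needs_relabel(rules))}
    classes = defaultdict(set)
    for (_, _, tclass), perms in keep.items():
        classes[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({t for k in keep for t in k[:2]})]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(keep.items())]
    return "\n".join(out)
```

The output of render_module is what would go into a .te file for checkmodule and semodule as in comment 5, while the keys returned by needs_relabel point at paths to fix with semanage fcontext and restorecon instead.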

Comment 19 Milos Malik 2015-05-20 12:06:32 UTC
Created attachment 1027682 [details]
first we tested in enforcing mode and here are the AVCs

Comment 20 Milos Malik 2015-05-20 12:07:42 UTC
Created attachment 1027683 [details]
then we tested in permissive mode and here are the AVCs

Comment 22 Jose A. Rivera 2015-05-20 16:13:15 UTC
Just hopping in to say LGTM! :) The rules look sane and correct.

Comment 23 surabhi 2015-05-22 11:44:53 UTC
Created attachment 1028708 [details]
latest AVC's for smbd

Comment 24 surabhi 2015-05-26 10:44:01 UTC
Tried with build https://brewweb.devel.redhat.com/buildinfo?buildID=436995:

Still see the following AVCs:

type=AVC msg=audit(05/26/2015 02:52:04.043:139) : avc:  denied  { write } for  pid=8522 comm=net name=ctdbd.socket dev=dm-0 ino=654184 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file 

type=AVC msg=audit(05/26/2015 02:52:04.045:140) : avc:  denied  { getattr } for  pid=8522 comm=net path=/var/run/ctdb/ctdbd.socket dev=dm-0 ino=654184 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file 

type=AVC msg=audit(05/26/2015 10:36:21.655:739) : avc:  denied  { search } for  pid=26651 comm=smbd name=ctdb dev=dm-0 ino=261321 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=dir 

type=AVC msg=audit(05/26/2015 10:36:21.656:740) : avc:  denied  { open } for  pid=26651 comm=smbd name=secrets.tdb.0 dev=dm-0 ino=532359 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file 

type=AVC msg=audit(05/26/2015 10:36:21.656:741) : avc:  denied  { lock } for  pid=26651 comm=smbd path=/var/lib/ctdb/persistent/secrets.tdb.0 dev=dm-0 ino=532359 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file 

type=AVC msg=audit(05/26/2015 10:36:21.656:742) : avc:  denied  { getattr } for  pid=26651 comm=smbd path=/var/lib/ctdb/persistent/secrets.tdb.0 dev=dm-0 ino=532359 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_lib_t:s0 tclass=file

Comment 25 surabhi 2015-05-28 07:56:33 UTC
With the latest build provided by selinux:

still seeing the following AVCs:

type=AVC msg=audit(05/27/2015 12:14:28.880:2282) : avc:  denied  { write } for  pid=5851 comm=smbd name=ctdbd.socket dev=dm-0 ino=532335 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file 
type=AVC msg=audit(05/27/2015 12:14:28.880:2282) : avc:  denied  { search } for  pid=5851 comm=smbd name=ctdb dev=dm-0 ino=532320 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:ctdbd_var_run_t:s0 tclass=dir

Comment 27 surabhi 2015-05-28 10:41:48 UTC
With the latest build provided today by Miroslav:
https://brewweb.devel.redhat.com/buildinfo?buildID=437561

None of the AVCs are seen for gluster-samba.
Verified with both enforcing mode and permissive mode.

This has been verified on RHEL6.7. A backport for RHEL6.6 is needed, and a fix is required for RHEL7.1 as well.

Comment 29 errata-xmlrpc 2015-07-22 07:14:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html

