Bug 1224879 - [SELinux] RHEL7:SMB:Update SELinux policies for samba in RHEL7.2
Summary: [SELinux] RHEL7:SMB:Update SELinux policies for samba in RHEL7.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1216941
Blocks: 1212796 1231942 1236980 1241095
 
Reported: 2015-05-26 05:59 UTC by Prasanth
Modified: 2015-11-19 10:35 UTC
CC: 15 users

Fixed In Version: selinux-policy-3.13.1-32.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1216941
Clones: 1231942
Environment:
Last Closed: 2015-11-19 10:35:13 UTC
Target Upstream Version:
Embargoed:


Attachments
- AVC logs (3.59 MB, text/plain), 2015-06-11 08:44 UTC, surabhi
- heart beat related denials? (605 bytes, text/plain), 2015-06-16 15:25 UTC, Raghavendra Talur
- mount related denials (1.04 KB, text/plain), 2015-06-16 15:26 UTC, Raghavendra Talur
- ctdb service related (41.81 KB, text/plain), 2015-06-16 15:27 UTC, Raghavendra Talur
- ctdb service related2 (6.15 KB, text/plain), 2015-06-16 15:28 UTC, Raghavendra Talur
- without samba install (2.65 KB, text/plain), 2015-06-16 15:28 UTC, Raghavendra Talur
- AVC's (2.74 MB, text/plain), 2015-07-15 08:11 UTC, surabhi


Links
- Red Hat Product Errata RHBA-2015:2300 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2015-11-19 09:55:26 UTC

Description Prasanth 2015-05-26 05:59:33 UTC
+++ This bug was initially created as a clone of Bug #1216941 +++

Description of problem:

With SELinux in enforcing mode, when we start the gluster volume, the samba start hook script fails to execute and does not create the share in smb.conf.

If we try to start the smb service without using the hook script, service smb start succeeds.

But if we create a volume and start it, after which the hook scripts are expected to run and create the samba share in smb.conf, it doesn't work and fails with the following errors.

If the same test is run in permissive mode, the hook scripts execute successfully and the share gets created in smb.conf.

The error in the glusterd logs is as follows:

[2015-04-29 06:30:16.070804] E [run.c:190:runner_log] (--> /lib64/libglusterfs.so.0(_gf_log_callingfn+0x186)[0x7f75bdd2c116] (--> /lib64/libglusterfs.so.0(runner_log+0xfc)[0x7f75bdd7919c] (--> /usr/lib64/glusterfs/3.7.0alpha0/xlator/mgmt/glusterd.so(glusterd_hooks_run_hooks+0x47a)[0x7f75b2c2a1ba] (--> /usr/lib64/glusterfs/3.7.0alpha0/xlator/mgmt/glusterd.so(+0xd0772)[0x7f75b2c2a772] (--> /lib64/libpthread.so.0(+0x7df5)[0x7f75bce9bdf5] ))))) 0-management: Failed to execute script: /var/lib/glusterd/hooks/1/start/post/S30samba-start.sh --volname=vol1 --first=yes --version=1 --volume-op=start --gd-workdir=/var/lib/glusterd


the AVC denials are as follows:
type=AVC msg=audit(1430289182.264:582): avc:  denied  { getattr } for  pid=29427 comm="glusterd" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file


type=AVC msg=audit(1430289157.013:580): avc:  denied  { execute } for  pid=29632 comm="glusterd" name="S30samba-start.sh" dev="dm-0" ino=488775 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file

type=AVC msg=audit(1430289156.998:579): avc:  denied  { execute } for  pid=29626 comm="glusterd" name="S29CTDBsetup.sh" dev="dm-0" ino=488774 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file

type=AVC msg=audit(1430289143.445:573): avc:  denied  { execute } for  pid=29576 comm="glusterd" name="S30samba-stop.sh" dev="dm-0" ino=135416758 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file



Version-Release number of selected component (if applicable):
samba-4.1.17-5.el7.centos.x86_64
glusterfs-3.7.0alpha0-0.17.gited96153.el7.centos.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL 7.1, install the RHS samba rpms and the gluster bits
2. Create a gluster volume
3. Start the volume
4. Check if the share is created in smb.conf

Actual results:
The hook script fails to execute and the samba share is not created in smb.conf.


Expected results:
samba share should get created in smb.conf after a volume start.


Additional info:

Looks like execution of the hook script and editing of smb.conf are prevented by SELinux. We need to resolve this.

--- Additional comment from RHEL Product and Program Management on 2015-05-12 13:53:53 EDT ---

This request has been proposed as a blocker, but a release flag has
not been requested. Please set a release flag to ? to ensure we may
track this bug against the appropriate upcoming release, and reset
the blocker flag to ?.

Comment 2 Miroslav Grepl 2015-06-10 14:34:34 UTC
$ matchpathcon /var/lib/glusterd/hooks/*/*.sh
/var/lib/glusterd/hooks/*/*.sh	system_u:object_r:bin_t:s0

Comment 5 surabhi 2015-06-11 08:44:58 UTC
Created attachment 1037555 [details]
AVC logs

Comment 6 Miroslav Grepl 2015-06-15 16:00:41 UTC
I believe we have fixed most of these issues.

How does it look with the latest el7 policy?

Comment 8 Raghavendra Talur 2015-06-16 15:25:27 UTC
Created attachment 1039536 [details]
heart beat related denials?

Comment 9 Raghavendra Talur 2015-06-16 15:26:33 UTC
Created attachment 1039537 [details]
mount related denials

Comment 10 Raghavendra Talur 2015-06-16 15:27:11 UTC
Created attachment 1039538 [details]
ctdb service related

Comment 11 Raghavendra Talur 2015-06-16 15:28:04 UTC
Created attachment 1039539 [details]
ctdb service related2

Comment 12 Raghavendra Talur 2015-06-16 15:28:53 UTC
Created attachment 1039540 [details]
without samba install

Comment 13 Miroslav Grepl 2015-06-16 15:30:06 UTC
You should run

setsebool -P use_fusefs_home_dirs 1

to allow some of them.

Comment 14 Raghavendra Talur 2015-06-16 15:34:36 UTC
I found 4 issues on performing the tests with the following selinux packages installed.

libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-28.el7.noarch
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-28.el7.noarch


Issues are:

1. Denials on starting ctdb service. see attachments audit.log.CtdbDenials and audit.log.CtdbDenialsAfterPermissive

2. Denials on performing a smb mount. see attachment audit.log.SmbdDenialOnCifsMount

3. Denials on ctdb probably because of ctdb heartbeats. see attachment audit.log.CtdbDenialForGetattr

4. One issue which may be just because I did not install Samba and tried to start the ctdb service. I did not see these denials ever after installing Samba. Probably can be ignored.
See attachment audit.log.HookScriptDenialsBeforeSambaInstall.

Does this mean we will need one more update of the policy?

Comment 15 Miroslav Grepl 2015-06-17 09:19:40 UTC
I added net_admin for smbd_t. 

But you will need to run

setsebool -P use_fusefs_home_dirs 1

to allow the use of FUSE.

Comment 16 Raghavendra Talur 2015-06-18 08:49:13 UTC
Miroslav,

Is use_fusefs_home_dirs required just for ctdb to be able to use FUSE or even for user mounts?


Is there any way we can automate it? Otherwise it would mean one more step in the admin guide while setting up ctdb.

Comment 17 Miroslav Grepl 2015-06-19 07:12:09 UTC
Yes, it should be turned on by default by Gluster.

setsebool -P use_fusefs_home_dirs 1

Comment 18 surabhi 2015-06-25 11:22:23 UTC
I see the following AVC's on ctdb setup.

type=AVC msg=audit(06/25/2015 06:19:22.207:22288) : avc:  denied  { signull } for  pid=15386 comm=ctdbd scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process 
----

type=AVC msg=audit(06/25/2015 06:19:32.566:22290) : avc:  denied  { read } for  pid=16754 comm=iptables path=/var/lib/ctdb/iptables-ctdb.flock dev="dm-0" ino=67681652 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file

Comment 19 Lukas Vrabec 2015-06-30 14:35:34 UTC
commit 2bbd5489d69d888a1c05e082e756543c1f0b3c08
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jun 30 14:54:15 2015 +0200

    Dontaudit ctdbd_t sending signull to smbd_t.


commit 5cc206f8481d2a4b4ba7d267c3e0bf0f8203eaf8
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jun 30 13:19:15 2015 +0200

    Allow iptables to read ctdbd lib files.

Comment 20 surabhi 2015-07-03 06:40:16 UTC
The AVC's mentioned in #C18 are resolved with the build
selinux-policy-3.13.1-30.el7; I see only the following AVC:

type=AVC msg=audit(07/03/2015 01:30:25.839:154) : avc:  denied  { block_suspend } for  pid=31332 comm=smbd capability=block_suspend  scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability2 

We need to add this as well.
All other issues and AVC's are resolved.

Comment 26 Lukas Vrabec 2015-07-09 11:29:04 UTC
commit 6bb5d0038eb282cadcac82e71d3c0304d43c7b44
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 9 13:24:07 2015 +0200

    Allow ctdbd to send signull to the winbind and samba_unconfined_net processes,
    to check if the processes exist.

commit 687a1df2816c9fcc5af7f301749c8014df0815eb
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 9 13:22:48 2015 +0200

    Dontaudit smbd_t block_suspend capability. This is a kernel bug.

commit 763e30c40a7e03a46dfac511dcdde1de3e9232c6
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 9 13:16:21 2015 +0200

    Add interfaces winbind_signull(), samba_unconfined_net_signull().
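
A worked triage of the denials quoted in this bug, added here as an example; it is not code from the bug reporters, from Gluster, or from the selinux-policy project. It parses both AVC record formats that appear above (raw audit.log with epoch timestamps, and the ausearch -i style with human-readable dates), then sorts each denial the way the thread itself does: comment 2 shows the hook scripts should be bin_t per file_contexts while the AVCs show glusterd_var_lib_t, so those are labelling problems for restorecon rather than new rules; comments 13 to 17 cover FUSE access with the use_fusefs_home_dirs boolean; everything else becomes a candidate allow rule in .te syntax for review. Assumptions beyond the records copied from the bug: the S<NN>name.sh basename pattern standing in for the matchpathcon path (AVC records carry only the basename), the BOOLEAN_HINTS table, the constructed fusefs_t record at the end of SAMPLE, and the module name local_samba_gluster.

```python
"""Triage SELinux AVC denials into: relabel, boolean, or new policy rule."""
import re
from collections import defaultdict

# Matches the raw audit.log form ('avc:  denied  { execute } for  pid=...') and
# the `ausearch -i` form used later in the thread (unquoted comm=ctdbd).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption, from comment 2's matchpathcon output: glusterd hook scripts should
# be bin_t. AVCs carry only the basename, so key on the S<NN>name.sh pattern.
EXPECTED_TYPE = [(re.compile(r"^S\d+.*\.sh$"), "bin_t")]

# Assumption, from comments 13/15: fusefs_t access is enabled by a boolean, not a rule.
BOOLEAN_HINTS = {
    ("smbd_t", "fusefs_t"): "use_fusefs_home_dirs",
    ("ctdbd_t", "fusefs_t"): "use_fusefs_home_dirs",
}
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file"}

def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in kv for k in ("scontext", "tcontext", "tclass")):
        return None
    # 'system_u:object_r:bin_t:s0' -> 'bin_t'; index 2 also survives MLS ranges.
    return {
        "perms": m.group("perms").split(),
        "stype": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        "name": kv.get("name") or kv.get("path", "").rsplit("/", 1)[-1],
    }

def classify(d):
    """Labelling problem (fix with restorecon), existing boolean, or real policy gap."""
    if d["tclass"] in FILE_CLASSES:
        for pattern, wanted in EXPECTED_TYPE:
            if pattern.match(d["name"]) and d["ttype"] != wanted:
                return "relabel", wanted
    boolean = BOOLEAN_HINTS.get((d["stype"], d["ttype"]))
    if boolean:
        return "boolean", boolean
    return "policy", None

def triage(lines):
    """Bucket every AVC in `lines`; policy gaps are merged per (source, target, class)."""
    out = {"relabel": [], "boolean": set(), "policy": defaultdict(set)}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        kind, detail = classify(d)
        if kind == "relabel":
            out["relabel"].append((d["name"], d["ttype"], detail))
        elif kind == "boolean":
            out["boolean"].add(detail)
        else:
            out["policy"][(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return out

def to_te(policy, module="local_samba_gluster"):
    """Render the policy bucket as a .te module, the shape `audit2allow -M` produces."""
    types = sorted({t for key in policy for t in key[:2]})
    classes = defaultdict(set)
    for (_s, _t, c), perms in policy.items():
        classes[c].update(perms)
    lines = [f"module {module} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(classes[c]))} }};" for c in sorted(classes)]
    lines += ["}", ""]
    for (s, t, c), perms in sorted(policy.items()):
        target = "self" if s == t else t  # audit2allow writes self for same-domain denials
        lines.append(f"allow {s} {target}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

# Records quoted in the bug (description, comments 18 and 20) plus one
# constructed fusefs_t denial (last entry) to exercise the boolean path.
SAMPLE = [
    'type=AVC msg=audit(1430289182.264:582): avc:  denied  { getattr } for  pid=29427 comm="glusterd" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1430289157.013:580): avc:  denied  { execute } for  pid=29632 comm="glusterd" name="S30samba-start.sh" dev="dm-0" ino=488775 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1430289156.998:579): avc:  denied  { execute } for  pid=29626 comm="glusterd" name="S29CTDBsetup.sh" dev="dm-0" ino=488774 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(06/25/2015 06:19:22.207:22288) : avc:  denied  { signull } for  pid=15386 comm=ctdbd scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process ',
    'type=AVC msg=audit(06/25/2015 06:19:32.566:22290) : avc:  denied  { read } for  pid=16754 comm=iptables path=/var/lib/ctdb/iptables-ctdb.flock dev="dm-0" ino=67681652 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(07/03/2015 01:30:25.839:154) : avc:  denied  { block_suspend } for  pid=31332 comm=smbd capability=block_suspend  scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability2 ',
    # constructed for this example, not taken from the bug:
    'type=AVC msg=audit(1435000000.000:1): avc:  denied  { search } for  pid=4242 comm="smbd" name="vol1" dev="fuse" ino=1 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir',
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for name, have, want in result["relabel"]:
        print(f"relabel: {name} is {have}, file_contexts says {want} -> restorecon -Rv /var/lib/glusterd/hooks")
    for boolean in sorted(result["boolean"]):
        print(f"boolean: setsebool -P {boolean} 1")
    print(to_te(result["policy"]))
```

The generated module is a review artefact, not something to load as-is: comment 19 handled the ctdbd_t to smbd_t signull with a dontaudit, and comment 26 did the same for the smbd_t block_suspend denial because it was a kernel bug, so each candidate rule still needs a judgement about whether the access is legitimate before it goes into policy.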

Comment 27 surabhi 2015-07-15 07:32:09 UTC
With SELinux policy build :

selinux-policy-targeted-3.13.1-32.el7.noarch
selinux-policy-3.13.1-32.el7.noarch

I am seeing the following AVC's, which were not seen in the earlier build.
Worked with Milos on the same and found that the rule
allow ctdbd_t systemd_systemctl_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;
is present in the .31.el7 build but is missing from the .32.el7 build.

Comment 29 Lukas Vrabec 2015-07-15 08:05:06 UTC
Could you attach AVCs?

Comment 30 surabhi 2015-07-15 08:11:02 UTC
Created attachment 1052256 [details]
AVC's

Comment 31 surabhi 2015-07-15 09:01:16 UTC
Also verified that after downgrading to .31.el7, the ctdb nodes come to the OK state and no AVC's are seen.

Comment 33 Lukas Vrabec 2015-07-15 12:42:53 UTC
commit ce652d6c62c6d38d1dab05b862cecc863075d28c
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jul 15 14:01:16 2015 +0200

    Allow ctdbd_t send signull to samba_unconfined_net_t.

commit 4aea5f1b161c8e711f593cf123de3b155ba71229
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jul 15 14:00:39 2015 +0200

    Add samba_signull_unconfined_net()

commit 645b04ea4006f4f25f606662cdf9b526df7226e5
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jul 15 13:44:41 2015 +0200

    Add samba_signull_winbind()

Comment 34 surabhi 2015-07-16 05:13:23 UTC
With the build selinux-policy-3.13.1-33.el7.noarch
selinux-policy-targeted-3.13.1-33.el7.noarch

there is no AVC seen and all ctdb nodes come to the OK state after rebooting multiple nodes.

Need 7.1.z build for this bug.

Comment 38 errata-xmlrpc 2015-11-19 10:35:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

