Bug 1240198 - [SELinux]: Issues in setting up Windows Active directory with samba and access of share denied using domain users (RHEL-6.7)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: samba
Version: rhgs-3.1
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: RHGS 3.1.0
Assignee: rhs-smb@redhat.com
QA Contact: surabhi
URL:
Whiteboard: core
Depends On: 1241360
Blocks: 1212796 1216951
 
Reported: 2015-07-06 07:49 UTC by surabhi
Modified: 2015-08-11 09:19 UTC (History)

Fixed In Version: selinux-policy-3.7.19-279.el6_7.4
Doc Type: Known Issue
Doc Text:
As per the bug, the Active Directory integration of Samba and Gluster will fail and you will see AVC denials for the nmbd, winbind and smbd processes. To rectify the problem, use the workaround below.

Step 1:
# cat bz1240198.te
policy_module(bz1240198,1.1)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  type smbd_var_run_t;
  type winbind_t;
  type nmbd_var_run_t;
}

manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
files_pid_filetrans(nmbd_t, nmbd_var_run_t, { sock_file })
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file })
filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file })
manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
allow nmbd_t nmbd_var_run_t:sock_file { create unlink };
allow nmbd_t smbd_var_run_t:file { write read lock create unlink open };
allow nmbd_t smbd_var_run_t:sock_file { create unlink };

Step 2:
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted bz1240198 module
/usr/bin/checkmodule: loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc

Step 3:
# semodule -i bz1240198.pp
Clone Of:
Clones: 1241360 1241361
Environment:
Last Closed: 2015-08-10 07:44:28 UTC
Embargoed:


Attachments (Terms of Use)
AVC's for winbind and nmb (4.33 MB, text/plain)
2015-07-06 07:52 UTC, surabhi

Description surabhi 2015-07-06 07:49:05 UTC
Description of problem:
***************************************
When SELinux is set to enforcing mode, with a Windows Active Directory setup for Samba and Gluster, the domain user fails to access the Samba share because of improper permission/context settings for the winbind and nmbd processes.

The server is able to join domain but not consistently and sometimes it fails to list domain users.

The following AVCs are present in the audit log:

type=AVC msg=audit(07/06/2015 03:01:20.719:20011) : avc:  denied  { lock } for  pid=15334 comm=smbd path=/var/run/samba/smbd.pid dev=dm-0 ino=1574544 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 


type=AVC msg=audit(07/06/2015 03:01:44.798:20016) : avc:  denied  { create } for  pid=15334 comm=smbd name=ncalrpc scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 


type=AVC msg=audit(07/06/2015 03:01:44.798:20016) : avc:  denied  { add_name } for  pid=15334 comm=smbd name=ncalrpc scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 


type=AVC msg=audit(07/06/2015 03:01:44.798:20016) : avc:  denied  { write } for  pid=15334 comm=smbd name=samba dev=dm-0 ino=1574523 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 


type=AVC msg=audit(07/06/2015 03:01:25.131:20012) : avc:  denied  { write open } for  pid=15362 comm=nmbd name=nmbd.pid dev=dm-0 ino=1574567 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 


type=AVC msg=audit(07/06/2015 03:01:25.131:20013) : avc:  denied  { lock } for  pid=15362 comm=nmbd path=/var/run/samba/nmbd.pid dev=dm-0 ino=1574567 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 

type=AVC msg=audit(07/06/2015 03:01:25.147:20014) : avc:  denied  { create } for  pid=15362 comm=nmbd name=nmbd scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 

type=AVC msg=audit(07/06/2015 03:01:25.131:20012) : avc:  denied  { add_name } for  pid=15362 comm=nmbd name=nmbd.pid scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 

type=AVC msg=audit(07/06/2015 03:01:25.131:20012) : avc:  denied  { write } for  pid=15362 comm=nmbd name=samba dev=dm-0 ino=1574523 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir



Version-Release number of selected component (if applicable):
samba-4.1.17-7.el6rhs.x86_64

How reproducible:
Tried once

Steps to Reproduce:
1. Windows Active Directory setup to verify domain join and access of the share by domain users.
2. Set up as per documentation, join the domain.
3. Access the share after logging in as a domain user.

Actual results:
Access to the share fails with the domain user login, and AVCs are seen w.r.t. permissions for the winbind, nmb and smb processes.

Expected results:
*****************************
Access to the share should be successful and there should not be any AVCs.


Additional info:
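
The AVC lines quoted above are the raw material for deciding what a policy fix should look like. The following is an added example, not part of this bug report and not code from the Samba or selinux-policy packages: it parses AVC lines in this audit.log format, groups the denied permissions by source type, target type and object class, prints the blanket allow rules an audit2allow-style tool would propose, and flags the pattern visible in this report, where each daemon is denied access to objects carrying another daemon's _var_run_t type. The sample lines are constructed from those quoted above (with one non-AVC line added as noise); the "foo_t owns foo_var_run_t" naming heuristic in mislabel_hints is an assumption of the example, not a rule of the reference policy.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the AVC lines quoted in this bug report
# (pids, inodes and timestamps copied from them; one non-AVC line added as noise).
SAMPLE_AUDIT = """\
type=AVC msg=audit(07/06/2015 03:01:20.719:20011) : avc:  denied  { lock } for  pid=15334 comm=smbd path=/var/run/samba/smbd.pid dev=dm-0 ino=1574544 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file
type=AVC msg=audit(07/06/2015 03:01:25.131:20012) : avc:  denied  { write open } for  pid=15362 comm=nmbd name=nmbd.pid dev=dm-0 ino=1574567 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file
type=AVC msg=audit(07/06/2015 03:01:25.131:20013) : avc:  denied  { lock } for  pid=15362 comm=nmbd path=/var/run/samba/nmbd.pid dev=dm-0 ino=1574567 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file
type=AVC msg=audit(07/06/2015 03:01:25.147:20014) : avc:  denied  { create } for  pid=15362 comm=nmbd name=nmbd scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(07/06/2015 03:01:25.147:20014) : arch=x86_64 syscall=mkdir success=no exit=EACCES
"""

# "avc:  denied  { perm perm } for  key=value ..." as printed by ausearch -i
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the parts of one AVC denial needed for triage, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        # user:role:type:level -> the type is what policy rules are written against
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path") or fields.get("name"),
    }


def summarize(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def naive_allow_rules(summary):
    """The blanket rules an audit2allow-style tool would propose from the summary.
    Shown to make the point, not to be installed: each one lets a daemon act on
    objects of another daemon's type."""
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in summary.items()
    )


def mislabel_hints(audit_text):
    """Flag denials where the target carries a different daemon's *_var_run_t type.

    Heuristic (an assumption of this example): a domain foo_t owns foo_var_run_t.
    A denial from foo_t on some other bar_var_run_t object usually means the
    object was created with the wrong label, so the fix is a file transition
    (filetrans_pattern) or a relabel, not an allow rule.
    """
    hints = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or not rec["ttype"].endswith("_var_run_t"):
            continue
        base = rec["stype"][:-2] if rec["stype"].endswith("_t") else rec["stype"]
        if rec["ttype"] != base + "_var_run_t":
            hints.append((rec["stype"], rec["ttype"], rec["path"]))
    return hints


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT)
    for key, perms in sorted(summary.items()):
        print("%s -> %s (%s): %s" % (key[0], key[1], key[2], " ".join(sorted(perms))))
    print("\naudit2allow-style rules (do not install as-is):")
    for rule in naive_allow_rules(summary):
        print("  " + rule)
    print("\nlikely mislabelled objects:")
    for stype, ttype, path in mislabel_hints(SAMPLE_AUDIT):
        print("  %s denied on %s labelled %s" % (stype, path, ttype))
```

Run with python3 to see the three grouped denials, the three blanket rules and the four mislabelled objects. The rules nmbd_t and smbd_t would get on winbind_var_run_t would silence the denials but hand each daemon rights over another daemon's runtime files; the module that closed this bug instead adds filetrans_pattern and files_pid_filetrans rules so that nmbd and winbind create their pid files and sockets under their own types, which keeps each domain confined to what it owns.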

Comment 2 surabhi 2015-07-06 07:52:46 UTC
Created attachment 1048690 [details]
AVC's for winbind and nmb

Comment 29 Vivek Agarwal 2015-07-22 14:39:36 UTC
Moving back to modified, the bz was moved to on_qa by the errata tool.

Comment 35 surabhi 2015-07-27 14:38:31 UTC
Step 1:
# cat bz1240198.te
policy_module(bz1240198,1.1)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  type smbd_var_run_t;
  type winbind_t;
  type nmbd_var_run_t;
}

manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
files_pid_filetrans(nmbd_t, nmbd_var_run_t, { sock_file })
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file })
filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file })
manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
allow nmbd_t nmbd_var_run_t:sock_file { create unlink };
allow nmbd_t smbd_var_run_t:file { write read lock create unlink open };
allow nmbd_t smbd_var_run_t:sock_file { create unlink };


Step 2:
# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1240198 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc

Step 3:
# semodule -i bz1240198.pp

Comment 37 surabhi 2015-08-04 12:55:14 UTC
With selinux-policy-3.7.19-279.el6_7.2 and selinux-policy-3.7.19-279.el6_7.3, the Windows AD setup works fine and the domain user is able to log in.
There is only one AVC seen, related to sshd, which is reported in the RHEL selinux-policy BZ https://bugzilla.redhat.com/show_bug.cgi?id=1250066.

All the AVCs are fixed and no issues are seen with the AD setup and domain user login with selinux-policy-targeted-3.7.19-279.el6_7.4.noarch
and selinux-policy-3.7.19-279.el6_7.4.noarch.

Already verified with the above policy.
Moving the BZ to verified.

The Fixed In Version needs to be updated.

