Bug 1241361 - [SELinux]: Issues in setting up Windows Active directory with samba and access of share denied using domain users (RHEL-7)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1202842 1212796
Reported: 2015-07-09 06:32 UTC by Prasanth
Modified: 2015-10-26 11:44 UTC (History)

Fixed In Version: selinux-policy-3.13.1-34.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1240198
Environment:
Last Closed: 2015-07-21 07:01:11 UTC
Target Upstream Version:
Embargoed:

Description Prasanth 2015-07-09 06:32:27 UTC
+++ This bug was initially created as a clone of Bug #1240198 +++

Description of problem:
***************************************
When SELinux is set to enforcing mode, with Windows Active Directory set up for samba and gluster, the domain user fails to access the samba share because of improper permission/context settings for the winbind and nmbd processes.

The server is able to join domain but not consistently and sometimes it fails to list domain users.

Following AVC's are present in audit log:

type=AVC msg=audit(07/06/2015 03:01:20.719:20011) : avc:  denied  { lock } for  pid=15334 comm=smbd path=/var/run/samba/smbd.pid dev=dm-0 ino=1574544 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 


type=AVC msg=audit(07/06/2015 03:01:44.798:20016) : avc:  denied  { create } for  pid=15334 comm=smbd name=ncalrpc scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 


type=AVC msg=audit(07/06/2015 03:01:44.798:20016) : avc:  denied  { add_name } for  pid=15334 comm=smbd name=ncalrpc scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 


type=AVC msg=audit(07/06/2015 03:01:44.798:20016) : avc:  denied  { write } for  pid=15334 comm=smbd name=samba dev=dm-0 ino=1574523 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 


type=AVC msg=audit(07/06/2015 03:01:25.131:20012) : avc:  denied  { write open } for  pid=15362 comm=nmbd name=nmbd.pid dev=dm-0 ino=1574567 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 


type=AVC msg=audit(07/06/2015 03:01:25.131:20013) : avc:  denied  { lock } for  pid=15362 comm=nmbd path=/var/run/samba/nmbd.pid dev=dm-0 ino=1574567 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 

type=AVC msg=audit(07/06/2015 03:01:25.147:20014) : avc:  denied  { create } for  pid=15362 comm=nmbd name=nmbd scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 

type=AVC msg=audit(07/06/2015 03:01:25.131:20012) : avc:  denied  { add_name } for  pid=15362 comm=nmbd name=nmbd.pid scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir 

type=AVC msg=audit(07/06/2015 03:01:25.131:20012) : avc:  denied  { write } for  pid=15362 comm=nmbd name=samba dev=dm-0 ino=1574523 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir



Version-Release number of selected component (if applicable):
samba-4.1.17-7.el6rhs.x86_64

How reproducible:
Tried once

Steps to Reproduce:
1. Windows Active Directory setup to verify domain join and access of share to domain users.
2. Set up as per documentation, join domain
3. Access the share by logging in as domain user

Actual results:
The access to the share fails with the domain user login and AVC's are seen w.r.t. permissions for the winbind, nmb and smb processes.

Expected results:
*****************************
Access of share should be successful and there should not be any AVC's.


Additional info:

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-07-06 03:49:07 EDT ---

This bug is automatically being proposed for Red Hat Gluster Storage 3.1.0 by setting the release flag 'rhgs-3.1.0' to '?'.

If this bug should be proposed for a different release, please manually change the proposed release flag.

--- Additional comment from surabhi on 2015-07-06 03:52:46 EDT ---



--- Additional comment from RHEL Product and Program Management on 2015-07-06 08:21:12 EDT ---

This bug report previously had all acks and release flag approved.
However since at least one of its acks has been changed, the
release flag has been reset to ? by the bugbot (pm-rhel).  The
ack needs to become approved before the release flag can become
approved again.

--- Additional comment from Rejy M Cyriac on 2015-07-06 10:37:48 EDT ---

Accepted as Blocker as per decision at RHGS 3.1 Blocker BZ Status Check meeting on 06 July 2015

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-07-06 10:40:23 EDT ---

Since this bug has been approved for the Red Hat Gluster Storage 3.1.0 release, through release flag 'rhgs-3.1.0+', the Target Release is being automatically set to 'RHGS 3.1.0'

--- Additional comment from Milos Malik on 2015-07-07 05:51:48 EDT ---

Non-beaker task form of local policy follows:

# cat bz1240198.te
policy_module(bz1240198,1.0)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  class dir { write create add_name };
  class file { write lock create open };
  class sock_file { create };
}

allow nmbd_t winbind_var_run_t:dir { write create add_name };
allow nmbd_t winbind_var_run_t:file { write lock create open };
allow nmbd_t winbind_var_run_t:sock_file { create };
allow smbd_t winbind_var_run_t:dir { write create add_name };
allow smbd_t winbind_var_run_t:file { write lock create open };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1240198 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
# semodule -i bz1240198.pp
#

--- Additional comment from Milos Malik on 2015-07-07 05:55:28 EDT ---

Here is the beaker task form of local policy:

--task "! echo -en 'policy_module(bz1240198,1.0)\n\nrequire {\n  type nmbd_t;\n  type smbd_t;\n  type winbind_var_run_t;\n  class dir { write create add_name };\n  class file { write lock create open };\n  class sock_file { create };\n}\n\nallow nmbd_t winbind_var_run_t:dir { write create add_name };\nallow nmbd_t winbind_var_run_t:file { write lock create open };\nallow nmbd_t winbind_var_run_t:sock_file { create };\nallow smbd_t winbind_var_run_t:dir { write create add_name };\nallow smbd_t winbind_var_run_t:file { write lock create open };\n\n' > bz1240198.te ; make -f /usr/share/selinux/devel/Makefile ; semodule -i bz1240198.pp ; semodule -l bz1240198"

--- Additional comment from Prasanth on 2015-07-08 02:35:13 EDT ---

Surabhi, please try the fix provided by Milos in Comment 7 and confirm if that works.

--- Additional comment from surabhi on 2015-07-08 09:41:56 EDT ---

After trying the fix provided in #C6, I just see the following AVC:

type=AVC msg=audit(07/08/2015 13:27:39.024:43343) : avc:  denied  { read } for  pid=2465 comm=smbd name=smbd.pid dev=dm-0 ino=1574544 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file

--- Additional comment from Milos Malik on 2015-07-08 09:54:44 EDT ---

Non-beaker task form of local policy follows:

# cat bz1240198.te
policy_module(bz1240198,1.0)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  class dir { write create add_name };
  class file { write lock create getattr open read };
  class sock_file { create };
}

allow nmbd_t winbind_var_run_t:dir { write create add_name };
allow nmbd_t winbind_var_run_t:file { write lock create getattr open read };
allow nmbd_t winbind_var_run_t:sock_file { create };
allow smbd_t winbind_var_run_t:dir { write create add_name };
allow smbd_t winbind_var_run_t:file { write lock create getattr open read };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1240198 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
# semodule -i bz1240198.pp
#

--- Additional comment from Milos Malik on 2015-07-08 10:02:08 EDT ---

Non-beaker task form of local policy follows:

# cat bz1240198.te
policy_module(bz1240198,1.0)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  class dir { read write create add_name remove_name };
  class file { write lock create getattr open read };
  class sock_file { create };
}

allow nmbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow nmbd_t winbind_var_run_t:file { write lock create getattr open read };
allow nmbd_t winbind_var_run_t:sock_file { create };
allow smbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow smbd_t winbind_var_run_t:file { write lock create getattr open read };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1240198 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
# semodule -i bz1240198.pp
#

--- Additional comment from surabhi on 2015-07-08 10:11:44 EDT ---

After applying all above fixes, on restart of any of the services (winbind, nmb or smbd) I see more AVC's.

I checked in rhel7 and found no issues because it has the following set.

I would request to backport these fixes to RHEL6.7.z so that we cover all cases related to samba, winbind and nmb.


sesearch -s nmbd_t -t winbind_var_run_t -c dir -p add_name --allow -C
Found 1 semantic av rules:
DT allow nmbd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ samba_export_all_rw ]



sesearch -s smbd_t -t winbind_var_run_t -c dir -p add_name --allow -C
Found 1 semantic av rules:
DT allow smbd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ samba_export_all_rw ]

--- Additional comment from surabhi on 2015-07-08 10:14:12 EDT ---

type=AVC msg=audit(07/08/2015 14:05:03.251:43618) : avc:  denied  { unlink } for  pid=18629 comm=smbd name=smbd.pid dev=dm-0 ino=1574544 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/08/2015 14:05:04.435:43619) : arch=x86_64 syscall=unlink success=no exit=-13(Permission denied) a0=0x7f64036ce6b0 a1=0x0 a2=0x7f64036cf6b0 a3=0x702061626d615320 items=0 ppid=1 pid=3257 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7175 comm=smbd exe=/usr/sbin/smbd subj=unconfined_u:system_r:smbd_t:s0 key=(null) 
type=AVC msg=audit(07/08/2015 14:05:04.435:43619) : avc:  denied  { unlink } for  pid=3257 comm=smbd name=smbd.pid dev=dm-0 ino=1574544 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/08/2015 14:05:14.643:43620) : arch=x86_64 syscall=unlink success=no exit=-13(Permission denied) a0=0x7f9bf1afb350 a1=0x0 a2=0x0 a3=0x702061626d615320 items=0 ppid=1 pid=3305 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7175 comm=nmbd exe=/usr/sbin/nmbd subj=unconfined_u:system_r:nmbd_t:s0 key=(null) 
type=AVC msg=audit(07/08/2015 14:05:14.643:43620) : avc:  denied  { unlink } for  pid=3305 comm=nmbd name=nmbd.pid dev=dm-0 ino=1574567 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file

--- Additional comment from Milos Malik on 2015-07-08 10:17:13 EDT ---

Non-beaker task form of local policy follows:

# cat bz1240198.te
policy_module(bz1240198,1.0)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  class dir { read write create add_name remove_name };
  class file { write lock create unlink getattr open read };
  class sock_file { create };
}

allow nmbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow nmbd_t winbind_var_run_t:file { write lock create unlink getattr open read };
allow nmbd_t winbind_var_run_t:sock_file { create };
allow smbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow smbd_t winbind_var_run_t:file { write lock create unlink getattr open read };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1240198 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
# semodule -i bz1240198.pp
#

--- Additional comment from surabhi on 2015-07-09 02:18:13 EDT ---

With a small addition to the policy given in #C14, there are no AVC's seen with Active directory and samba with glusterfs.

Verified with accessing the share by domain users.
All processes are up and running
AD setup works fine.


# cat bz1240198.te
policy_module(bz1240198,1.0)

require {
  type nmbd_t;
  type smbd_t;
  type winbind_var_run_t;
  class dir { read write create add_name remove_name };
  class file { write lock create unlink getattr open read };
  class sock_file { create unlink };
}

allow nmbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow nmbd_t winbind_var_run_t:file { write lock create unlink getattr open read };
allow nmbd_t winbind_var_run_t:sock_file { create unlink };
allow smbd_t winbind_var_run_t:dir { read write create add_name remove_name };
allow smbd_t winbind_var_run_t:file { write lock create unlink getattr open read };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1240198 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
# semodule -i bz1240198.pp
#


Please consider this to be added for RHEL6.7.z

Comment 2 Lukas Vrabec 2015-07-18 22:05:39 UTC
commit 6b83186d7b3151b96cccbe3b12cfae1c509450ef
Author: Lukas Vrabec <lvrabec>
Date:   Sun Jul 19 00:00:44 2015 +0200

    Allow smbd_t and nmbd_t to manage winbind_var_run_t files/sockets/dirs.
    Resolves: #1241361

commit e777ef7e8770ca1d450096282f6ec127c995546e
Author: Lukas Vrabec <lvrabec>
Date:   Sat Jul 18 23:58:00 2015 +0200

    Add samba_manage_winbind_pid() interface

Comment 3 Miroslav Grepl 2015-07-20 11:24:05 UTC
$ matchpathcon /var/run/samba/nmbd.pid
/var/run/samba/nmbd.pid	system_u:object_r:nmbd_var_run_t:s0

Why is it created as winbind_var_run_t?

Comment 4 Miroslav Grepl 2015-07-20 11:30:08 UTC
It looks like the problem is /var/run/samba is created with the wrong label.

Comment 5 Miroslav Grepl 2015-07-20 11:33:21 UTC
So I believe we need to update rules to reflect samba.fc with filename transitions.

Comment 6 Lukas Vrabec 2015-07-20 11:37:37 UTC
Please attach output of:
$ matchpathcon /var/run/samba/

Comment 7 surabhi 2015-07-20 11:40:31 UTC
ls -lZ /var/run/samba
drwxr-xr-x. root root system_u:object_r:smbd_var_run_t:s0 ncalrpc
drwxr-xr-x. root root system_u:object_r:winbind_var_run_t:s0 winbindd

Comment 8 Lukas Vrabec 2015-07-20 12:06:32 UTC
Hi, 
After discussion with mgrepl, we agreed that dir "/var/run/samba" was mislabeled on tested system. Could you re-test this issue on new fresh installation?
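
An added example (not code from the bug thread or from selinux-policy) that covers both halves of the discussion: turning AVC records like those in the description into allow rules in the shape of the posted bz1240198.te module, and the check comments 3 to 8 arrive at, namely whether the denied target is simply mislabeled and wants restorecon instead of a new rule. The sample AVC lines are copied from the description; the expected label for smbd.pid is an assumption modelled on the matchpathcon output for nmbd.pid.

```python
import re
from collections import defaultdict

# Constructed sample: three of the AVC records quoted in the bug description.
SAMPLE_AVCS = """\
type=AVC msg=audit(07/06/2015 03:01:20.719:20011) : avc:  denied  { lock } for  pid=15334 comm=smbd path=/var/run/samba/smbd.pid dev=dm-0 ino=1574544 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file
type=AVC msg=audit(07/06/2015 03:01:44.798:20016) : avc:  denied  { create } for  pid=15334 comm=smbd name=ncalrpc scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir
type=AVC msg=audit(07/06/2015 03:01:25.131:20012) : avc:  denied  { write open } for  pid=15362 comm=nmbd name=nmbd.pid dev=dm-0 ino=1574567 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=file
"""
# Expected pid-file labels: nmbd.pid from the matchpathcon output in comment 3,
# smbd.pid assumed from the same samba.fc naming pattern (an assumption).
EXPECTED_TYPE = {"/var/run/samba/nmbd.pid": "nmbd_var_run_t",
                 "/var/run/samba/smbd.pid": "smbd_var_run_t"}

def parse_avc(line):
    """Pull perms, source/target types, class and object path out of one AVC."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    return {"perms": set(m.group(1).split()),
            "stype": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "path": fields.get("path") or fields.get("name", "?")}

def aggregate(lines):
    # Merge denials into (source type, target type, class) -> permission set.
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return rules

def render_te(rules, name="bz1240198"):
    """Emit a policy module in the same shape as the one posted in the thread."""
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"policy_module({name},1.0)", "", "require {"]
    out += [f"  type {t};" for t in sorted({t for k in rules for t in k[:2]})]
    out += [f"  class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out)

def suspected_mislabels(lines):
    # Denials on a path whose target type is not the label the path should carry:
    # the fix there is restorecon on the directory, not a new allow rule.
    hits = []
    for rec in filter(None, map(parse_avc, lines)):
        want = EXPECTED_TYPE.get(rec["path"])
        if want and want != rec["ttype"]:
            hits.append((rec["path"], rec["ttype"], want))
    return hits
```

Run suspected_mislabels over the audit log before render_te: on the reporter's system every denial targets winbind_var_run_t, which is the mislabel signal the thread ended on, and rules generated from such denials would only paper over it.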

Comment 9 Prasanth 2015-07-20 13:23:51 UTC
Putting the needinfo on Surabhi to provide the requested info.

Comment 11 surabhi 2015-10-26 11:44:08 UTC
The issue was not on 7.2. clearing needinfo