Bug 1264468 - AVC denial when running smbcontrol
Status: CLOSED DUPLICATE of bug 1256459
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
7.2
x86_64 Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
: Regression
Depends On:
Blocks:
Reported: 2015-09-18 10:14 EDT by Varun Mylaraiah
Modified: 2015-11-30 11:17 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-21 08:02:23 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Varun Mylaraiah 2015-09-18 10:14:46 EDT
Description of problem:
One of our TCs triggers that AVC.
AVC denial when running smbcontrol

Version-Release number of selected component (if applicable):
samba-4.2.3-7.el7.x86_64
selinux-policy-3.13.1-49.el7
ipa-server-4.2.0-9.el7.x86_64

How reproducible:
100%

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: trust_cli_bz1056120: ipasam does not support deleting multiple child trusted domains due to LDAP delete operation bz1056120
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'ipa trustdomain-find ipaad2008r2.test > /tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out 2>&1'
:: [   PASS   ] :: Command 'ipa trustdomain-find ipaad2008r2.test > /tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out 2>&1' (Expected 0, got 0)
  Domain name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  Domain enabled: True

  Domain name: ipasub2008r2-1.ipaad2008r2.test
  Domain NetBIOS name: IPASUB2008R2-1
  Domain Security Identifier: S-1-5-21-469193889-4273894478-2486872656
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
:: [   PASS   ] :: File '/tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out' should contain 'IPASUB2008R2-1' 
:: [  BEGIN   ] :: Running 'smbcontrol all debug 100'
unix_msg_init failed: Permission denied
could not init messaging context
:: [   FAIL   ] :: Command 'smbcontrol all debug 100' (Expected 0, got 1)
:: [  BEGIN   ] :: Running 'echo Secret123 | ipa trust-add ipaad2008r2.test --type ad --admin Administrator --password --two-way=True > /tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out 2>&1'
:: [   PASS   ] :: Command 'echo Secret123 | ipa trust-add ipaad2008r2.test --type ad --admin Administrator --password --two-way=True > /tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out 2>&1' (Expected 0, got 0)
-------------------------------------------------
Re-established trust to domain "ipaad2008r2.test"
-------------------------------------------------
  Realm name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
:: [   PASS   ] :: File '/tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out' should contain 'Re-established trust to domain "ipaad2008r2.test"' 
:: [   PASS   ] :: File '/tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out' should contain 'Trust status: Established and verified' 
:: [  BEGIN   ] :: Running 'smbcontrol all debug 1'
unix_msg_init failed: Permission denied
could not init messaging context
:: [   FAIL   ] :: Command 'smbcontrol all debug 1' (Expected 0, got 1)
:: [  BEGIN   ] :: Running 'egrep -B1 '(smbldap_delete:|Failed to delete)' /var/log/samba/log.* | tee /tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out'
/var/log/samba/log.smbd-[2015/09/15 21:14:53.409067,  0] ../lib/util/pidfile.c:153(pidfile_unlink)
/var/log/samba/log.smbd:  Failed to delete pidfile /run/smbd.pid. Error was No such file or directory
:: [   PASS   ] :: Command 'egrep -B1 '(smbldap_delete:|Failed to delete)' /var/log/samba/log.* | tee /tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'egrep "Failed to delete.*dn: cn=ipaad2008r2.test,.*" /tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out | tee /tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out_1'
:: [   PASS   ] :: Command 'egrep "Failed to delete.*dn: cn=ipaad2008r2.test,.*" /tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out | tee /tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out_1' (Expected 0, got 0)
:: [   FAIL   ] :: File '/tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out_1' should contain 'Operation not allowed on non-leaf' 
:: [   FAIL   ] :: File '/tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out' should contain 'smbldap_delete: dn => \[cn=ipasub2008r2-1.ipaad2008r2.test' 
:: [   FAIL   ] :: File '/tmp/tmp.TJrEk5IISM/tmpout.trust_cli_bz1056120.out' should contain 'smbldap_delete: dn => \[cn=ipaad2008r2.test' 
:: [  BEGIN   ] :: Deleting trust to continue testing :: actually running 'ipa trust-del ipaad2008r2.test'
--------------------------------
Deleted trust "ipaad2008r2.test"
--------------------------------
:: [   PASS   ] :: Deleting trust to continue testing (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa idrange-del IPAAD2008R2.TEST_id_range'
--------------------------------------------
Deleted ID range "IPAAD2008R2.TEST_id_range"
--------------------------------------------
:: [   PASS   ] :: Command 'ipa idrange-del IPAAD2008R2.TEST_id_range' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa idrange-del IPASUB2008R2-1.IPAAD2008R2.TEST_id_range'
-----------------------------------------------------------
Deleted ID range "IPASUB2008R2-1.IPAAD2008R2.TEST_id_range"
-----------------------------------------------------------
:: [   PASS   ] :: Command 'ipa idrange-del IPASUB2008R2-1.IPAAD2008R2.TEST_id_range' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sleep 30'
:: [   PASS   ] :: Command 'sleep 30' (Expected 0, got 0)
'99c8a4c1-dc84-4301-9456-793d67d823ce'
trust-cli-bz1056120-ipasam-does-not-support-deleting-multiple-child-trusted-domains-due-to-LDAP-delete-operation-bz1056120 result: FAIL
   metric: 5
   Log: /var/tmp/beakerlib-34318281/journal.txt
    Info: Searching AVC errors produced since 1442366500.05 (Tue Sep 15 21:21:40 2015)
     Searching logs...
     Fail: AVC messages found.
     Checking for errors...
     Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
     Fail: AVC messages found.
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.FsZEex
:
'35471728-db33-438b-8140-d9f4acf9f659'
trust-cli-bz1056120-ipasam-does-not-support-deleting-multiple-child-trusted-domains-due-to-LDAP-delete-operation-bz1056120/avc result: FAIL
   Log: /mnt/testarea/tmp.FsZEex


Expected results:
No AVC denial.

Additional info:

[root@master1 ~]# date; smbcontrol debug 1;
Fri Sep 18 09:18:28 EDT 2015
unix_msg_init failed: Permission denied
could not init messaging context

[root@master1 ~]# ausearch -m avc -ts 09:18:28
----
time->Fri Sep 18 09:18:28 2015
type=SYSCALL msg=audit(1442582308.358:50680): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=40 items=0 ppid=15561 pid=16807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6537 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1442582308.358:50680): avc:  denied  { create } for  pid=16807 comm="smbcontrol" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
[root@master1 ~]#
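
Added example, not part of the bug report or of any Red Hat tooling: a small parser that pairs the AVC record above with the SYSCALL record of the same audit event, showing that the "Permission denied" from unix_msg_init is socket(AF_UNIX, SOCK_DGRAM) returning EACCES. The function names and lookup tables are this example's own, and the rule string it builds is only an audit2allow-style reading of the denial, not the policy change made for bug 1256459.

```python
import re

# The two records from the ausearch output in the report (one audit event, serial 50680).
SAMPLE = """\
type=SYSCALL msg=audit(1442582308.358:50680): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=40 items=0 ppid=15561 pid=16807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6537 comm="smbcontrol" exe="/usr/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1442582308.358:50680): avc:  denied  { create } for  pid=16807 comm="smbcontrol" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
"""

# Small lookup tables, x86_64 only (arch=c000003e); enough for this event.
AF = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
ERRNO = {1: "EPERM", 13: "EACCES"}

EVENT = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]+)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def fields(line):
    """Split one audit record into its key=value pairs."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))

def explain(log):
    """Pair each AVC denial with the SYSCALL record that shares its event serial."""
    events = {}
    for line in log.splitlines():
        m = EVENT.search(line)
        if m:
            events.setdefault(m.group(1), {})[fields(line).get("type")] = line
    results = []
    for serial, recs in events.items():
        avc = AVC.search(recs.get("AVC", ""))
        if not avc:
            continue  # event without a denial record
        perms, scon, tcon, tclass = avc.groups()
        src, tgt = scon.split(":")[2], tcon.split(":")[2]  # the type is the third field
        tgt = "self" if tgt == src else tgt
        perms = perms.split()
        plist = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        entry = {"serial": serial, "rule": f"allow {src} {tgt}:{tclass} {plist};"}
        sc = fields(recs.get("SYSCALL", ""))
        if sc.get("arch") == "c000003e" and sc.get("syscall") == "41":  # socket(2)
            dom, typ = int(sc["a0"], 16), int(sc["a1"], 16) & 0xF  # a0..a3 are hex
            entry["call"] = f"socket({AF.get(dom, dom)}, {SOCK.get(typ, typ)})"
            entry["errno"] = ERRNO.get(-int(sc["exit"]), sc["exit"])
        results.append(entry)
    return results

if __name__ == "__main__":
    for e in explain(SAMPLE):
        print(e)
```
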
Comment 1 Milos Malik 2015-09-18 10:17:40 EDT
I believe this bug is a duplicate of BZ#1256459.
Comment 6 Miroslav Grepl 2015-09-21 08:02:23 EDT

*** This bug has been marked as a duplicate of bug 1256459 ***
