Bug 145025 - smbmount - needs samba access permissions
smbmount - needs samba access permissions
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-01-13 15:52 EST by Ivan Gyurdiev
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-02-07 17:32:22 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Samba.te file (5.46 KB, text/plain)
2005-01-29 11:05 EST, Ivan Gyurdiev
no flags Details
Samba.te patch (3.12 KB, patch)
2005-01-29 11:06 EST, Ivan Gyurdiev
no flags Details | Diff

  None (edit)
Description Ivan Gyurdiev 2005-01-13 15:52:15 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
smbmount needs at least those permissions to work:

getattr, read on samba_etc_t (smb.conf)
read, write, lock on samba_var_t (gencache.tdb)
read, ioctl on system_u:object_r:cifs_t
append, getattr on samba_log_t (smbmount.log)
create connect write - unix_drgram_socket

Currently it runs as mount_t and lacks those permissions.

Corresponding denials:

audit(1105648184.429:0): avc:  denied  { read } for  pid=2664
exe=/bin/mount path=/init dev=rootfs ino=7
scontext=system_u:system_r:mount_t tcontext=system_u:object_r:root_t
tclass=file
audit(1105648184.458:0): avc:  denied  { setuid } for  pid=2665
exe=/bin/mount capability=7 scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=capability

audit(1105648184.459:0): avc:  denied  { setgid } for  pid=2665
exe=/bin/mount capability=6 scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=capability

audit(1105648184.944:0): avc:  denied  { getattr } for  pid=2665
exe=/usr/bin/smbmount path=/etc/samba/smb.conf dev=dm-0 ino=667484
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_etc_t tclass=file

audit(1105648184.945:0): avc:  denied  { read } for  pid=2665
exe=/usr/bin/smbmount name=smb.conf dev=dm-0 ino=667484
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_etc_t tclass=file

audit(1105648185.028:0): avc:  denied  { getattr } for  pid=2665
exe=/usr/bin/smbmount path=/win dev=dm-0 ino=616513
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:default_t tclass=dir

audit(1105648185.051:0): avc:  denied  { read write } for  pid=2665
exe=/usr/bin/smbmount name=gencache.tdb dev=dm-0 ino=1168448
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_var_t tclass=file

audit(1105648185.051:0): avc:  denied  { lock } for  pid=2665
exe=/usr/bin/smbmount path=/var/cache/samba/gencache.tdb dev=dm-0
ino=1168448 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_var_t tclass=file

audit(1105648185.054:0): avc:  denied  { getattr } for  pid=2665
exe=/usr/bin/smbmount path=/var/cache/samba/gencache.tdb dev=dm-0
ino=1168448 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_var_t tclass=file

audit(1105648185.219:0): avc:  denied  { getattr } for  pid=2665
exe=/usr/bin/smbmount path=/var/cache/samba dev=dm-0 ino=1168253
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_var_t tclass=dir
SELinux: initialized (dev smbfs, type smbfs), uses genfs_contexts

audit(1105648185.467:0): avc:  denied  { read } for  pid=2666
exe=/usr/bin/smbmount name=/ dev=smbfs ino=2
scontext=system_u:system_r:mount_t tcontext=system_u:object_r:cifs_t
tclass=dir

audit(1105648185.467:0): avc:  denied  { ioctl } for  pid=2666
exe=/usr/bin/smbmount path=/win dev=smbfs ino=2
scontext=system_u:system_r:mount_t tcontext=system_u:object_r:cifs_t
tclass=dir

audit(1105648185.503:0): avc:  denied  { append } for  pid=2666
exe=/usr/bin/smbmount name=smbmount.log dev=dm-0 ino=146038
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_log_t tclass=file

audit(1105648185.503:0): avc:  denied  { create } for  pid=2666
exe=/usr/bin/smbmount scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=unix_dgram_socket

audit(1105648185.503:0): avc:  denied  { connect } for  pid=2666
exe=/usr/bin/smbmount scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=unix_dgram_socket

audit(1105648185.503:0): avc:  denied  { write } for  pid=2666
exe=/usr/bin/smbmount scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=unix_dgram_socket

audit(1105648185.612:0): avc:  denied  { getattr } for  pid=2666
exe=/usr/bin/smbmount path=/var/log/samba/smbmount.log dev=dm-0
ino=146038 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:samba_log_t tclass=file








Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.1-1

How reproducible:
Always

Steps to Reproduce:
1. Mount a samba share

Additional info:
Comment 1 Ivan Gyurdiev 2005-01-13 17:32:47 EST
smbiod:

audit(1105655461.646:0): avc:  denied  { write } for  pid=2671
comm=smbiod laddr=192.168.0.2 lport=58431 faddr=192.168.0.3 fport=139
scontext=system_u:system_r:kernel_t tcontext=root:sysadm_r:mount_t
tclass=tcp_socket

audit(1105655461.646:0): avc:  denied  { read } for  pid=2671
comm=smbiod laddr=192.168.0.2 lport=58431 faddr=192.168.0.3 fport=139
scontext=system_u:system_r:kernel_t tcontext=root:sysadm_r:mount_t
tclass=tcp_socket
Comment 2 Ivan Gyurdiev 2005-01-13 17:38:40 EST
gnome-vfs-daemon:

audit(1105648235.958:0): avc:  denied  { write } for  pid=3754
exe=/usr/libexec/gnome-vfs-daemon laddr=192.168.0.2 lport=41856
faddr=192.168.0.3 fport=139 scontext=user_u:user_r:user_t
tcontext=system_u:system_r:mount_t tclass=tcp_socket
Comment 3 Daniel Walsh 2005-01-26 10:44:48 EST
Ok We are going to need some context for smbmount.  I have put together a
preliminary policy for smbmount, that I want you to try and if you can finish
it, since I don't currently have access to a smb environment.  Or at least
submit the AVC messages.  (You might want to do this in permissive mode).

Dan
Comment 4 Ivan Gyurdiev 2005-01-26 12:09:05 EST
Okay, where's the policy?
Comment 5 Daniel Walsh 2005-01-26 12:39:09 EST
It is out on people
ftp://people.redhat.com/dwalsh/SELinux/Fedora

selinux-policy-strict-*1.21.3-4
You will need to restorecon /usr/bin/smbmount

Good luck.  YOu can communicate with me on the #selinux chat room if you need
quick response.

Dan
Comment 6 Ivan Gyurdiev 2005-01-27 02:15:25 EST
Is "can_ypbind" necessary? I'm not familiar with ypbind, but
I didn't see any related denials.

The rest of the rules look fine, but see - now smbmount can't acecss
any of the things in the mount policy, and it needs some of those
permissions. See below. How can smbmount inherit some permissions
from mount?


In the meantime here are the denials:

Common with mount
==============================
It can't { getattr search mounton } mnt_t where I put the mount point
It can't { create write add_name create unlink } etc_t (for mtab backups)
It can't { read append geattr } etc_runtime_t (for mtab)
It can't { mount } cifs_t, available through this rule:
 allow mount_t file_type:filesystem { unmount mount relabelto };
in mount.te

Other, more general denials include:
====================================
It can't { signal sigchld} self:process
It can't read_locale()
It can't { search } devpts_t
It can't { read write } sysadm_devpts_t
It can't { use } /dev/pts/2 of type user_t
It can't { read write ioctl } /dev/tty

Some of those are already in the mount policy.
Others are not.

Samba-related stuff:
===================
It can't { search } samba_log_t or var_log_t
   (Will it also need to create the log file 
               if it's missing? - need to test)

It can't { create connect} unix_stream_socket in the same domain.

It can't { search } samba_var_t:dir.

It can't { read geattr } this thing of type lib_t: gconv-modules.cache 

It can't { fork } itself.

It can't { search getattr } bin_t:dir
in order to { read execute execute_no_trans } bin_t:file (/usr/bin/smbmnt)
which it tries to do.
 
Finally there's this kind of denial:

audit(1106808301.487:0): avc:  denied  { read } for  pid=1383
comm=smbiod laddr=192.168.2.96 lport=45305 faddr=192.168.2.96
fport=445 scontext=system_u:system_r:kernel_t
tcontext=root:sysadm_r:smbmount_t tclass=tcp_socket

audit(1106808303.487:0): avc:  denied  { write } for  pid=1389
exe=/usr/libexec/gnome-vfs-daemon laddr=192.168.2.96 lport=45305
faddr=192.168.2.96 fport=445 scontext=user_u:user_r:user_t
tcontext=root:sysadm_r:smbmount_t tclass=tcp_socket

Hope this is helpful.
I can add some of these myself, but I wasn't clear
on how to structure this with respect to the mount policy.





Comment 7 Daniel Walsh 2005-01-27 11:11:49 EST
ypbind will only come into effect if you are running in an NIS environment,  it
is required.

Not sure I caught them all but here is the bottom section of samba.te


ifdef(`mount.te', `
#
# Domain for running smbmount
#
application_domain(smbmount, `, fs_domain, nscd_client_domain');
can_network(smbmount_t)
can_ypbind(smbmount_t)
allow smbmount_t cifs_t:dir r_dir_perms;
allow smbmount_t self:unix_dgram_socket create_socket_perms;
allow smbmount_t samba_etc_t:file r_file_perms;
allow smbmount_t samba_log_t:dir r_dir_perms;
allow smbmount_t samba_log_t:file ra_file_perms;
allow smbmount_t samba_var_t:dir r_dir_perms;
allow smbmount_t samba_var_t:file rw_file_perms;
domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
r_dir_file(smbmount_t, proc_t)
allow smbmount_t self:capability { signal sigchld net_bind_service sys_rawio
sys_admin dac_override chown };
allow smbmount_t self:process { fork signal_perms };
file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
allow smbmount_t cifs_t:dir mounton;
allow smbmount_t cifs_t:dir search;
allow smbmount_t mnt_t:dir mounton;
read_locale(smbmount_t)
allow smbmount_t userdomain:fd use;
allow smbmount_t self:unix_stream_socket create_socket_perms;
can_exec(smbmount_t, bin_t)
allow kernel_t smbmount_t:tcp_socket { read write };
allow smbmount_t file_type:filesystem { unmount mount relabelto };
')
Comment 8 Ivan Gyurdiev 2005-01-27 13:31:26 EST
Well I was wondering if there could be some sort of common macro in mount.te
that gives a bunch of those permissions to smbmount_t and mount_t.

allow smbmount_t file_type:filesystem { unmount mount relabelto };
Shouldn't this be restricted to particular filesystems?

allow smbmount_t cifs_t:dir search;
Hmm...why is this needed...I should investigate

allow smbmount_t cifs_t:dir mounton;
This looks wrong in light of what Stephen Smalley said about binfmt.
I will test some more to see if I get this kind of denial or if it's
some sort of dual mount problem. 

allow smbmount_t samba_log_t:file ra_file_perms;
Do you know if smbmount creates the file if it isn't there?

allow smbmount_t self:unix_stream_socket create_socket_perms;
You should put that next to the dgram_socket one.

can_exec(smbmount_t, bin_t)
Isn't the scope of this rule too broad?
Now it can execute all of bin_t. Maybe label smbmnt differently?

What about mount.cifs?
Comment 9 Ivan Gyurdiev 2005-01-27 13:39:25 EST
allow smbmount_t cifs_t:dir mounton;
allow smbmount_t cifs_t:dir search;

Hmm - yeah, where are those two coming from?
They're not in my list of denials - I don't think.


Comment 10 Daniel Walsh 2005-01-27 14:42:10 EST
Ok updated the latest policy on 
ftp://people.redhat.com/dwalsh/SELinux/Fedora

smb seems to be working.

cifs works alot better and requires no policy change.

I have gotten rid of all smb errors on my test machine.

selinux-policy-strict-1.21.4-2
Comment 11 Ivan Gyurdiev 2005-01-27 17:53:47 EST
What about my comments in #8 and #9?
Some of those permissions seem too broad,
or unnecessary - see above.

Also I get denials:

Tty stuff:
{ search } devpts_t:dir
{ read write } sysadm_devpts_t:chr_file
{ read write ioctl } sysadm_devtty_t:chr_file

{ search } bin_t:dir   (Need this for finding /usr/bin/smbmnt)
{ search } var_log_t:dir  
(Need this for finding /var/log/samba/smbmount.log)
{ mount } cifs_t:filesystem

That last one is because cifs_t is fs_type, not file_type.

Finally there are still denials of this type:
audit(1106866332.138:0): avc:  denied  { write } for  pid=30275
exe=/bin/ls laddr=192.168.2.96 lport=58074 faddr=192.168.2.96
fport=445 scontext=root:sysadm_r:sysadm_t
tcontext=root:sysadm_r:smbmount_t tclass=tcp_socket







 
Comment 12 Ivan Gyurdiev 2005-01-29 11:04:57 EST
Ok, fixes.

Attached is a patch between selinux-policy-strict-1.21.5-2
and what I have. Also attached is the samba.te file itself.
It does the following:

- comments everything and organizes it so it's not just
a list of rules ordered randomly
- removes permissions that I think are unnecessary.. like
mounton on cifs_t, and some other things 
- restricts permissions that are overly broad like the rule
that lets smbmount mount every filesystem
- adds rules that I needed to eliminate ALL denials. I don't
get any denials anymore. Most of them were tty rules, but
there were some search rules, and a log creation rule, etc.
There was also a bug in the cifs mount rule that I fixed.

Please consider for inclusion. Also, please look at FIXMEs and see
if those are necessary - I just didn't know.

smbmnt_t should probably be labeled as something else so
smbmount_t doesn't have execute permissions on all of bin_t.




Comment 13 Ivan Gyurdiev 2005-01-29 11:05:56 EST
Created attachment 110384 [details]
Samba.te file 

This is my samba.te file
Comment 14 Ivan Gyurdiev 2005-01-29 11:06:34 EST
Created attachment 110385 [details]
Samba.te patch

And this is the patch.
Comment 15 Daniel Walsh 2005-01-31 11:11:17 EST
Added in  1.21.5-3
Comment 16 Ivan Gyurdiev 2005-01-31 22:24:26 EST
Here's some changes to address a FIXME. 
Restricts execute priviledges of smbmount. 
Also smbmnt now transitions to smbmount_t if executed by users.

--- samba.te   2005-01-31 20:14:24.000000000 -0700
+++ samba.new    2005-01-31 20:17:33.000000000 -0700
@@ -164,9 +164,8 @@
 r_dir_file(smbmount_t, proc_t)

 # Fork smbmnt
-# FIXME: label bin_t as more restricted type?
 allow smbmount_t bin_t:dir r_dir_perms;
-can_exec(smbmount_t,bin_t)
+can_exec(smbmount_t,smbmount_exec_t)
 allow smbmount_t self:process { fork signal_perms };

 # Mount

--- samba.fc   2005-01-31 20:13:07.000000000 -0700
+++ samba.new    2005-01-31 20:13:37.000000000 -0700
@@ -20,5 +20,6 @@
 /var/run/samba/nmbd\.pid --    system_u:object_r:nmbd_var_run_t
 /var/spool/samba(/.*)?         system_u:object_r:samba_var_t
 ifdef(`mount.te', `
-/usr/bin/smbmount              system_u:object_r:smbmount_exec_t
+/usr/bin/smbmount -- system_u:object_r:smbmount_exec_t
+/usr/bin/smbmnt        -- system_u:object_r:smbmount_exec_t
 ')

Note You need to log in before you can comment on or make changes to this bug.