1477900 – SELinux is preventing samba with kerberos

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1477900 - SELinux is preventing samba with kerberos

Summary: SELinux is preventing samba with kerberos

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.5
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-08-03 07:37 UTC by Erinn Looney-Triggs
Modified:	2022-03-13 14:22 UTC (History)
CC List:	22 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-10-30 10:00:43 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3111	0	None	None	None	2018-10-30 10:02:09 UTC

Description Erinn Looney-Triggs 2017-08-03 07:37:16 UTC

Description of problem:
When using samba with a system that is joined to an AD using realmd, samba attempts to access 'something' with a context of krb5_host_rcache_t. This is denied by default, audit2allow suggests enabling 'samba_export_all_rw' boolean however this is probably way to broad of an allow, and samba should function using kerberos without the above boolean being enabled.


Version-Release number of selected component (if applicable):
samba-4.6.2-8.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch

How reproducible:
Join system to AD with realmd
Configure samba to use ADS security and the system keytab
Watch the audit logs fly.
Enable the boolean
Watch it work
Disable boolean back to no work.


Actual results:
time->Tue Aug  1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459748): arch=c000003e syscall=2 success=no exit=-13 a0=7f6de225d050 a1=2 a2=180 a3=7fff86741f30 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459748): avc:  denied  { write } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459749): arch=c000003e syscall=87 success=no exit=-13 a0=7f6de225cf40 a1=7f6ddd777790 a2=7f6de225cf40 a3=7fff867420b0 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459749): avc:  denied  { unlink } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
[looneytr@nowhere ~]$ rpm -q samba


Expected results:
Kerberos with samba should just work without enabling the aforementioned boolean.

Additional info:
Full logs of the error, though there are plenty of dupes in here:
time->Tue Aug  1 22:07:50 2017
type=SYSCALL msg=audit(1501646870.253:1459547): arch=c000003e syscall=2 success=no exit=-13 a0=7f9032652e40 a1=2 a2=180 a3=7ffe2af3d6d0 items=0 ppid=20342 pid=20407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501646870.253:1459547): avc:  denied  { write } for  pid=20407 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:07:50 2017
type=SYSCALL msg=audit(1501646870.254:1459548): arch=c000003e syscall=87 success=no exit=-13 a0=7f9032652e40 a1=7f902d778790 a2=7f9032652e40 a3=7ffe2af3d850 items=0 ppid=20342 pid=20407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501646870.254:1459548): avc:  denied  { unlink } for  pid=20407 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:08:55 2017
type=SYSCALL msg=audit(1501646935.861:1459550): arch=c000003e syscall=87 success=no exit=-13 a0=7f9032652e40 a1=7f902d778790 a2=7f9032652e40 a3=7ffe2af3d850 items=0 ppid=20342 pid=20414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501646935.861:1459550): avc:  denied  { unlink } for  pid=20414 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:08:55 2017
type=SYSCALL msg=audit(1501646935.861:1459549): arch=c000003e syscall=2 success=no exit=-13 a0=7f9032652e40 a1=2 a2=180 a3=7ffe2af3d6d0 items=0 ppid=20342 pid=20414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501646935.861:1459549): avc:  denied  { write } for  pid=20414 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:15:21 2017
type=SYSCALL msg=audit(1501647321.846:1459576): arch=c000003e syscall=2 success=no exit=-13 a0=7f9032652e40 a1=2 a2=180 a3=7ffe2af3d6d0 items=0 ppid=20342 pid=20629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501647321.846:1459576): avc:  denied  { write } for  pid=20629 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:15:21 2017
type=SYSCALL msg=audit(1501647321.846:1459577): arch=c000003e syscall=87 success=no exit=-13 a0=7f9032652e40 a1=7f902d778790 a2=7f9032652e40 a3=7ffe2af3d850 items=0 ppid=20342 pid=20629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501647321.846:1459577): avc:  denied  { unlink } for  pid=20629 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:15:25 2017
type=SYSCALL msg=audit(1501647325.194:1459579): arch=c000003e syscall=87 success=no exit=-13 a0=7f9032652e40 a1=7f902d778790 a2=7f9032652e40 a3=7ffe2af3d850 items=0 ppid=20342 pid=20630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501647325.194:1459579): avc:  denied  { unlink } for  pid=20630 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:15:25 2017
type=SYSCALL msg=audit(1501647325.194:1459578): arch=c000003e syscall=2 success=no exit=-13 a0=7f9032652e40 a1=2 a2=180 a3=7ffe2af3d6d0 items=0 ppid=20342 pid=20630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501647325.194:1459578): avc:  denied  { write } for  pid=20630 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:35:13 2017
type=SYSCALL msg=audit(1501648513.022:1459677): arch=c000003e syscall=87 success=no exit=-13 a0=7f425304ced0 a1=7f424e95d790 a2=7f425304ced0 a3=7fffc8308b40 items=0 ppid=20713 pid=21198 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648513.022:1459677): avc:  denied  { unlink } for  pid=21198 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:35:13 2017
type=SYSCALL msg=audit(1501648513.022:1459676): arch=c000003e syscall=2 success=no exit=-13 a0=7f425304a460 a1=2 a2=180 a3=7fffc83089c0 items=0 ppid=20713 pid=21198 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648513.022:1459676): avc:  denied  { write } for  pid=21198 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:41:19 2017
type=SYSCALL msg=audit(1501648879.578:1459725): arch=c000003e syscall=2 success=no exit=-13 a0=7f6de225d050 a1=2 a2=180 a3=7fff86741f30 items=0 ppid=21406 pid=21446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648879.578:1459725): avc:  denied  { write } for  pid=21446 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:41:19 2017
type=SYSCALL msg=audit(1501648879.578:1459726): arch=c000003e syscall=87 success=no exit=-13 a0=7f6de225cf40 a1=7f6ddd777790 a2=7f6de225cf40 a3=7fff867420b0 items=0 ppid=21406 pid=21446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648879.578:1459726): avc:  denied  { unlink } for  pid=21446 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459748): arch=c000003e syscall=2 success=no exit=-13 a0=7f6de225d050 a1=2 a2=180 a3=7fff86741f30 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459748): avc:  denied  { write } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459749): arch=c000003e syscall=87 success=no exit=-13 a0=7f6de225cf40 a1=7f6ddd777790 a2=7f6de225cf40 a3=7fff867420b0 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459749): avc:  denied  { unlink } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file

Comment 2 Milos Malik 2017-08-04 09:18:34 UTC

Could you find out where the host_0 file is located?

Comment 3 Erinn Looney-Triggs 2017-08-04 13:12:08 UTC

/var/tmp/host_0

Thanks.

Comment 4 Vinícius Ferrão 2017-08-04 19:02:04 UTC

+1

I'm affected for this bug too. I've opened a ticket a long time ago but it was done in the "wrong" place: https://bugzilla.redhat.com/show_bug.cgi?id=1477900

Erinn pointed the right place to report issues. As a workarround I've been running the server with SELinux in permissive mode.

Comment 6 Simon Sekidde 2017-08-10 14:11:36 UTC

(In reply to Vinícius Ferrão from comment #4)
> +1
> 
> I'm affected for this bug too. I've opened a ticket a long time ago but it
> was done in the "wrong" place:
> https://bugzilla.redhat.com/show_bug.cgi?id=1477900
> 
> Erinn pointed the right place to report issues. As a workarround I've been
> running the server with SELinux in permissive mode.

Vinicius, 

Simply put the samba domain in permissive as opposed to the entire system 

 semanage  permissive  -a  smbd_t

Comment 7 Teer Sandal 2018-03-20 19:54:16 UTC

I've installed selinux-policy-3.13.1-166.el7_4.9 but it didn't help.
In my case both Samba and SSHD lead to creation of /var/tmp/host_0.
Both Samba and SSHD use Kerberos (GSSAPI) authentication against Active Directory.
So, for example:
after bootstrap /var/tmp/host_0 doesn't exist,
SSHD makes an attempt to GSSAPI-auth and creates /var/tmp/host_0 with SElinux context 'krb5_host_rcache_t',
then Samba makes an attempt to authenticate and fails because domain 'smbd_t' has no rights to access file '/var/tmp/host_0' of context 'krb5_host_rcache_t'.

I found following workaround - create a DropIn file '/etc/systemd/system/sshd.service.d/private_tmp.conf' with contents:
[Service]
PrivateTmp=true

after that SSHD began to create file host_0 in its own directory rather than common /var/tmp.

Comment 8 David Gilbert 2018-06-12 02:21:48 UTC

I've just experienced this error on a box I'm building that uses sssd for user authentication & samba for file shares.

System has selinux-policy-3.13.1-192.el7_5.3.

Weird thing is, this version of selinux-policy has been installed since Apr 12. Errors have (afaict) started occurring since Jun 5. (!!)

Not sure if this is a race condition between sssd & samba, or a regression error in selinux-policy??

Comment 10 Mike Surcouf 2018-06-26 17:31:40 UTC

I have this exact issue using

selinux-policy.noarch                                                                          3.13.1-192.el7_5.3

using

semanage  permissive  -a  smbd_t

for now

Comment 11 Auke Bergsma 2018-07-05 09:20:14 UTC

I can confirm, with Samba 4.7.1-6.el7:
SELinux 3.13.1-192.0.1.el7_5.3 => Samba works
SELinux 3.13.1-192.0.3.el7_5.3 => Samba fails
SELinux 3.13.1-192.0.3.el7_5.4 => Samba fails

(Temporarily) Downgrading SELinux can also be used as a workaround:
sudo yum downgrade selinux-policy selinux-policy-targeted

Comment 12 Mike Surcouf 2018-07-06 07:49:57 UTC

Confirmed SELinux 3.13.1-192.0.3.el7_5.4 => Samba fails

I see this in in QA.
This bug also says fixed in version selinux-policy-3.13.1-174.el7 so is this a regression?

Do you have an expected version that this will be fixed in?

Thanks

Comment 13 Teddy Boot 2018-07-18 07:11:27 UTC

Got the same problem but with older versions:

samba:
4.6.2-12.el7_4

selinux-policy.noarch:
3.13.1-166.el7_4.9

work around as mentioned by Mike works

Comment 15 Erinn Looney-Triggs 2018-08-27 18:03:53 UTC

Continues to plague in 7.5.

Comment 16 David 2018-09-03 00:08:24 UTC

This has recently caused us an outage on all our RHEL 7.5 fileservers with:

samba:
4.7.1-9.el7_5

selinux-policy.noarch:
3.13.1-192.el7_5

Comment 20 errata-xmlrpc 2018-10-30 10:00:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

Note You need to log in before you can comment on or make changes to this bug.

akhomic1
apeddire
aukebergsma
baitken
bugzilla.1.evade
erinn.looneytriggs
johannespfau
lvrabec
mgrepl
mike
mmalik
pablo.mendezhernandez
plautrba
pvrabec
sali
shay.fuimaono
ssekidde
teddy.boot
troels
unix_admin
v99glu
vinicius