Bug 1477900 - SELinux is preventing samba with kerberos
Summary: SELinux is preventing samba with kerberos
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-03 07:37 UTC by Erinn Looney-Triggs
Modified: 2018-10-30 10:02 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:00:43 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:02:09 UTC

Description Erinn Looney-Triggs 2017-08-03 07:37:16 UTC
Description of problem:
When using samba with a system that is joined to an AD using realmd, samba attempts to access 'something' with a context of krb5_host_rcache_t. This is denied by default; audit2allow suggests enabling the 'samba_export_all_rw' boolean, however this is probably way too broad of an allow, and samba should function using kerberos without the above boolean being enabled.


Version-Release number of selected component (if applicable):
samba-4.6.2-8.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch

How reproducible:
Join system to AD with realmd
Configure samba to use ADS security and the system keytab
Watch the audit logs fly.
Enable the boolean
Watch it work
Disable boolean back to no work.


Actual results:
time->Tue Aug  1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459748): arch=c000003e syscall=2 success=no exit=-13 a0=7f6de225d050 a1=2 a2=180 a3=7fff86741f30 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459748): avc:  denied  { write } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459749): arch=c000003e syscall=87 success=no exit=-13 a0=7f6de225cf40 a1=7f6ddd777790 a2=7f6de225cf40 a3=7fff867420b0 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459749): avc:  denied  { unlink } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
[looneytr@nowhere ~]$ rpm -q samba


Expected results:
Kerberos with samba should just work without enabling the aforementioned boolean.

Additional info:
Full logs of the error, though there are plenty of dupes in here:
time->Tue Aug  1 22:07:50 2017
type=SYSCALL msg=audit(1501646870.253:1459547): arch=c000003e syscall=2 success=no exit=-13 a0=7f9032652e40 a1=2 a2=180 a3=7ffe2af3d6d0 items=0 ppid=20342 pid=20407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501646870.253:1459547): avc:  denied  { write } for  pid=20407 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:07:50 2017
type=SYSCALL msg=audit(1501646870.254:1459548): arch=c000003e syscall=87 success=no exit=-13 a0=7f9032652e40 a1=7f902d778790 a2=7f9032652e40 a3=7ffe2af3d850 items=0 ppid=20342 pid=20407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501646870.254:1459548): avc:  denied  { unlink } for  pid=20407 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:08:55 2017
type=SYSCALL msg=audit(1501646935.861:1459550): arch=c000003e syscall=87 success=no exit=-13 a0=7f9032652e40 a1=7f902d778790 a2=7f9032652e40 a3=7ffe2af3d850 items=0 ppid=20342 pid=20414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501646935.861:1459550): avc:  denied  { unlink } for  pid=20414 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:08:55 2017
type=SYSCALL msg=audit(1501646935.861:1459549): arch=c000003e syscall=2 success=no exit=-13 a0=7f9032652e40 a1=2 a2=180 a3=7ffe2af3d6d0 items=0 ppid=20342 pid=20414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501646935.861:1459549): avc:  denied  { write } for  pid=20414 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:15:21 2017
type=SYSCALL msg=audit(1501647321.846:1459576): arch=c000003e syscall=2 success=no exit=-13 a0=7f9032652e40 a1=2 a2=180 a3=7ffe2af3d6d0 items=0 ppid=20342 pid=20629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501647321.846:1459576): avc:  denied  { write } for  pid=20629 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:15:21 2017
type=SYSCALL msg=audit(1501647321.846:1459577): arch=c000003e syscall=87 success=no exit=-13 a0=7f9032652e40 a1=7f902d778790 a2=7f9032652e40 a3=7ffe2af3d850 items=0 ppid=20342 pid=20629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501647321.846:1459577): avc:  denied  { unlink } for  pid=20629 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:15:25 2017
type=SYSCALL msg=audit(1501647325.194:1459579): arch=c000003e syscall=87 success=no exit=-13 a0=7f9032652e40 a1=7f902d778790 a2=7f9032652e40 a3=7ffe2af3d850 items=0 ppid=20342 pid=20630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501647325.194:1459579): avc:  denied  { unlink } for  pid=20630 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:15:25 2017
type=SYSCALL msg=audit(1501647325.194:1459578): arch=c000003e syscall=2 success=no exit=-13 a0=7f9032652e40 a1=2 a2=180 a3=7ffe2af3d6d0 items=0 ppid=20342 pid=20630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501647325.194:1459578): avc:  denied  { write } for  pid=20630 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:35:13 2017
type=SYSCALL msg=audit(1501648513.022:1459677): arch=c000003e syscall=87 success=no exit=-13 a0=7f425304ced0 a1=7f424e95d790 a2=7f425304ced0 a3=7fffc8308b40 items=0 ppid=20713 pid=21198 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648513.022:1459677): avc:  denied  { unlink } for  pid=21198 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:35:13 2017
type=SYSCALL msg=audit(1501648513.022:1459676): arch=c000003e syscall=2 success=no exit=-13 a0=7f425304a460 a1=2 a2=180 a3=7fffc83089c0 items=0 ppid=20713 pid=21198 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648513.022:1459676): avc:  denied  { write } for  pid=21198 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:41:19 2017
type=SYSCALL msg=audit(1501648879.578:1459725): arch=c000003e syscall=2 success=no exit=-13 a0=7f6de225d050 a1=2 a2=180 a3=7fff86741f30 items=0 ppid=21406 pid=21446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648879.578:1459725): avc:  denied  { write } for  pid=21446 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:41:19 2017
type=SYSCALL msg=audit(1501648879.578:1459726): arch=c000003e syscall=87 success=no exit=-13 a0=7f6de225cf40 a1=7f6ddd777790 a2=7f6de225cf40 a3=7fff867420b0 items=0 ppid=21406 pid=21446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648879.578:1459726): avc:  denied  { unlink } for  pid=21446 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459748): arch=c000003e syscall=2 success=no exit=-13 a0=7f6de225d050 a1=2 a2=180 a3=7fff86741f30 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459748): avc:  denied  { write } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459749): arch=c000003e syscall=87 success=no exit=-13 a0=7f6de225cf40 a1=7f6ddd777790 a2=7f6de225cf40 a3=7fff867420b0 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459749): avc:  denied  { unlink } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
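
The AVC records above all collapse to one source type, one target type and one object class with just two denied permissions, which is why the `samba_export_all_rw` boolean that audit2allow proposes is such a blunt instrument here. The following is an added triage example written for this page (Python; it is not code from the bug report, from Samba or from the selinux-policy project): it parses AVC lines of the shape quoted in this report, groups the denied permissions by (source type, target type, class), and renders the narrowest `allow` rule that would cover them, the same shape `audit2allow` would print. The sample input is constructed from two of the reporter's lines plus one abbreviated non-AVC record; the regex and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records taken from the "Actual results" section of
# this report, plus one abbreviated SYSCALL record to show that non-AVC lines
# are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1501648963.279:1459748): avc:  denied  { write } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1501648963.279:1459749): avc:  denied  { unlink } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=SYSCALL msg=audit(1501648963.279:1459749): arch=c000003e syscall=87 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
"""

# Matches the "avc:  denied  { perm ... } for  key=value ..." part of an AVC record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm="smbd") or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # The type component is the third field of user:role:type:level.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def summarize_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            groups[key].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}


def minimal_allow_rules(summary):
    """Render the narrowest TE allow rules that cover the observed denials."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == '__main__':
    for rule in minimal_allow_rules(summarize_denials(SAMPLE_AUDIT)):
        print(rule)
```

The single rendered rule, `allow smbd_t krb5_host_rcache_t:file { unlink write };`, is what a local policy module built with `audit2allow -M` and loaded with `semodule -i` would carry as a stopgap until the errata policy is installed. It is scoped to one file type, which is a narrower change than enabling the boolean or putting smbd_t into permissive mode.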

Comment 2 Milos Malik 2017-08-04 09:18:34 UTC
Could you find out where the host_0 file is located?

Comment 3 Erinn Looney-Triggs 2017-08-04 13:12:08 UTC
/var/tmp/host_0

Thanks.

Comment 4 Vinícius Ferrão 2017-08-04 19:02:04 UTC
+1

I'm affected for this bug too. I've opened a ticket a long time ago but it was done in the "wrong" place: https://bugzilla.redhat.com/show_bug.cgi?id=1477900

Erinn pointed the right place to report issues. As a workaround I've been running the server with SELinux in permissive mode.

Comment 6 Simon Sekidde 2017-08-10 14:11:36 UTC
(In reply to Vinícius Ferrão from comment #4)
> +1
> 
> I'm affected for this bug too. I've opened a ticket a long time ago but it
> was done in the "wrong" place:
> https://bugzilla.redhat.com/show_bug.cgi?id=1477900
> 
> Erinn pointed the right place to report issues. As a workaround I've been
> running the server with SELinux in permissive mode.

Vinicius, 

Simply put the samba domain in permissive as opposed to the entire system 

 semanage  permissive  -a  smbd_t

Comment 7 Teer Sandal 2018-03-20 19:54:16 UTC
I've installed selinux-policy-3.13.1-166.el7_4.9 but it didn't help.
In my case both Samba and SSHD lead to creation of /var/tmp/host_0.
Both Samba and SSHD use Kerberos (GSSAPI) authentication against Active Directory.
So, for example:
after bootstrap /var/tmp/host_0 doesn't exist,
SSHD makes an attempt to GSSAPI-auth and creates /var/tmp/host_0 with SELinux context 'krb5_host_rcache_t',
then Samba makes an attempt to authenticate and fails because domain 'smbd_t' has no rights to access file '/var/tmp/host_0' of context 'krb5_host_rcache_t'.

I found the following workaround - create a DropIn file '/etc/systemd/system/sshd.service.d/private_tmp.conf' with contents:
[Service]
PrivateTmp=true

after that SSHD began to create file host_0 in its own directory rather than common /var/tmp.

Comment 8 David Gilbert 2018-06-12 02:21:48 UTC
I've just experienced this error on a box I'm building that uses sssd for user authentication & samba for file shares.

System has selinux-policy-3.13.1-192.el7_5.3.

Weird thing is, this version of selinux-policy has been installed since Apr 12. Errors have (afaict) started occurring since Jun 5. (!!)

Not sure if this is a race condition between sssd & samba, or a regression error in selinux-policy??

Comment 10 Mike Surcouf 2018-06-26 17:31:40 UTC
I have this exact issue using

selinux-policy.noarch                                                                          3.13.1-192.el7_5.3

using

semanage  permissive  -a  smbd_t

for now

Comment 11 Auke Bergsma 2018-07-05 09:20:14 UTC
I can confirm, with Samba 4.7.1-6.el7:
SELinux 3.13.1-192.0.1.el7_5.3 => Samba works
SELinux 3.13.1-192.0.3.el7_5.3 => Samba fails
SELinux 3.13.1-192.0.3.el7_5.4 => Samba fails

(Temporarily) Downgrading SELinux can also be used as a workaround:
sudo yum downgrade selinux-policy selinux-policy-targeted

Comment 12 Mike Surcouf 2018-07-06 07:49:57 UTC
Confirmed SELinux 3.13.1-192.0.3.el7_5.4 => Samba fails

I see this is in QA.
This bug also says fixed in version selinux-policy-3.13.1-174.el7 so is this a regression?

Do you have an expected version that this will be fixed in?

Thanks

Comment 13 Teddy Boot 2018-07-18 07:11:27 UTC
Got the same problem but with older versions:

samba:
4.6.2-12.el7_4

selinux-policy.noarch:
3.13.1-166.el7_4.9

The workaround as mentioned by Mike works.

Comment 15 Erinn Looney-Triggs 2018-08-27 18:03:53 UTC
Continues to plague in 7.5.

Comment 16 David 2018-09-03 00:08:24 UTC
This has recently caused us an outage on all our RHEL 7.5 fileservers with:

samba:
4.7.1-9.el7_5

selinux-policy.noarch:
3.13.1-192.el7_5

Comment 20 errata-xmlrpc 2018-10-30 10:00:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

