+1
I'm affected by this bug too. I opened a ticket a long time ago, but it was filed in the "wrong" place: https://bugzilla.redhat.com/show_bug.cgi?id=1477900
Erinn pointed to the right place to report issues. As a workaround I've been running the server with SELinux in permissive mode.
(In reply to Vinícius Ferrão from comment #4)
> +1
>
> I'm affected for this bug too. I've opened a ticket a long time ago but it
> was done in the "wrong" place:
> https://bugzilla.redhat.com/show_bug.cgi?id=1477900
>
> Erinn pointed to the right place to report issues. As a workaround I've been
> running the server with SELinux in permissive mode.
Vinicius,
Simply put the samba domain in permissive mode, as opposed to the entire system:
semanage permissive -a smbd_t
I've installed selinux-policy-3.13.1-166.el7_4.9, but it didn't help.
In my case both Samba and SSHD lead to the creation of /var/tmp/host_0.
Both Samba and SSHD use Kerberos (GSSAPI) authentication against Active Directory.
So, for example:
after bootstrap /var/tmp/host_0 doesn't exist,
SSHD makes a GSSAPI authentication attempt and creates /var/tmp/host_0 with the SELinux context 'krb5_host_rcache_t',
then Samba makes an authentication attempt and fails because the domain 'smbd_t' has no rights to access the file '/var/tmp/host_0' with context 'krb5_host_rcache_t'.
I found the following workaround: create a drop-in file '/etc/systemd/system/sshd.service.d/private_tmp.conf' with the contents:
[Service]
PrivateTmp=true
After that, SSHD began to create the file host_0 in its own directory rather than in the common /var/tmp.
I've just experienced this error on a box I'm building that uses sssd for user authentication and samba for file shares.
The system has selinux-policy-3.13.1-192.el7_5.3.
The weird thing is, this version of selinux-policy has been installed since Apr 12. Errors have (afaict) only started occurring since Jun 5. (!!)
Not sure if this is a race condition between sssd and samba, or a regression error in selinux-policy?
I can confirm, with Samba 4.7.1-6.el7:
SELinux 3.13.1-192.0.1.el7_5.3 => Samba works
SELinux 3.13.1-192.0.3.el7_5.3 => Samba fails
SELinux 3.13.1-192.0.3.el7_5.4 => Samba fails
(Temporarily) Downgrading SELinux can also be used as a workaround:
sudo yum downgrade selinux-policy selinux-policy-targeted
Confirmed SELinux 3.13.1-192.0.3.el7_5.4 => Samba fails
I see this in QA.
This bug also says fixed in version selinux-policy-3.13.1-174.el7, so is this a regression?
Do you have an expected version that this will be fixed in?
Thanks
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:3111
Description of problem:
When using samba with a system that is joined to an AD using realmd, samba attempts to access 'something' with a context of krb5_host_rcache_t. This is denied by default; audit2allow suggests enabling the 'samba_export_all_rw' boolean, however this is probably way too broad of an allow, and samba should function using kerberos without the above boolean being enabled.

Version-Release number of selected component (if applicable):
samba-4.6.2-8.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch

How reproducible:
Join system to AD with realmd
Configure samba to use ADS security and the system keytab
Watch the audit logs fly.
Enable the boolean
Watch it work
Disable boolean back to no work.

Actual results:
time->Tue Aug 1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459748): arch=c000003e syscall=2 success=no exit=-13 a0=7f6de225d050 a1=2 a2=180 a3=7fff86741f30 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459748): avc: denied { write } for pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug 1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459749): arch=c000003e syscall=87 success=no exit=-13 a0=7f6de225cf40 a1=7f6ddd777790 a2=7f6de225cf40 a3=7fff867420b0 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459749): avc: denied { unlink } for pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file

[looneytr@nowhere ~]$ rpm -q samba

Expected results:
Kerberos with samba should just work without enabling the aforementioned boolean.

Additional info:
Full logs of the error, though there are plenty of dupes in here:
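As an added example (not from the bug report, Samba or Red Hat), a small Python parser that picks the smbd_t to krb5_host_rcache_t denials out of audit output like the records above, so a defender can confirm that the failure is this shared-replay-cache problem rather than a share-permission problem before reaching for the broad samba_export_all_rw boolean. The sample records are copied from the "Actual results" of this report; ausearch normally prints each record on its own line, and the parser also copes with an AVC record that follows a SYSCALL record on the same line, as in the pasted text.

```python
import re

# Two AVC records copied from the "Actual results" of this report, plus the
# SYSCALL record that precedes the first one (ausearch prints one record per line).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1501648963.279:1459748): arch=c000003e syscall=2 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459748): avc: denied { write } for pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1501648963.279:1459749): avc: denied { unlink } for pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
"""

# The AVC record may be the whole line or, as in the pasted report, follow a
# SYSCALL record on the same line, so search for it instead of anchoring at ^.
AVC_RE = re.compile(r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = frozenset(m.group('perms').split())
    # The SELinux type is the third field of user:role:type:level.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def find_rcache_denials(audit_text, source_type='smbd_t'):
    """Keep denials where the given domain touches a krb5_host_rcache_t file,
    i.e. a Kerberos replay-cache file created under another service's context."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec['stype'] == source_type
                and rec['ttype'] == 'krb5_host_rcache_t'
                and rec.get('tclass') == 'file'):
            hits.append(rec)
    return hits

def summarize(hits):
    """Map each denied file name (e.g. host_0) to the union of denied permissions."""
    summary = {}
    for rec in hits:
        summary.setdefault(rec['name'], set()).update(rec['perms'])
    return summary

if __name__ == '__main__':
    for name, perms in summarize(find_rcache_denials(SAMPLE_AUDIT)).items():
        print(f"{name}: smbd_t denied {sorted(perms)} on a krb5_host_rcache_t file")
```

Feed it `ausearch -m AVC -c smbd` output on a live box; an empty result with Samba still failing means the cause is something other than the replay-cache file.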