Bug 1477900 - SELinux is preventing samba with kerberos
Status: MODIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
: rc
: ---
Assigned To: Simon Sekidde
QA Contact: Milos Malik
Depends On:
Blocks:
Reported: 2017-08-03 03:37 EDT by Erinn Looney-Triggs
Modified: 2018-03-20 15:54 EDT

See Also:
Fixed In Version: selinux-policy-3.13.1-174.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Erinn Looney-Triggs 2017-08-03 03:37:16 EDT
Description of problem:
When using samba on a system that is joined to an AD using realmd, samba attempts to access 'something' with a context of krb5_host_rcache_t. This is denied by default; audit2allow suggests enabling the 'samba_export_all_rw' boolean, however this is probably way too broad of an allow, and samba should function using kerberos without the above boolean being enabled.


Version-Release number of selected component (if applicable):
samba-4.6.2-8.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch

How reproducible:
Join the system to AD with realmd.
Configure samba to use ADS security and the system keytab.
Watch the audit logs fly.
Enable the boolean.
Watch it work.
Disable the boolean and it stops working again.


Actual results:
time->Tue Aug  1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459748): arch=c000003e syscall=2 success=no exit=-13 a0=7f6de225d050 a1=2 a2=180 a3=7fff86741f30 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459748): avc:  denied  { write } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459749): arch=c000003e syscall=87 success=no exit=-13 a0=7f6de225cf40 a1=7f6ddd777790 a2=7f6de225cf40 a3=7fff867420b0 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459749): avc:  denied  { unlink } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
[looneytr@nowhere ~]$ rpm -q samba


Expected results:
Kerberos with samba should just work without enabling the aforementioned boolean.

Additional info:
Full logs of the error, though there are plenty of dupes in here:
time->Tue Aug  1 22:07:50 2017
type=SYSCALL msg=audit(1501646870.253:1459547): arch=c000003e syscall=2 success=no exit=-13 a0=7f9032652e40 a1=2 a2=180 a3=7ffe2af3d6d0 items=0 ppid=20342 pid=20407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501646870.253:1459547): avc:  denied  { write } for  pid=20407 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:07:50 2017
type=SYSCALL msg=audit(1501646870.254:1459548): arch=c000003e syscall=87 success=no exit=-13 a0=7f9032652e40 a1=7f902d778790 a2=7f9032652e40 a3=7ffe2af3d850 items=0 ppid=20342 pid=20407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501646870.254:1459548): avc:  denied  { unlink } for  pid=20407 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:08:55 2017
type=SYSCALL msg=audit(1501646935.861:1459550): arch=c000003e syscall=87 success=no exit=-13 a0=7f9032652e40 a1=7f902d778790 a2=7f9032652e40 a3=7ffe2af3d850 items=0 ppid=20342 pid=20414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501646935.861:1459550): avc:  denied  { unlink } for  pid=20414 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:08:55 2017
type=SYSCALL msg=audit(1501646935.861:1459549): arch=c000003e syscall=2 success=no exit=-13 a0=7f9032652e40 a1=2 a2=180 a3=7ffe2af3d6d0 items=0 ppid=20342 pid=20414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501646935.861:1459549): avc:  denied  { write } for  pid=20414 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:15:21 2017
type=SYSCALL msg=audit(1501647321.846:1459576): arch=c000003e syscall=2 success=no exit=-13 a0=7f9032652e40 a1=2 a2=180 a3=7ffe2af3d6d0 items=0 ppid=20342 pid=20629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501647321.846:1459576): avc:  denied  { write } for  pid=20629 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:15:21 2017
type=SYSCALL msg=audit(1501647321.846:1459577): arch=c000003e syscall=87 success=no exit=-13 a0=7f9032652e40 a1=7f902d778790 a2=7f9032652e40 a3=7ffe2af3d850 items=0 ppid=20342 pid=20629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501647321.846:1459577): avc:  denied  { unlink } for  pid=20629 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:15:25 2017
type=SYSCALL msg=audit(1501647325.194:1459579): arch=c000003e syscall=87 success=no exit=-13 a0=7f9032652e40 a1=7f902d778790 a2=7f9032652e40 a3=7ffe2af3d850 items=0 ppid=20342 pid=20630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501647325.194:1459579): avc:  denied  { unlink } for  pid=20630 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:15:25 2017
type=SYSCALL msg=audit(1501647325.194:1459578): arch=c000003e syscall=2 success=no exit=-13 a0=7f9032652e40 a1=2 a2=180 a3=7ffe2af3d6d0 items=0 ppid=20342 pid=20630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501647325.194:1459578): avc:  denied  { write } for  pid=20630 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:35:13 2017
type=SYSCALL msg=audit(1501648513.022:1459677): arch=c000003e syscall=87 success=no exit=-13 a0=7f425304ced0 a1=7f424e95d790 a2=7f425304ced0 a3=7fffc8308b40 items=0 ppid=20713 pid=21198 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648513.022:1459677): avc:  denied  { unlink } for  pid=21198 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:35:13 2017
type=SYSCALL msg=audit(1501648513.022:1459676): arch=c000003e syscall=2 success=no exit=-13 a0=7f425304a460 a1=2 a2=180 a3=7fffc83089c0 items=0 ppid=20713 pid=21198 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648513.022:1459676): avc:  denied  { write } for  pid=21198 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:41:19 2017
type=SYSCALL msg=audit(1501648879.578:1459725): arch=c000003e syscall=2 success=no exit=-13 a0=7f6de225d050 a1=2 a2=180 a3=7fff86741f30 items=0 ppid=21406 pid=21446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648879.578:1459725): avc:  denied  { write } for  pid=21446 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:41:19 2017
type=SYSCALL msg=audit(1501648879.578:1459726): arch=c000003e syscall=87 success=no exit=-13 a0=7f6de225cf40 a1=7f6ddd777790 a2=7f6de225cf40 a3=7fff867420b0 items=0 ppid=21406 pid=21446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648879.578:1459726): avc:  denied  { unlink } for  pid=21446 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459748): arch=c000003e syscall=2 success=no exit=-13 a0=7f6de225d050 a1=2 a2=180 a3=7fff86741f30 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459748): avc:  denied  { write } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
----
time->Tue Aug  1 22:42:43 2017
type=SYSCALL msg=audit(1501648963.279:1459749): arch=c000003e syscall=87 success=no exit=-13 a0=7f6de225cf40 a1=7f6ddd777790 a2=7f6de225cf40 a3=7fff867420b0 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459749): avc:  denied  { unlink } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
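As an added example (not code from this bug report and not part of selinux-policy or samba), the following Python script does offline what audit2allow is asked to do above: it parses AVC records of the shape posted in this report, merges the denied permissions per (source type, target type, class), and drafts a type-enforcement module that grants exactly that and nothing more. That is the narrow alternative to the samba_export_all_rw boolean the reporter rightly calls too broad. The two AVC lines and the SYSCALL line embedded as sample input are copied from the records above; the module name local_smbd_krb5_rcache is an arbitrary choice of mine. Treat such a module as a stopgap for hosts that cannot take the fixed policy (selinux-policy-3.13.1-174.el7 per the header): it still lets smbd_t write and unlink every file labelled krb5_host_rcache_t, and it is not the rule the fixed policy ships.

```python
"""Summarise SELinux AVC denials and draft a narrowly scoped local policy module.

Added example for this bug report; not code from selinux-policy, samba or the
reporter. The sample records are copied from the report so the output can be
compared with what audit2allow proposed (a boolean) versus a targeted allow rule.
"""
import re
from collections import defaultdict

# Sample input copied from the report (one SYSCALL record, two AVC records).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1501648963.279:1459748): arch=c000003e syscall=2 success=no exit=-13 a0=7f6de225d050 a1=2 a2=180 a3=7fff86741f30 items=0 ppid=21406 pid=21495 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1501648963.279:1459748): avc:  denied  { write } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1501648963.279:1459749): avc:  denied  { unlink } for  pid=21495 comm="smbd" name="host_0" dev="dm-2" ino=69 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
"""

# Only AVC records carry the access-vector fields; SYSCALL records are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:mls] security context."""
    return context.split(":")[2]


def summarise_denials(log_text: str) -> dict:
    """Map (source type, target type, object class) to the sorted list of denied permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("decision") != "denied":
            continue
        key = (selinux_type(m.group("scontext")),
               selinux_type(m.group("tcontext")),
               m.group("tclass"))
        denied[key].update(m.group("perms").split())
    return {key: sorted(perms) for key, perms in denied.items()}


def draft_te_module(name: str, denials: dict) -> str:
    """Render a type-enforcement (.te) module granting exactly the summarised denials.

    The require block declares every type and class the allow rules reference,
    which is what checkmodule needs to compile the module against the base policy.
    """
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(perms))} }};" for cls, perms in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints a module containing a single rule:
    #   allow smbd_t krb5_host_rcache_t:file { unlink write };
    print(draft_te_module("local_smbd_krb5_rcache", summarise_denials(SAMPLE_AUDIT_LOG)))
```

Before loading anything, confirm the installed policy really lacks the rule (sesearch -A -s smbd_t -t krb5_host_rcache_t -c file, from setools) so the module is not added on a host that already has the fixed selinux-policy. The printed .te is compiled and installed with checkmodule -M -m, semodule_package and semodule -i; the resulting grant is one source type, one target type and two permissions, versus a boolean that widens smbd_t's reach across unrelated file types.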
Comment 2 Milos Malik 2017-08-04 05:18:34 EDT
Could you find out where the host_0 file is located?
Comment 3 Erinn Looney-Triggs 2017-08-04 09:12:08 EDT
/var/tmp/host_0

Thanks.
Comment 4 Vinícius Ferrão 2017-08-04 15:02:04 EDT
+1

I'm affected by this bug too. I've opened a ticket a long time ago but it was done in the "wrong" place: https://bugzilla.redhat.com/show_bug.cgi?id=1477900

Erinn pointed to the right place to report issues. As a workaround I've been running the server with SELinux in permissive mode.
Comment 6 Simon Sekidde 2017-08-10 10:11:36 EDT
(In reply to Vinícius Ferrão from comment #4)
> +1
> 
> I'm affected by this bug too. I've opened a ticket a long time ago but it
> was done in the "wrong" place:
> https://bugzilla.redhat.com/show_bug.cgi?id=1477900
> 
> Erinn pointed to the right place to report issues. As a workaround I've been
> running the server with SELinux in permissive mode.

Vinicius,

Simply put the samba domain in permissive mode, as opposed to the entire system:

 semanage permissive -a smbd_t
Comment 7 Teer Sandal 2018-03-20 15:54:16 EDT
I've installed selinux-policy-3.13.1-166.el7_4.9 but it didn't help.
In my case both Samba and SSHD lead to the creation of /var/tmp/host_0.
Both Samba and SSHD use Kerberos (GSSAPI) authentication against Active Directory.
So, for example:
after bootstrap /var/tmp/host_0 doesn't exist,
SSHD makes an attempt to GSSAPI-auth and creates /var/tmp/host_0 with the SELinux context 'krb5_host_rcache_t',
then Samba makes an attempt to authenticate and fails because the domain 'smbd_t' has no rights to access the file '/var/tmp/host_0' of context 'krb5_host_rcache_t'.

I found the following workaround: create a drop-in file '/etc/systemd/system/sshd.service.d/private_tmp.conf' with the contents:
[Service]
PrivateTmp=true

After that, SSHD began to create the file host_0 in its own private directory rather than in the common /var/tmp.
