Bug 1576913 - SELinux is preventing lpqd from 'sendto' accesses on the unix_dgram_socket /var/lib/samba/private/msg.sock/1966.
Summary: SELinux is preventing lpqd from 'sendto' accesses on the unix_dgram_socket /v...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:cd967aa6312f9ab5985b5ede180...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-10 17:03 UTC by Douglas Marques
Modified: 2018-07-25 11:16 UTC (History)
10 users (show)

Fixed In Version: selinux-policy-3.14.1-29.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-26 20:44:51 UTC
Type: ---


Attachments (Terms of Use)

Description Douglas Marques 2018-05-10 17:03:08 UTC
Description of problem:
SELinux is preventing lpqd from 'sendto' accesses on the unix_dgram_socket /var/lib/samba/private/msg.sock/1966.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lpqd should be allowed sendto access on the 1966 unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lpqd' --raw | audit2allow -M my-lpqd
# semodule -X 300 -i my-lpqd.pp

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:system_r:winbind_t:s0
Target Objects                /var/lib/samba/private/msg.sock/1966 [
                              unix_dgram_socket ]
Source                        lpqd
Source Path                   lpqd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-24.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.6-302.fc28.x86_64 #1 SMP Wed
                              May 2 00:07:06 UTC 2018 x86_64 x86_64
Alert Count                   48
First Seen                    2018-05-10 13:20:13 -03
Last Seen                     2018-05-10 13:58:50 -03
Local ID                      e7d1c78f-ff24-42b7-936c-93273b6f667b

Raw Audit Messages
type=AVC msg=audit(1525971530.46:314): avc:  denied  { sendto } for  pid=1984 comm="lpqd" path="/var/lib/samba/private/msg.sock/1966" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_dgram_socket permissive=0


Hash: lpqd,smbd_t,winbind_t,unix_dgram_socket,sendto

Version-Release number of selected component:
selinux-policy-3.14.1-24.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.6-302.fc28.x86_64
type:           libreport

Comment 1 dan 2018-05-19 12:06:36 UTC
Confirm here as well:

SELinux is preventing lpqd from 'sendto' accesses on the unix_dgram_socket /var/lib/samba/private/msg.sock/9515.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lpqd should be allowed sendto access on the 9515 unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lpqd' --raw | audit2allow -M my-lpqd
# semodule -X 300 -i my-lpqd.pp

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:system_r:nmbd_t:s0
Target Objects                /var/lib/samba/private/msg.sock/9515 [
                              unix_dgram_socket ]
Source                        lpqd
Source Path                   lpqd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-24.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.8-300.fc28.x86_64 #1 SMP Wed
                              May 9 20:23:40 UTC 2018 x86_64 x86_64
Alert Count                   856
First Seen                    2018-05-17 12:00:11 EDT
Last Seen                     2018-05-19 08:04:45 EDT
Local ID                      2227904f-200b-440f-af62-07029de139f9

Raw Audit Messages
type=AVC msg=audit(1526731485.445:10459): avc:  denied  { sendto } for  pid=9498 comm="lpqd" path="/var/lib/samba/private/msg.sock/9515" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=unix_dgram_socket permissive=0


Hash: lpqd,smbd_t,nmbd_t,unix_dgram_socket,sendto

Comment 2 Fedora Update System 2018-05-24 14:36:47 UTC
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 3 Fedora Update System 2018-05-25 18:43:02 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 4 Fedora Update System 2018-05-26 20:44:51 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Oleg Girko 2018-06-15 16:37:28 UTC
Description of problem:
This might be related to bugs #1563791 and #1576913, but note different tcontext: system_u:system_r:winbind_t:s0 instead of system_u:system_r:nmbd_t:s0.
selinux-policy package is 3.14.1-32.fc28.

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.14-300.fc28.x86_64
type:           libreport

Comment 6 Oleg Girko 2018-06-15 16:41:37 UTC
Please reopen this bug. It's not fixed in selinux-policy-3.14.1-32.fc28.noarch.
Different bug with tcontext=system_u:system_r:nmbd_t:s0 was fixed.

Comment 7 morgan read 2018-06-18 19:16:01 UTC
Description of problem:
Trying to start samba (perhaps)

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.15-300.fc28.x86_64
type:           libreport

Comment 8 morgan read 2018-06-18 19:20:18 UTC
Comments 5 & 7 would seem to suggest that selinux-policy-3.14.1-29.fc28 does not fix this bug

Please reopen

Comment 9 morgan read 2018-06-18 19:30:55 UTC
May be of interest -

...
If you believe that lpqd should be allowed sendto access on the 9895 unix_dgram_socket by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'lpqd' --raw | audit2allow -M my-lpqd
# semodule -X 300 -i my-lpqd.pp


# ausearch -c 'lpqd' --raw | audit2allow -M my-lpqd
could not write output file: [Errno 5] Input/output error: 'my-lpqd.te'

Comment 10 Oleg Girko 2018-06-18 19:37:49 UTC
(In reply to morgan read from comment #9)
> # ausearch -c 'lpqd' --raw | audit2allow -M my-lpqd
> could not write output file: [Errno 5] Input/output error: 'my-lpqd.te'

The generated te file is quite trivial:

module lpqd-winbind 1.0;

require {
        type winbind_t;
        type smbd_t;
        class unix_dgram_socket sendto;
}

#============= smbd_t ==============
allow smbd_t winbind_t:unix_dgram_socket sendto;

Of course, everybody can generate a policy module to allow smbd_t to perform sendto to winbind_t:unix_dgram_socket and then load it. but we are interesting in a solution for everybody using Fedora.
Hence, this rule should be included in selinux-policy-targeted.

Comment 11 morgan read 2018-06-18 19:40:21 UTC
Description of problem:
Sorry, same as last time I guess...

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.15-300.fc28.x86_64
type:           libreport

Comment 12 morgan read 2018-06-18 21:08:51 UTC
Description of problem:
I think this might be connected to winbind - trying to get samba working, I started winbind, stopped it, and started it again over the course of a few hours - these bugs seemed to conincide with when it's running...  Just a wild guess

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.15-300.fc28.x86_64
type:           libreport

Comment 13 morgan read 2018-06-18 21:20:13 UTC
Description of problem:
Ditto last time, I'll turn winbind off and see if you hear from me again...

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.15-300.fc28.x86_64
type:           libreport

Comment 14 Al Dunsmuir 2018-07-25 11:16:03 UTC
Description of problem:
Fresh update from F27 to F28.

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.6-200.fc28.x86_64
type:           libreport


Note You need to log in before you can comment on or make changes to this bug.