Description of problem:
named cannot start if it is using Samba's bind_dlz module due to SELinux if set enforcing.

Version-Release number of selected component (if applicable):
samba-4.10.6-0.fc30.x86_64
samba-client-libs-4.10.6-0.fc30.x86_64
samba-common-4.10.6-0.fc30.noarch
samba-common-libs-4.10.6-0.fc30.x86_64
samba-common-tools-4.10.6-0.fc30.x86_64
samba-libs-4.10.6-0.fc30.x86_64
samba-vfs-cephfs-4.10.6-0.fc30.x86_64
bind-9.11.8-1.fc30.x86_64
bind-dnssec-utils-9.11.8-1.fc30.x86_64
bind-export-libs-9.11.8-1.fc30.x86_64
bind-libs-9.11.8-1.fc30.x86_64
bind-libs-lite-9.11.8-1.fc30.x86_64
bind-license-9.11.8-1.fc30.noarch
bind-utils-9.11.8-1.fc30.x86_64
checkpolicy-2.9-1.fc30.x86_64
policycoreutils-2.9-1.fc30.x86_64
policycoreutils-python-utils-2.9-1.fc30.noarch
python2-policycoreutils-2.9-1.fc30.noarch
python3-policycoreutils-2.9-1.fc30.noarch
selinux-policy-3.14.3-43.fc30.noarch
selinux-policy-targeted-3.14.3-43.fc30.noarch

Additional info:
chcon -t named_conf_t /var/lib/samba/private/dns.keytab
chcon -t named_conf_t /var/lib/samba/bind-dns/named.conf.update
chcon -t named_var_run_t /var/lib/samba/bind-dns/dns
chcon -R -t named_var_run_t /var/lib/samba/bind-dns/dns/*
chcon -R -t named_var_run_t /var/lib/samba/bind-dns/dns/sam.ldb.d/*

Fixes the problem. The file contexts below:
/var/lib/samba/private/dns.keytab system_u:object_r:named_conf_t:s0
/var/lib/samba/bind-dns/named.conf.update system_u:object_r:named_conf_t:s0
/var/lib/samba/bind-dns/named.conf system_u:object_r:named_conf_t:s0
/var/lib/samba/bind-dns/dns/sam.ldb.d(/.*)? system_u:object_r:named_var_run_t:s0
/var/lib/samba/bind-dns/dns(/.*)? system_u:object_r:named_var_run_t:s0
only partially do. I imagine this has something to do with precedence, as a restorecon -Rv /var/lib/samba does not relabel all of the files as expected; some end up samba_var_t, I believe it was. As I need Heimdal krb, my samba is self compiled, but that isn't the issue; it is the SELinux policy that is.
This may only be a partial fix, as samba may have a problem if it falls under the policy (targeted). I do know the above file contexts do need to be part of the solution. I do not know if file contexts can be part of a SELinux boolean; if they can, maybe it should be samba_bind_dlz or some such. As a side note, I don't know why, but auditd does NOT catch the named problems. named just won't start if restarted. If running, it just starts complaining about write denials.
I changed to Fedora 30; it didn't stick.
Use correct package. There is no samba4 anymore.
Lukas, can you suggest what we should do here? The files in /var/lib/samba/bind-dns aren't packaged; they get generated when Samba AD is configured. So I guess we want to have those file contexts defined in the system's SELinux policy, right?
Hi Alexander, Yes, we should label them, but could you please reproduce the issue and attach the SELinux denials? Thanks, Lukas.
Trever, could you please share the SELinux denials from audit log?
Moving to selinux-policy
audit[1064]: AVC avc: denied { map } for pid=1064 comm="isc-worker0001" path="/var/lib/samba/bind-dns/dns/sam.ldb" dev="dm-1" ino=1180668 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=1

This is the ONLY message. When enforcing is enabled, it disappears. Instead, you get this:

samba_dlz: ldb: ltdb: tdb(/var/lib/samba/bind-dns/dns/sam.ldb.d/DC=DOMAINDNSZONES,DC=Sxxxxx,DC=xxxxxxxxY,DC=ORG.ldb): tdb_write failed at 1347584 len=32860 (Permission denied)
named[6152]: samba_dlz: Failed to connect to Failed to connect to /var/lib/samba/bind-dns/dns/sam.ldb: Unable to open tdb '/var/lib/samba/bind-dns/dns/sam.ldb': Permission denied: Operations error

I believe all the files in that directory require access by both bind and samba. https://www.linuxquestions.org/questions/fedora-35/selinux-permissions-for-samba-dc-with-bind-backend-on-fedora-29-a-4175653275-print/ is where I got the idea to try the file contexts.
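To triage denials like the one quoted above, here is an added Python example (not from this bug report, Samba, or Fedora's tooling) that parses AVC records into their fields and filters for the named_t source domain and samba_var_t target type this bug is about. The first sample line is the record quoted in the comment; the second is a constructed non-matching record.

```python
import re

# Constructed sample log: line 1 is the AVC quoted in this bug,
# line 2 is a made-up record that must NOT match the filter.
SAMPLE_LOG = """\
audit[1064]: AVC avc: denied { map } for pid=1064 comm="isc-worker0001" path="/var/lib/samba/bind-dns/dns/sam.ldb" dev="dm-1" ino=1180668 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=1
audit[2222]: AVC avc: denied { read } for pid=2222 comm="smbd" path="/var/lib/samba/bind-dns/named.conf" dev="dm-1" ino=42 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file permissive=0
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; quoted values may contain spaces (e.g. path=)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, whole, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if whole.startswith('"') else bare
    return rec


def context_type(ctx):
    """Type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def named_samba_denials(log_text, src="named_t", tgt="samba_var_t"):
    """Keep only denied records where src domain touched tgt-typed objects."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if (context_type(rec["scontext"]) == src
                and context_type(rec["tcontext"]) == tgt):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for r in named_samba_denials(SAMPLE_LOG):
        print(r["comm"], r["perms"], r["tclass"], r["path"],
              "permissive=" + r["permissive"])
```

Feed it `ausearch -m AVC` output to list exactly which samba_var_t files named touched, which is what a dedicated type (as asked about later in this thread) would need to cover.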
commit af5e2c096ff4cb103da835127ccafbe6ad62dda7 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Aug 12 10:45:03 2019 +0200

    Allow named_t domain to read/write samba_var_t files
    BZ(1738794)
I am guessing the last is a git commit to the targeted policy (maybe strict as well). Can we see this in F30? Am I looking in the right place to see this commit? https://github.com/fedora-selinux/selinux-policy
Fix backported also to F30:

commit 3c6336987304cb6494bca63be9bc19e9e56c9d7a (HEAD -> f30, origin/f30)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Aug 12 10:45:03 2019 +0200

    Allow named_t domain to read/write samba_var_t files
    BZ(1738794)

Thanks, Lukas.
I have been thinking about this. Please forgive me if I am wrong here: samba_var_t also includes all the samba domain files, including GPO, Kerberos password database, etc. I know this has no DAC_* stuff, so file permissions would still block this access. However, if this is about MAC-style security, would it be better to create a different type for these files/directories so that named is restricted to just these? I am sure there are issues of type explosion, etc. that have to be considered. I am just thinking that, as sensitive as the other samba_var_t files are, this may be worth thinking about.
FEDORA-2019-be14ea0375 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-be14ea0375
selinux-policy-3.14.3-45.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-be14ea0375
selinux-policy-3.14.3-45.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.