Bug 1855215 - selinux prevents adcli from executing /usr/bin/net command through sssd
Summary: selinux prevents adcli from executing /usr/bin/net command through sssd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.3
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.5
Assignee: Patrik Koncity
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1793727 1842946 1969483
Reported: 2020-07-09 09:12 UTC by Niranjan Mallapadi Raghavender
Modified: 2023-09-15 00:34 UTC (History)
CC List: 11 users

Fixed In Version: selinux-policy-3.14.3-79.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 19:42:28 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:4420 0 None None None 2021-11-09 19:42:56 UTC

Description Niranjan Mallapadi Raghavender 2020-07-09 09:12:16 UTC
Description of problem:
selinux prevents adcli from executing the /usr/bin/net command through the sssd process.

adcli when called through sssd fails to execute /usr/bin/net command. 

<snip>
type=AVC msg=audit(1594283288.118:2290): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594283288.118:2291): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
</snip>



Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.14.3-48.el8.noarch
libselinux-2.9-3.el8.x86_64
selinux-policy-3.14.3-48.el8.noarch
libselinux-utils-2.9-3.el8.x86_64
sssd-2.3.0-4.el8.x86_64

How reproducible:

1. Join to AD using adcli and membership software samba
$ realm join T2ADPY12R83G.COM --client-software=sssd --server-software=active-directory --membership-software=samba -v



2. Modify sssd.conf to specify ad_update_samba_machine_account_password = True
3.  Reset machine password (setpwdLastSet=0)

4. Restart sssd

Actual results:

sssd calls adcli, which adds some data by calling the /usr/bin/net command, and this fails.

From the sssd domain logs:

 * Trying to set Samba secret.
 ! Cannot run [/usr/bin/net]: [13][Permission denied].
 ! Failed to set Samba computer account password.
 * Trying to set domain SID S-1-5-21-3755728407-3718717906-4106828179 for Samba.
 ! Cannot run [/usr/bin/net]: [13][Permission denied].
 ! Failed to set Samba domain SID.
 * Failed to add Samba specific data, smbd or winbindd might not work as expected.


Expected results:
adcli, when called through the sssd process, should be able to execute the /usr/bin/net command.

Additional info:

AVC denial message in audit logs:

type=AVC msg=audit(1594283288.118:2290): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594283288.118:2291): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0


[root@vm-10-0-110-34 sssd]# ls -lZ /usr/sbin/adcli
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 162504 Jun 15 10:33 /usr/sbin/adcli
[root@vm-10-0-110-34 sssd]# ps -efZ | grep sssd
system_u:system_r:sssd_t:s0     root       25901       1  0 04:27 ?        00:00:00 /usr/sbin/sssd -i --logger=files
system_u:system_r:sssd_t:s0     root       25902   25901  0 04:27 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
system_u:system_r:sssd_t:s0     root       25903   25901  0 04:27 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain t2adpy12r83g.com --uid 0 --gid 0 --logger=files
system_u:system_r:sssd_t:s0     root       25904   25901  0 04:27 ?        00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
system_u:system_r:sssd_t:s0     root       25905   25901  0 04:27 ?        00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 26746 26044  0 05:09 pts/0 00:00:00 grep --color=auto sssd
[root@vm-10-0-110-34 sssd]# which net
/usr/bin/net
[root@vm-10-0-110-34 sssd]# ls -lZ /usr/bin/net
-rwxr-xr-x. 1 root root system_u:object_r:samba_net_exec_t:s0 948448 Jul  1 05:24 /usr/bin/net


<sssd.conf>

[sssd]
domains = t2adpy12r83g.com
config_file_version = 2
services = nss, pam

[domain/t2adpy12r83g.com]
ad_domain = t2adpy12r83g.com
krb5_realm = T2ADPY12R83G.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_maximum_machine_account_password_age = 1
ad_machine_account_password_renewal_opts = 300:15
ad_update_samba_machine_account_password = True
debug_level = 9
</sssd.conf>

Comment 1 Lukas Slebodnik 2020-07-09 09:26:36 UTC
> type=AVC msg=audit(1594283288.118:2290): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1594283288.118:2291): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0

sssd does not execute /usr/bin/net directly.
It might be good to have a type transition for adcli the same way as for the sssd selinux manager.

sh# sesearch -T -s sssd_t -c process
type_transition sssd_t abrt_helper_exec_t:process abrt_helper_t;
type_transition sssd_t chkpwd_exec_t:process chkpwd_t;
type_transition sssd_t sssd_selinux_manager_exec_t:process sssd_selinux_manager_t;
type_transition sssd_t updpwd_exec_t:process updpwd_t;

But that would probably require a different fcontext for /usr/bin/adcli

sh# matchpathcon /usr/bin/adcli
/usr/bin/adcli  system_u:object_r:bin_t:s0
sh# matchpathcon /usr/bin/net
/usr/bin/net    system_u:object_r:samba_net_exec_t:s0
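As an added example (not code from the bug report, from sssd, or from the selinux-policy project), the following script turns the AVC records quoted in the description into the kind of check that Comment 1 performs by hand with sesearch: it parses each `avc: denied` record, collapses repeats into one (source type, target type, class, permissions) tuple, and prints the sesearch query that confirms the loaded policy really lacks the rule, together with a minimal CIL allow rule for a local module. The sample audit text is constructed from the report's own two AVCs plus an unrelated SYSCALL record and one invented permissive=1 record; the CIL rule is an assumed remedy (a plain allow rule rather than the domain transition discussed in Comment 1), since the content of the upstream fix is not shown on this page.

```python
"""Added example: parse SELinux AVC denial records and derive the policy check
and the candidate CIL allow rule for each distinct (source, target, class, perms).
Not part of the bug report or of selinux-policy."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the two AVCs from the report, one unrelated
# SYSCALL record, and one made-up AVC logged in permissive mode.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1594283288.118:2290): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594283288.118:2291): avc:  denied  { execute } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1594283288.118:2291): arch=c000003e syscall=59 success=no exit=-13 comm="adcli"
type=AVC msg=audit(1594283300.000:2300): avc:  denied  { read open } for  pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=1
"""

# Field order in a kernel AVC record: perms, comm, scontext, tcontext, tclass, permissive.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)


@dataclass(frozen=True)
class Denial:
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    perms: tuple        # sorted permission names, e.g. ("execute",)
    permissive: bool    # True: only logged, the access actually went through

    @property
    def stype(self) -> str:
        # user:role:type:level -> the third field is the type
        return self.scontext.split(":")[2]

    @property
    def ttype(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc_records(text: str) -> list:
    """Return one Denial per 'avc: denied' record; all other records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group("action") != "denied":
            continue
        denials.append(Denial(
            comm=m.group("comm"),
            scontext=m.group("scontext"),
            tcontext=m.group("tcontext"),
            tclass=m.group("tclass"),
            perms=tuple(sorted(m.group("perms").split())),
            permissive=m.group("permissive") == "1",
        ))
    return denials


def summarise(denials) -> Counter:
    """Collapse repeated records: (stype, ttype, tclass, perms) -> number of records."""
    return Counter((d.stype, d.ttype, d.tclass, d.perms) for d in denials)


def sesearch_query(stype, ttype, tclass, perms) -> str:
    """setools query that prints any allow rule already covering this access."""
    return f"sesearch -A -s {stype} -t {ttype} -c {tclass} -p {','.join(perms)}"


def cil_allow_rule(stype, ttype, tclass, perms) -> str:
    """Minimal CIL allow rule for a local module (assumed remedy, see lead-in)."""
    return f"(allow {stype} {ttype} ({tclass} ({' '.join(perms)})))"


if __name__ == "__main__":
    for (stype, ttype, tclass, perms), n in summarise(parse_avc_records(SAMPLE_AUDIT)).items():
        print(f"{n}x {stype} -> {ttype} {tclass} {{ {' '.join(perms)} }}")
        print("  check:", sesearch_query(stype, ttype, tclass, perms))
        print("  rule: ", cil_allow_rule(stype, ttype, tclass, perms))
```

Run against a real `ausearch -m AVC` dump, the summary shows how many distinct rules a denial burst actually needs, and the sesearch line shows whether the installed policy already has each one (an empty result means the gap is real). The permissive flag matters for triage: a permissive=1 record means the operation succeeded and was merely logged. On RHEL 8 the durable fix for this report is the selinux-policy build named in "Fixed In Version" above; a local CIL module built from the generated rule is only a stopgap and should be kept as narrow as the tuple it was derived from.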

Comment 6 Patrik Koncity 2021-08-04 10:55:18 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/824

Comment 7 Zdenek Pytela 2021-08-23 12:00:28 UTC
Commit to backport:

commit 0feb53acc00aa74ad3946830914f6c27f27c711a (upstream/rawhide, rawhide)
Author: Patrik Koncity <pkoncity>
Date:   Tue Aug 3 14:54:07 2021 +0200

    Allow sssd to set samba setting

and

https://github.com/fedora-selinux/selinux-policy/pull/843

Comment 20 errata-xmlrpc 2021-11-09 19:42:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420

Comment 21 Red Hat Bugzilla 2023-09-15 00:34:04 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

