Bug 1889533 - allow winbind_t ephemeral_port_t:tcp_socket name_connect;
Summary: allow winbind_t ephemeral_port_t:tcp_socket name_connect;
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.9
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
Reported: 2020-10-19 22:23 UTC by Alois Mahdal
Modified: 2020-11-14 05:39 UTC (History)
Last Closed: 2020-10-20 10:45:07 UTC

Description Alois Mahdal 2020-10-19 22:23:14 UTC
Description of problem
======================

When setting up for upgrade test using /CoreOS/samba/Preupgrade, we see this:


    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      31
    selinux-policy-3.13.1-268.el7_9.1.noarch
    ----
    time->Mon Oct 19 20:29:31 2020
    type=PROCTITLE msg=audit(1603132171.257:62): proctitle=2F7573722F7362696E2F77696E62696E6464002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
    type=SYSCALL msg=audit(1603132171.257:62): arch=c0000015 syscall=102 success=no exit=-13 a0=3 a1=3ffff4dab160 a2=10 a3=0 items=0 ppid=4966 pid=4968 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
    type=AVC msg=audit(1603132171.257:62): avc:  denied  { name_connect } for  pid=4968 comm="winbindd" dest=49674 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
    ----
    time->Mon Oct 19 20:29:31 2020
    type=PROCTITLE msg=audit(1603132171.417:63): proctitle=2F7573722F7362696E2F77696E62696E6464002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
    type=SYSCALL msg=audit(1603132171.417:63): arch=c0000015 syscall=102 success=no exit=-13 a0=3 a1=3ffff4dab160 a2=10 a3=0 items=0 ppid=4966 pid=4968 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
    type=AVC msg=audit(1603132171.417:63): avc:  denied  { name_connect } for  pid=4968 comm="winbindd" dest=49674 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
    ----
    time->Mon Oct 19 20:29:32 2020
    type=PROCTITLE msg=audit(1603132172.187:64): proctitle=2F7573722F7362696E2F77696E62696E6464002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
    type=SYSCALL msg=audit(1603132172.187:64): arch=c0000015 syscall=102 success=no exit=-13 a0=3 a1=3ffff4dab210 a2=10 a3=0 items=0 ppid=4966 pid=5008 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
    type=AVC msg=audit(1603132172.187:64): avc:  denied  { name_connect } for  pid=5008 comm="winbindd" dest=49674 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
    ----
    time->Mon Oct 19 20:29:32 2020
    type=PROCTITLE msg=audit(1603132172.397:65): proctitle=2F7573722F7362696E2F77696E62696E6464002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
    type=SYSCALL msg=audit(1603132172.397:65): arch=c0000015 syscall=102 success=no exit=-13 a0=3 a1=3ffff4dab210 a2=10 a3=0 items=0 ppid=4966 pid=5008 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
    type=AVC msg=audit(1603132172.397:65): avc:  denied  { name_connect } for  pid=5008 comm="winbindd" dest=49674 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0


audit2allow says:

    allow winbind_t ephemeral_port_t:tcp_socket name_connect;


Version-Release number of selected component
============================================

selinux-policy-3.13.1-268.el7_9.1.noarch


How reproducible
================

Seen it a couple of times in the last run.


Steps to Reproduce
==================

See http://pkgs.devel.redhat.com/cgit/tests/samba/tree/Preupgrade/runtest.sh

(distribution_upgrade__at_src returns true)


Actual results
==============

AVC


Expected results
================

No AVC


Additional info
===============
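
The following is an added example, not part of the bug report and not audit2allow's own code: a simplified Python sketch of how the AVC records quoted above collapse into the single allow rule, and how the hex-encoded `proctitle` field decodes to the daemon's command line. The sample input is constructed by trimming records from the log in the description; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: records trimmed from the audit log quoted in the report.
SAMPLE = '''\
type=PROCTITLE msg=audit(1603132171.257:62): proctitle=2F7573722F7362696E2F77696E62696E6464002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
type=AVC msg=audit(1603132171.257:62): avc:  denied  { name_connect } for  pid=4968 comm="winbindd" dest=49674 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1603132172.187:64): avc:  denied  { name_connect } for  pid=5008 comm="winbindd" dest=49674 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third) of a user:role:type:level context."""
    return context.split(":")[2]

def decode_proctitle(hex_value):
    """Audit hex-encodes argv with NUL separators; return the argument list."""
    return bytes.fromhex(hex_value).decode("utf-8", "replace").split("\x00")

def denials_to_rules(log_text):
    """Collapse AVC denials into unique allow rules with an occurrence count."""
    seen = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PROCTITLE, SYSCALL and separator lines carry no rule
        perms = " ".join(sorted(m["perms"].split()))
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"], perms)
        seen[key] += 1
    rules = {}
    for (src, tgt, tclass, perms), count in seen.items():
        # Multiple permissions are written as a braced set in policy syntax.
        perm_text = perms if " " not in perms else "{ " + perms + " }"
        rules[f"allow {src} {tgt}:{tclass} {perm_text};"] = count
    return rules

if __name__ == "__main__":
    for rule, count in denials_to_rules(SAMPLE).items():
        print(f"{rule}  # {count} denial(s)")
    print(decode_proctitle(SAMPLE.split("proctitle=")[1].split()[0]))
```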

Comment 2 Alois Mahdal 2020-10-19 22:30:36 UTC
Also tracked here: https://issues.redhat.com/browse/OAMG-4053

Comment 3 Lukas Vrabec 2020-10-20 10:45:07 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. Current minor release will be in Maintenance Support 2 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 2 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

