Bug 2027740 - smbcontrol fails in SELinux Enforcing mode
Summary: smbcontrol fails in SELinux Enforcing mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.6
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 2025931 2027751
Blocks: 2027125
Reported: 2021-11-30 14:40 UTC by Kaleem
Modified: 2022-05-10 16:24 UTC

Fixed In Version: selinux-policy-3.14.3-85.el8
Doc Type: No Doc Update
Doc Text:
Clone Of: 2025931
Environment:
Last Closed: 2022-05-10 15:15:45 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-104349 0 None None None 2021-11-30 14:46:37 UTC
Red Hat Product Errata RHBA-2022:1995 0 None None None 2022-05-10 15:16:08 UTC

Description Kaleem 2021-11-30 14:40:55 UTC
+++ This bug was initially created as a clone of Bug #2025931 +++

Description of problem:


Version-Release number of selected component (if applicable):
# cat /etc/fedora-release
Fedora release 35 (Thirty Five)
 
# rpm -q samba-common-tools selinux-policy
samba-common-tools-4.15.2-3.fc35.x86_64
selinux-policy-35.5-1.fc35.noarch

How reproducible:
Always

Steps to Reproduce:
1. setenforce 1
2. dnf install samba-common-tools
3. smbcontrol all debug 100

Actual results: ERROR: Could not determine network interfaces, you must use a interfaces config line


Expected results:
No error messages

Additional info:
# ausearch -m avc
time->Tue Nov 23 05:16:25 2021
type=AVC msg=audit(1637662585.880:491): avc:  denied  { create } for  pid=1665 comm="smbcontrol" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=0

It works with setenforce 0 and on Fedora 34

--- Additional comment from Zdenek Pytela on 2021-11-23 13:23:42 UTC ---

The tool now uses netlink_route_socket and udp_socket which were not required previously:

----
type=PROCTITLE msg=audit(11/23/2021 08:19:05.790:553) : proctitle=smbcontrol all debug 100
type=SYSCALL msg=audit(11/23/2021 08:19:05.790:553) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=ip a3=0x7fbb520a88b8 items=0 ppid=1060 pid=2372 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2021 08:19:05.790:553) : avc:  denied  { create } for  pid=2372 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=0
----
type=PROCTITLE msg=audit(11/23/2021 08:21:37.079:561) : proctitle=smbcontrol all debug 100
type=SYSCALL msg=audit(11/23/2021 08:21:37.079:561) : arch=x86_64 syscall=socket success=yes exit=3 a0=inet a1=SOCK_DGRAM a2=ip a3=0x1d items=0 ppid=1060 pid=2387 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2021 08:21:37.079:561) : avc:  denied  { create } for  pid=2387 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=udp_socket permissive=1
f35# ausearch -i -a 562
----
type=PROCTITLE msg=audit(11/23/2021 08:21:37.080:562) : proctitle=smbcontrol all debug 100
type=SYSCALL msg=audit(11/23/2021 08:21:37.080:562) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x3 a1=0x8946 a2=0x7fff6d74e470 a3=0x1d items=0 ppid=1060 pid=2387 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2021 08:21:37.080:562) : avc:  denied  { ioctl } for  pid=2387 comm=smbcontrol path=socket:[27789] dev="sockfs" ino=27789 ioctlcmd=0x8946 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=udp_socket permissive=1

# sesearch -A -s smbcontrol_t -t smbcontrol_t -p create
allow smbcontrol_t smbcontrol_t:anon_inode { create getattr ioctl read write };
allow smbcontrol_t smbcontrol_t:fifo_file { create link rename setattr unlink }; [ fips_mode ]:True
allow smbcontrol_t smbcontrol_t:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow smbcontrol_t smbcontrol_t:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow smbcontrol_t smbcontrol_t:tcp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow smbcontrol_t smbcontrol_t:unix_dgram_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow smbcontrol_t smbcontrol_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
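
Added example, not part of the original comment or of the selinux-policy project: a small Python parser that reads the AVC records quoted above, compares them with the `sesearch` result, and lists the candidate allow rules that are missing, in the way `audit2allow` would. The function names are this example's own, and the output is a candidate for review, not the rule set merged in the Fedora PR.

```python
import re
from collections import defaultdict

# AVC records and two sesearch result lines copied from the comment above; CTX abbreviates the repeated context.
CTX = "unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023"
AVC_LOG = f"""\
type=AVC msg=audit(11/23/2021 08:19:05.790:553) : avc:  denied  {{ create }} for  pid=2372 comm=smbcontrol scontext={CTX} tcontext={CTX} tclass=netlink_route_socket permissive=0
type=AVC msg=audit(11/23/2021 08:21:37.079:561) : avc:  denied  {{ create }} for  pid=2387 comm=smbcontrol scontext={CTX} tcontext={CTX} tclass=udp_socket permissive=1
type=AVC msg=audit(11/23/2021 08:21:37.080:562) : avc:  denied  {{ ioctl }} for  pid=2387 comm=smbcontrol path=socket:[27789] dev="sockfs" ino=27789 ioctlcmd=0x8946 scontext={CTX} tcontext={CTX} tclass=udp_socket permissive=1
"""
SESEARCH_OUT = """\
allow smbcontrol_t smbcontrol_t:tcp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow smbcontrol_t smbcontrol_t:unix_dgram_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)"
                    r"\s+tclass=(\S+)(?:\s+permissive=([01]))?")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}", re.M)

def parse_denials(log):
    """Map (source type, target type, class) -> {permission: actually blocked?}."""
    denials = defaultdict(dict)
    for perms, sctx, tctx, tclass, permissive in AVC_RE.findall(log):
        # A context is user:role:type:level; the policy rule is written on the type.
        key = (sctx.split(":")[2], tctx.split(":")[2], tclass)
        for p in perms.split():
            # permissive=0 means the kernel refused the call; =1 means logged only.
            denials[key][p] = denials[key].get(p, False) or permissive == "0"
    return dict(denials)

def missing_rules(log, policy):
    """Candidate allow rules for denied permissions the policy does not grant."""
    allowed = defaultdict(set)
    for s, t, c, perms in ALLOW_RE.findall(policy):
        allowed[(s, t, c)].update(perms.split())
    rules = []
    for (s, t, c), perms in sorted(parse_denials(log).items()):
        need = sorted(set(perms) - allowed[(s, t, c)])
        if need:
            rules.append(f"allow {s} {t}:{c} {{ {' '.join(need)} }};")
    return rules

def permissive_only(log):
    """Denials logged only with permissive=1, not seen as enforced refusals in this log."""
    return sorted((key[2], p) for key, perms in parse_denials(log).items()
                  for p, blocked in perms.items() if not blocked)

if __name__ == "__main__":
    print("\n".join(missing_rules(AVC_LOG, SESEARCH_OUT)), permissive_only(AVC_LOG), sep="\n")
```

The `permissive_only` result shows why the permissive-mode run matters here: the enforcing-mode record covers only the `netlink_route_socket` create, while the `udp_socket` permissions were logged only with `permissive=1`.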

--- Additional comment from Zdenek Pytela on 2021-11-23 13:38:22 UTC ---

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/951

--- Additional comment from Alexander Bokovoy on 2021-11-26 20:20:05 UTC ---

FYI, I can see the same issue in RHEL 8.6.0 development so we'd need to get this fixed in RHEL as well.

--- Additional comment from Fedora Update System on 2021-11-29 16:03:32 UTC ---

FEDORA-2021-ea3fa543f0 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ea3fa543f0

--- Additional comment from Zdenek Pytela on 2021-11-29 16:52:36 UTC ---

(In reply to Alexander Bokovoy from comment #3)
> FYI, I can see the same issue in RHEL 8.6.0 development so we'd need to get
> this fixed in RHEL as well.

In that case, please clone this bz for RHEL 8 and RHEL 9 if it applies there, too.

--- Additional comment from Fedora Update System on 2021-11-30 02:19:09 UTC ---

FEDORA-2021-ea3fa543f0 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ea3fa543f0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ea3fa543f0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 2 Zdenek Pytela 2021-12-06 16:50:03 UTC
To backport:
commit 0269eebb529eef5288b4b6dd1c62604dbd230230
Author: Zdenek Pytela <zpytela>
Date:   Tue Nov 23 14:32:54 2021 +0100

    Allow smbcontrol use additional socket types

Comment 15 errata-xmlrpc 2022-05-10 15:15:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995

