2038963 – smbcontrol produces AVC: denied {read} dev="proc"

Bug 2038963 - smbcontrol produces AVC: denied {read} dev="proc"

Summary: smbcontrol produces AVC: denied {read} dev="proc"

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	35
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2033873 2038157
TreeView+	depends on / blocked

Reported:	2022-01-10 16:21 UTC by Florence Blanc-Renaud
Modified:	2022-01-18 01:55 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-35.9-1.fc35
Clone Of:
Environment:
Last Closed:	2022-01-18 01:55:36 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Florence Blanc-Renaud 2022-01-10 16:21:52 UTC

Description of problem:
The command smbcontrol produces an AVC on Fedora 35.

Version-Release number of selected component (if applicable):
# cat /etc/fedora-release
Fedora release 35 (Thirty Five)

# rpm -q samba-common-tools selinux-policy
samba-common-tools-4.15.3-0.fc35.x86_64
selinux-policy-35.8-1.fc35.noarch

How reproducible:
Always

Steps to Reproduce:
1. setenforce 1
2. dnf install samba-common-tools
3. smbcontrol all debug 100

Actual results:
The smbcontrol command succeeds but produces an AVC

Expected results:
No AVC

Additional info:
# ausearch -m AVC
----
time->Mon Jan 10 11:02:26 2022
type=AVC msg=audit(1641830546.569:578): avc:  denied  { read } for  pid=53903 comm="smbcontrol" name="unix" dev="proc" ino=4026532059 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0

Comment 1 Florence Blanc-Renaud 2022-01-10 16:34:12 UTC

Same issue already reported against RHEL 8.6: https://bugzilla.redhat.com/show_bug.cgi?id=2033873
and against RHEL 9: https://bugzilla.redhat.com/show_bug.cgi?id=2038157

Comment 2 Fedora Update System 2022-01-13 17:25:45 UTC

FEDORA-2022-3ec8ad0da1 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-3ec8ad0da1

Comment 3 Fedora Update System 2022-01-14 01:55:52 UTC

FEDORA-2022-3ec8ad0da1 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-3ec8ad0da1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-3ec8ad0da1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Florence Blanc-Renaud 2022-01-17 09:14:53 UTC

The update selinux-policy-35.9-1.fc35 properly fixes this issue, I added karma + comment to https://bodhi.fedoraproject.org/updates/FEDORA-2022-3ec8ad0da1

Comment 5 Fedora Update System 2022-01-18 01:55:36 UTC

FEDORA-2022-3ec8ad0da1 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.