Bug 2083511 - samba-dcerpcd and samba rpcd programs need selinux-policy permissions
Summary: samba-dcerpcd and samba rpcd programs need selinux-policy permissions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2083504 2083509
Blocks:
Reported: 2022-05-10 09:33 UTC by Pavel Filipensky
Modified: 2022-12-15 16:18 UTC (History)

Fixed In Version: selinux-policy-36.13-3.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2083509
Environment:
Last Closed: 2022-08-05 01:34:26 UTC
Type: Bug
Embargoed:




Links
Github fedora-selinux/selinux-policy pull 1219 (Draft): Add support for samba-dcerpcd, last updated 2022-06-01 19:34:11 UTC
Github fedora-selinux/selinux-policy pull 1229 (Merged): Update policy for samba-dcerpcd, last updated 2022-06-09 09:49:33 UTC

Description Pavel Filipensky 2022-05-10 09:33:20 UTC
+++ This bug was initially created as a clone of Bug #2083509 +++

+++ This bug was initially created as a clone of Bug #2083504 +++

After the Fedora f36 and rawhide rebase to samba 4.16.1, the samba test fails because of missing SELinux policy permissions. Samba has added new programs (Release Notes https://www.samba.org/samba/history/samba-4.16.0.html).

Please give the needed permissions to these programs:

# ls -lZ /usr/libexec/samba/
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0      34 Apr 23  2021 cups_backend_smb -> /etc/alternatives/cups_backend_smb
-rwxr-xr-x  1 root root ?                          1428008 Feb 15 12:31 rpcd_classic
-rwxr-xr-x  1 root root ?                            45168 Feb 15 12:31 rpcd_epmapper
-rwxr-xr-x  1 root root ?                            78104 Feb 15 12:31 rpcd_fsrvp
-rwxr-xr-x  1 root root ?                           424552 Feb 15 12:31 rpcd_lsad
-rwxr-xr-x  1 root root ?                           128712 Feb 15 12:31 rpcd_mdssvc
-rwxr-xr-x  1 root root ?                            28768 Feb 15 12:31 rpcd_rpcecho
-rwxr-xr-x  1 root root ?                           512976 Feb 15 12:31 rpcd_spoolss
-rwxr-xr-x  1 root root ?                            90712 Feb 15 12:31 rpcd_winreg
-rwxr-xr-x  1 root root ?                           525464 Feb 15 12:31 samba-bgqd
-rwxr-xr-x  1 root root ?                           197960 Feb 15 12:31 samba-dcerpcd


The denied access is here:


avc:  denied  { write } for  pid=53381 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs"
avc:  denied  { setgid } for  pid=53485 comm="rpcd_lsad"


and here:


type=AVC msg=audit(1652102482.309:2296): avc:  denied  { setgid } for  pid=52973 comm="rpcd_lsad" capability=6  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0            
type=AVC msg=audit(1652102482.934:2300): avc:  denied  { setgid } for  pid=52995 comm="rpcd_lsad" capability=6  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1652102483.579:2304): avc:  denied  { setgid } for  pid=53015 comm="rpcd_lsad" capability=6  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1652102484.263:2308): avc:  denied  { setgid } for  pid=53035 comm="rpcd_lsad" capability=6  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1652102484.985:2312): avc:  denied  { setgid } for  pid=53056 comm="rpcd_lsad" capability=6  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0


Full logs:


http://idm-artifacts.usersys.redhat.com/samba/Nightly/RHEL8.7/2022-04-17/tier-1/tier1_ws2019/7/tier1-restraint.01/recipes/1/tasks/10/results/1652101918/logs/avc.log
http://idm-artifacts.usersys.redhat.com/samba/Nightly/RHEL8.7/2022-04-17/tier-1/tier1_ws2019/7/tier1-restraint.01/recipes/1/tasks/10/results/1652101914/logs/avc.log

--- Additional comment from Pavel Filipensky on 2022-05-10 09:27:54 UTC ---

The denied access: denied  { write } for  pid=53381 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs"
needs to be fixed via granting access for "/run"  (for pid files) - see smb.conf(5):

   pid directory (G)

       This option specifies the directory where pid files will be placed.

       Default: pid directory = /run

       Example: pid directory = /var/run/

Comment 1 Milos Malik 2022-05-10 14:30:12 UTC
Following SELinux denial appears multiple times in enforcing mode:
----
type=PROCTITLE msg=audit(05/10/2022 10:26:25.856:667) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=5 --worker-index=5 --debuglevel=0 
type=SYSCALL msg=audit(05/10/2022 10:26:25.856:667) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x0 a1=0x0 a2=0x7f0424afdd4b a3=0x0 items=0 ppid=1573 pid=1583 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_t:s0 key=(null) 
type=AVC msg=audit(05/10/2022 10:26:25.856:667) : avc:  denied  { setgid } for  pid=1583 comm=rpcd_lsad capability=setgid  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0 
----

# rpm -qa selinux\* \*samba\* | sort
python3-samba-4.16.1-4.fc37.x86_64
python3-samba-dc-4.16.1-4.fc37.x86_64
samba-4.16.1-4.fc37.x86_64
samba-client-libs-4.16.1-4.fc37.x86_64
samba-common-4.16.1-4.fc37.noarch
samba-common-libs-4.16.1-4.fc37.x86_64
samba-common-tools-4.16.1-4.fc37.x86_64
samba-dc-libs-4.16.1-4.fc37.x86_64
samba-libs-4.16.1-4.fc37.x86_64
samba-winbind-4.16.1-4.fc37.x86_64
samba-winbind-modules-4.16.1-4.fc37.x86_64
selinux-policy-36.7-1.fc37.noarch
selinux-policy-targeted-36.7-1.fc37.noarch
#

Comment 2 Milos Malik 2022-05-10 14:33:49 UTC
Following SELinux denial appears in permissive mode:
----
type=PROCTITLE msg=audit(05/10/2022 10:33:09.033:712) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=3 --worker-index=5 --debuglevel=0 
type=SYSCALL msg=audit(05/10/2022 10:33:09.033:712) : arch=x86_64 syscall=setgroups success=yes exit=0 a0=0x0 a1=0x0 a2=0x7f196d2fdd4b a3=0x0 items=0 ppid=1782 pid=1792 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_t:s0 key=(null) 
type=AVC msg=audit(05/10/2022 10:33:09.033:712) : avc:  denied  { setgid } for  pid=1792 comm=rpcd_lsad capability=setgid  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=1 
----

Comment 3 Milos Malik 2022-05-10 15:24:06 UTC
# ls -lZ /usr/libexec/samba/
total 3408
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1428080 May  6 11:26 rpcd_classic
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0   45200 May  6 11:26 rpcd_epmapper
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0   78128 May  6 11:26 rpcd_fsrvp
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  424640 May  6 11:26 rpcd_lsad
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  128792 May  6 11:26 rpcd_mdssvc
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0   28800 May  6 11:26 rpcd_rpcecho
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  513048 May  6 11:26 rpcd_spoolss
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0   90744 May  6 11:26 rpcd_winreg
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  525528 May  6 11:26 samba-bgqd
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  198032 May  6 11:26 samba-dcerpcd
#

The following file appears after starting the winbind service:

# ls -lZ /run/samba-dcerpcd.pid 
-rw-r--r--. 1 root root system_u:object_r:winbind_var_run_t:s0 5 May 10 11:06 /run/samba-dcerpcd.pid
#

Comment 4 Zdenek Pytela 2022-06-01 19:34:12 UTC
I've submitted a Fedora PR to address the issue. Before it is merged, a scratch build can be used for testing:

https://github.com/fedora-selinux/selinux-policy/pull/1219
Checks -> Details -> Artifacts -> rpms

Comment 5 Zdenek Pytela 2022-06-09 09:49:34 UTC
Updated with:
https://github.com/fedora-selinux/selinux-policy/pull/1229

Comment 6 Fedora Update System 2022-06-30 07:25:41 UTC
FEDORA-2022-fd22b79a84 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84

Comment 7 Fedora Update System 2022-07-01 02:09:42 UTC
FEDORA-2022-fd22b79a84 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fd22b79a84`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2022-07-16 01:12:41 UTC
FEDORA-2022-320775eb9a has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-320775eb9a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Dustin C. Hatch 2022-07-20 03:12:15 UTC
After applying the update, the original AVC denials are gone, but there are still a couple more:

type=AVC msg=audit(1658286623.868:2435): avc:  denied  { write } for  pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1

type=AVC msg=audit(1658286623.868:2436): avc:  denied  { open } for  pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1

type=AVC msg=audit(1658286623.868:2437): avc:  denied  { lock } for  pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
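The denial records quoted in this bug (the winbind_t setgid ones from the description and comments 1-2, and the winbind_rpcd_t pid-file ones from comment 9), parsed and grouped into the allow-rule shape that audit2allow derives, as an added example that is not part of the bug report or of the selinux-policy project; the sample lines are constructed from the records quoted above, and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the denials quoted in this bug, in both raw audit.log form
# (epoch timestamps, quoted values) and ausearch -i form (symbolic capability name).
SAMPLE_AVC = """\
type=AVC msg=audit(1652102482.309:2296): avc:  denied  { setgid } for  pid=52973 comm="rpcd_lsad" capability=6  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(05/10/2022 10:33:09.033:712) : avc:  denied  { setgid } for  pid=1792 comm=rpcd_lsad capability=setgid  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1658286623.868:2435): avc:  denied  { write } for  pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1658286623.868:2436): avc:  denied  { open } for  pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1658286623.868:2437): avc:  denied  { lock } for  pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"

def parse_avc(line):
    """Return {'perms': [...], 'scontext': ..., ...} for one denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    return rec

def type_of(ctx):
    """user:role:type:level -> type, e.g. system_u:system_r:winbind_t:s0 -> winbind_t."""
    return ctx.split(':')[2]

def summarize(text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
    return rules

def format_rules(rules):
    """Render the summary as allow rules; a target equal to the source is written 'self'."""
    return [f"allow {s} {'self' if s == t else t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def blocked(text):
    """Only permissive=0 records were actually denied; permissive=1 ones show what would be."""
    return [r for r in map(parse_avc, text.splitlines()) if r and r.get('permissive') == '0']

if __name__ == '__main__':
    print('\n'.join(format_rules(summarize(SAMPLE_AVC))))
```

The grouped rules make it visible that the setgid denial and the pid-file denials are two different source domains (winbind_t before the update, winbind_rpcd_t after), which is why the first update left the comment 9 denials in place.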

Comment 10 Fedora Update System 2022-08-04 02:41:43 UTC
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-139ec288ca`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-139ec288ca

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2022-08-05 01:34:26 UTC
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 12 Zdenek Pytela 2022-08-05 15:33:03 UTC
(In reply to Dustin C. Hatch from comment #9)
> After applying the update, the original AVC denials are gone, but there are
> still a couple more:
Thanks for reporting, but next time please create a new bz so that it is not overlooked.
https://github.com/fedora-selinux/selinux-policy/pull/1315
