+++ This bug was initially created as a clone of Bug #2083509 +++

+++ This bug was initially created as a clone of Bug #2083504 +++

After Fedora f36 and rawhide rebase to samba 4.16.1 the samba test fails because of missing selinux policy permissions.

Samba has added new programs (Release Notes https://www.samba.org/samba/history/samba-4.16.0.html).

Please give the needed permissions to these programs:

# ls -lZ /usr/libexec/samba/
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0      34 Apr 23  2021 cups_backend_smb -> /etc/alternatives/cups_backend_smb
-rwxr-xr-x  1 root root ?                          1428008 Feb 15 12:31 rpcd_classic
-rwxr-xr-x  1 root root ?                            45168 Feb 15 12:31 rpcd_epmapper
-rwxr-xr-x  1 root root ?                            78104 Feb 15 12:31 rpcd_fsrvp
-rwxr-xr-x  1 root root ?                           424552 Feb 15 12:31 rpcd_lsad
-rwxr-xr-x  1 root root ?                           128712 Feb 15 12:31 rpcd_mdssvc
-rwxr-xr-x  1 root root ?                            28768 Feb 15 12:31 rpcd_rpcecho
-rwxr-xr-x  1 root root ?                           512976 Feb 15 12:31 rpcd_spoolss
-rwxr-xr-x  1 root root ?                            90712 Feb 15 12:31 rpcd_winreg
-rwxr-xr-x  1 root root ?                           525464 Feb 15 12:31 samba-bgqd
-rwxr-xr-x  1 root root ?                           197960 Feb 15 12:31 samba-dcerpcd

The denied access is here:

avc: denied { write } for pid=53381 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs"
avc: denied { setgid } for pid=53485 comm="rpcd_lsad"

and here:

type=AVC msg=audit(1652102482.309:2296): avc: denied { setgid } for pid=52973 comm="rpcd_lsad" capability=6 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1652102482.934:2300): avc: denied { setgid } for pid=52995 comm="rpcd_lsad" capability=6 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1652102483.579:2304): avc: denied { setgid } for pid=53015 comm="rpcd_lsad" capability=6 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1652102484.263:2308): avc: denied { setgid } for pid=53035 comm="rpcd_lsad" capability=6 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1652102484.985:2312): avc: denied { setgid } for pid=53056 comm="rpcd_lsad" capability=6 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0

Full logs:
http://idm-artifacts.usersys.redhat.com/samba/Nightly/RHEL8.7/2022-04-17/tier-1/tier1_ws2019/7/tier1-restraint.01/recipes/1/tasks/10/results/1652101918/logs/avc.log
http://idm-artifacts.usersys.redhat.com/samba/Nightly/RHEL8.7/2022-04-17/tier-1/tier1_ws2019/7/tier1-restraint.01/recipes/1/tasks/10/results/1652101914/logs/avc.log

--- Additional comment from Pavel Filipensky on 2022-05-10 09:27:54 UTC ---

The denied access:

  denied { write } for pid=53381 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs"

needs to be fixed via granting access for "/run" (for pid files) - see smb.conf(5):

       pid directory (G)
           This option specifies the directory where pid files will be placed.

           Default: pid directory = /run

           Example: pid directory = /var/run/
Following SELinux denial appears multiple times in enforcing mode:

----
type=PROCTITLE msg=audit(05/10/2022 10:26:25.856:667) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=5 --worker-index=5 --debuglevel=0
type=SYSCALL msg=audit(05/10/2022 10:26:25.856:667) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x0 a1=0x0 a2=0x7f0424afdd4b a3=0x0 items=0 ppid=1573 pid=1583 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(05/10/2022 10:26:25.856:667) : avc: denied { setgid } for pid=1583 comm=rpcd_lsad capability=setgid scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
----

# rpm -qa selinux\* \*samba\* | sort
python3-samba-4.16.1-4.fc37.x86_64
python3-samba-dc-4.16.1-4.fc37.x86_64
samba-4.16.1-4.fc37.x86_64
samba-client-libs-4.16.1-4.fc37.x86_64
samba-common-4.16.1-4.fc37.noarch
samba-common-libs-4.16.1-4.fc37.x86_64
samba-common-tools-4.16.1-4.fc37.x86_64
samba-dc-libs-4.16.1-4.fc37.x86_64
samba-libs-4.16.1-4.fc37.x86_64
samba-winbind-4.16.1-4.fc37.x86_64
samba-winbind-modules-4.16.1-4.fc37.x86_64
selinux-policy-36.7-1.fc37.noarch
selinux-policy-targeted-36.7-1.fc37.noarch
#
Following SELinux denial appears in permissive mode:

----
type=PROCTITLE msg=audit(05/10/2022 10:33:09.033:712) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=3 --worker-index=5 --debuglevel=0
type=SYSCALL msg=audit(05/10/2022 10:33:09.033:712) : arch=x86_64 syscall=setgroups success=yes exit=0 a0=0x0 a1=0x0 a2=0x7f196d2fdd4b a3=0x0 items=0 ppid=1782 pid=1792 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(05/10/2022 10:33:09.033:712) : avc: denied { setgid } for pid=1792 comm=rpcd_lsad capability=setgid scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=1
----
# ls -lZ /usr/libexec/samba/
total 3408
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1428080 May  6 11:26 rpcd_classic
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0   45200 May  6 11:26 rpcd_epmapper
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0   78128 May  6 11:26 rpcd_fsrvp
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  424640 May  6 11:26 rpcd_lsad
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  128792 May  6 11:26 rpcd_mdssvc
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0   28800 May  6 11:26 rpcd_rpcecho
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  513048 May  6 11:26 rpcd_spoolss
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0   90744 May  6 11:26 rpcd_winreg
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  525528 May  6 11:26 samba-bgqd
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  198032 May  6 11:26 samba-dcerpcd
#

The following file appears after starting the winbind service:

# ls -lZ /run/samba-dcerpcd.pid
-rw-r--r--. 1 root root system_u:object_r:winbind_var_run_t:s0 5 May 10 11:06 /run/samba-dcerpcd.pid
#
I've submitted a Fedora PR to address the issue. Before it is merged, a scratch build can be used for testing:

https://github.com/fedora-selinux/selinux-policy/pull/1219
Checks -> Details -> Artifacts -> rpms
Updated with: https://github.com/fedora-selinux/selinux-policy/pull/1229
FEDORA-2022-fd22b79a84 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84
FEDORA-2022-fd22b79a84 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fd22b79a84` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-320775eb9a has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-320775eb9a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
After applying the update, the original AVC denials are gone, but there are still a couple more:

type=AVC msg=audit(1658286623.868:2435): avc: denied { write } for pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1658286623.868:2436): avc: denied { open } for pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1658286623.868:2437): avc: denied { lock } for pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-139ec288ca` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-139ec288ca See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 stable repository. If the problem still persists, please make note of it in this bug report.
(In reply to Dustin C. Hatch from comment #9)
> After applying the update, the original AVC denials are gone, but there are
> still a couple more:

Thanks for reporting, but next time please create a new bz not to be overlooked.

https://github.com/fedora-selinux/selinux-policy/pull/1315
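As an added example (not part of this bug report and not code from the selinux-policy or samba projects): a small Python script that parses the AVC records quoted in comment #0 and comment #9 above and collapses them into candidate allow rules, which is the same reduction audit2allow performs on an audit log. The sample lines are copied from this report; the SAMPLE_AVC_LINES name and the two helper functions are mine.

```python
"""Summarise SELinux AVC denials into candidate type-enforcement rules.

Groups every "avc: denied" record by (source type, target type, object class)
and renders one allow rule per group.  The rules are a diagnostic summary for
the policy maintainer, not something to install as-is: each one should be
checked against what the program legitimately needs (here, its pid file under
/run and CAP_SETGID for the rpcd_* workers).
"""
import re
from collections import defaultdict

# Matches both raw audit.log records and `ausearch -i` interpreted output;
# the quoted report contains both forms.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

# Constructed sample input: AVC lines copied from comments #0 and #9 of this
# bug, with one non-AVC audit record mixed in that the parser must skip.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1652102482.309:2296): avc: denied { setgid } for pid=52973 comm="rpcd_lsad" capability=6 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0',
    'type=SYSCALL msg=audit(05/10/2022 10:26:25.856:667) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted)',
    'type=AVC msg=audit(1658286623.868:2435): avc: denied { write } for pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1658286623.868:2436): avc: denied { open } for pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1658286623.868:2437): avc: denied { lock } for pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1',
]


def parse_avc(line):
    """Return a dict describing the denial in `line`, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = re.search(r'comm="?([^"\s]+)"?', line)
    return {
        "perms": frozenset(m.group("perms").split()),
        # A context is user:role:type[:range]; the type is the third field.
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but not actually blocked.
        "permissive": m.group("permissive") == "1",
        "comm": comm.group(1) if comm else None,
    }


def denials_to_rules(lines):
    """Group parsed denials and render one `allow` rule per (source, target, class)."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]

    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        # A domain acting on its own context (e.g. a capability) is written as `self`.
        target = "self" if stype == ttype else ttype
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, perm_str))
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AVC_LINES):
        print(rule)
```

For the sample lines this yields `allow winbind_rpcd_t winbind_var_run_t:file { lock open write };` (the pid-file access under /run that Pavel describes) and `allow winbind_t self:capability setgid;` (the setgroups() EPERM in the enforcing-mode trace). Note that the maintainers' actual fix went further than raw rules of this kind: comment #9 shows the new programs already running in a separate winbind_rpcd_t domain after the first update, so the summary is useful for confirming which accesses are still outstanding, not as a substitute for the linked pull requests.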