I'm using selinux-policy 36.10-1.fc36 here (which includes some NetworkManager fixes), but /usr/lib/NetworkManager/dispatcher.d/30-winbind still fails to work correctly:

* My /etc/samba/smb.conf has "winbind use default domain = yes", but the call to testparm just returns an empty string instead of "Yes" and causes the script to exit early.
* If I comment out the testparm block, I get audit errors:

audit[9457]: AVC avc: denied { execute } for pid=9457 comm="30-winbind" name="smbcontrol" dev="dm-1" ino=1466353 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0
audit[9457]: AVC avc: denied { getattr } for pid=9457 comm="30-winbind" path="/usr/bin/smbcontrol" dev="dm-1" ino=1466353 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0
audit[9457]: AVC avc: denied { getattr } for pid=9457 comm="30-winbind" path="/usr/bin/smbcontrol" dev="dm-1" ino=1466353 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0
Thanks for the details, I'll try to address it soon.
Our business VPN setup also has a need to run /usr/bin/kinit, /usr/bin/wbinfo, /usr/bin/nsupdate from NetworkManager dispatcher scripts to register a newly started VPN tunnel with the DNS of the remote organization. Those binaries also get hit by the newly restrictive SELinux environment:

May 24 17:04:52 ibganev-desk.amr.corp.intel.com audit[82523]: AVC avc: denied { getattr } for pid=82523 comm="kinit" path="/etc/krb5.conf" dev="dm-0" ino=12452229 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
May 24 17:04:52 ibganev-desk.amr.corp.intel.com audit[82506]: AVC avc: denied { getattr } for pid=82506 comm="sh" path="/usr/bin/smbcontrol" dev="dm-0" ino=5651000 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0
May 24 17:04:53 ibganev-desk.amr.corp.intel.com audit[82749]: AVC avc: denied { getattr } for pid=82749 comm="wbinfo" path="/run/samba/winbindd/pipe" dev="tmpfs" ino=1995 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file permissive=0
May 24 17:57:29 ibganev-desk.amr.corp.intel.com audit[89569]: AVC avc: denied { read } for pid=89569 comm="kinit" name="krb5.conf" dev="dm-0" ino=12452229 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
May 24 17:57:29 ibganev-desk.amr.corp.intel.com audit[89556]: AVC avc: denied { execute } for pid=89556 comm="sh" name="smbcontrol" dev="dm-0" ino=5651000 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0
May 24 17:57:29 ibganev-desk.amr.corp.intel.com audit[89556]: AVC avc: denied { read } for pid=89556 comm="sh" name="smbcontrol" dev="dm-0" ino=5651000 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0
May 24 17:57:30 ibganev-desk.amr.corp.intel.com audit[89827]: AVC avc: denied { write } for pid=89827 comm="wbinfo" name="pipe" dev="tmpfs" ino=1995 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file permissive=0
May 31 08:29:50 ibganev-desk.amr.corp.intel.com audit[3812]: AVC avc: denied { open } for pid=3812 comm="kinit" path="/etc/krb5.conf" dev="dm-0" ino=12452229 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
May 31 08:29:50 ibganev-desk.amr.corp.intel.com audit[3819]: AVC avc: denied { open } for pid=3819 comm="sh" path="/usr/bin/smbcontrol" dev="dm-0" ino=5651000 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0
May 31 08:29:51 ibganev-desk.amr.corp.intel.com audit[4038]: AVC avc: denied { connectto } for pid=4038 comm="wbinfo" path="/run/samba/winbindd/pipe" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_stream_
FEDORA-2022-fd22b79a84 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84
FEDORA-2022-fd22b79a84 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fd22b79a84` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Trying to bring the discussion in https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84 back here. What I said there was

> This does not fully fix BZ#2092808. Invoking smbcontrol works, but testparm is still returning an empty string.

Zdenek said

> @rakuco the denials mentioned in the bz should be addressed. Please open a new bz and add some details and avc denials you see.

I did mention in the bug report here that "My /etc/samba/smb.conf has "winbind use default domain = yes", but the call to testparm just returns an empty string instead of "Yes" and causes the script to exit early". This is still the case, but there are no AVC denials or anything I can see with journalctl, the program just seems to output nothing. Is there a way to debug this, or temporarily make 30-winbind output something somewhere? Calling logger triggers an AVC denial, and using echo just outputs nothing to the logs.
(In reply to Raphael Kubo da Costa from comment #5)
> Is there a way to debug this, or temporarily make 30-winbind output
> something somewhere? Calling logger triggers an AVC denial, and using echo
> just outputs nothing to the logs.

If the issue does not appear in the system permissive mode, it can be an effect of dontaudit rules which can be removed temporarily:

semodule -DB
<reproduce>
semodule -B
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

Bash debugging can be turned on e.g. with set +x at the script beginning.
Thanks. With `semodule -DB`, I still wasn't able to log anything with echo or logger, and `set +x` didn't have any effect, but I could see a lot of AVCs being logged for all NetworkManager dispatcher scripts. Relevant excerpt:

jul 12 15:01:02 SOME-HOST nm-dispatcher[140489]: req:4 'up' [vpn0], "/usr/lib/NetworkManager/dispatcher.d/30-winbind": run script
jul 12 15:01:02 SOME-HOST audit[140518]: AVC avc: denied { noatsecure } for pid=140518 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=process permissive=0
jul 12 15:01:02 SOME-HOST audit[140518]: AVC avc: denied { read write } for pid=140518 comm="30-winbind" path="socket:[1140270]" dev="sockfs" ino=1140270 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
jul 12 15:01:02 SOME-HOST audit[140518]: AVC avc: denied { read write } for pid=140518 comm="30-winbind" path="socket:[1140270]" dev="sockfs" ino=1140270 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
jul 12 15:01:02 SOME-HOST audit[140518]: AVC avc: denied { rlimitinh } for pid=140518 comm="30-winbind" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=process permissive=0
jul 12 15:01:02 SOME-HOST audit[140518]: AVC avc: denied { siginh } for pid=140518 comm="30-winbind" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=process permissive=0
jul 12 15:01:02 SOME-HOST audit[140519]: AVC avc: denied { net_admin } for pid=140519 comm="systemctl" capability=12 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=capability permissive=0
jul 12 15:01:02 SOME-HOST audit[140519]: AVC avc: denied { net_admin } for pid=140519 comm="systemctl" capability=12 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=capability permissive=0
jul 12 15:01:02 SOME-HOST audit[140521]: AVC avc: denied { search } for pid=140521 comm="testparm" name="samba" dev="dm-1" ino=1704052 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir permissive=0
jul 12 15:01:02 SOME-HOST audit[140521]: AVC avc: denied { search } for pid=140521 comm="testparm" name="samba" dev="dm-1" ino=1704052 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir permissive=0
jul 12 15:01:02 SOME-HOST audit[140522]: AVC avc: denied { net_admin } for pid=140522 comm="systemctl" capability=12 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=capability permissive=0
jul 12 15:01:02 SOME-HOST audit[140522]: AVC avc: denied { net_admin } for pid=140522 comm="systemctl" capability=12 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=capability permissive=0
jul 12 15:01:02 SOME-HOST audit[140523]: AVC avc: denied { noatsecure } for pid=140523 comm="30-winbind" scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:smbcontrol_t:s0 tclass=process permissive=0
jul 12 15:01:02 SOME-HOST audit[140523]: AVC avc: denied { rlimitinh } for pid=140523 comm="smbcontrol" scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:smbcontrol_t:s0 tclass=process permissive=0
jul 12 15:01:02 SOME-HOST audit[140523]: AVC avc: denied { siginh } for pid=140523 comm="smbcontrol" scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:smbcontrol_t:s0 tclass=process permissive=0
jul 12 15:01:03 SOME-HOST nm-dispatcher[140489]: req:4 'up' [vpn0], "/usr/lib/NetworkManager/dispatcher.d/30-winbind": complete
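The `semodule -DB` / `ausearch` procedure from comment #6 produces a lot of output like the excerpt above, and most of it is not the access that is actually failing. The script below is an added example (my own, not code from this bug report or from the selinux-policy project) that reduces raw AVC records to one candidate `allow` rule per source type, target type and object class, and drops the `noatsecure`, `rlimitinh` and `siginh` process permissions, which the reference policy dontaudits on domain transitions and which therefore only show up once dontaudit rules are disabled. It assumes the kernel "avc: denied" record format as printed by journalctl or `ausearch -m avc`; the sample input is constructed from denials quoted in this thread with the host and timestamp prefix trimmed.

```shell
#!/bin/sh
# Added example, not code from this bug report or from selinux-policy.
# Reduces AVC denial records (raw kernel format, as printed by journalctl
# or `ausearch -m avc`) to one candidate `allow` rule per
# (source type, target type, object class), which is what you need to
# decide whether a denial explains a silently failing dispatcher script.
# Process permissions that the reference policy normally dontaudits on
# domain transitions are dropped: they only appear after `semodule -DB`
# and are not the access that is actually failing.
AVC_DONTAUDIT_NOISE='noatsecure rlimitinh siginh'

# avc_to_rules: read AVC records on stdin, print sorted allow rules on stdout.
avc_to_rules() {
    awk -v noise="$AVC_DONTAUDIT_NOISE" '
    BEGIN { n = split(noise, t, " "); for (i = 1; i <= n; i++) skip[t[i]] = 1 }
    /avc: +denied +[{]/ {
        # permission list, e.g. "read write" from "denied  { read write }"
        if (!match($0, /denied +[{] [^}]* [}]/)) next
        s = substr($0, RSTART, RLENGTH)
        sub(/^denied +[{] /, "", s); sub(/ [}]$/, "", s)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type:level; the type is the third field
            if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        m = split(s, p, " ")
        for (j = 1; j <= m; j++) {
            if (p[j] in skip) continue
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                rule[key] = rule[key] " " p[j]
            }
        }
    }
    END { for (k in rule) print "allow " k " {" rule[k] " };" }
    ' | LC_ALL=C sort
}

# Constructed sample: denials quoted in this thread, host/timestamp prefix trimmed.
SAMPLE_AVC='audit[82523]: AVC avc: denied { getattr } for pid=82523 comm="kinit" path="/etc/krb5.conf" dev="dm-0" ino=12452229 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
audit[89569]: AVC avc: denied { read } for pid=89569 comm="kinit" name="krb5.conf" dev="dm-0" ino=12452229 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
audit[3812]: AVC avc: denied { open } for pid=3812 comm="kinit" path="/etc/krb5.conf" dev="dm-0" ino=12452229 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
audit[140518]: AVC avc: denied { noatsecure } for pid=140518 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=process permissive=0
audit[140518]: AVC avc: denied { read write } for pid=140518 comm="30-winbind" path="socket:[1140270]" dev="sockfs" ino=1140270 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
audit[140521]: AVC avc: denied { search } for pid=140521 comm="testparm" name="samba" dev="dm-1" ino=1704052 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir permissive=0
audit[140521]: AVC avc: denied { search } for pid=140521 comm="testparm" name="samba" dev="dm-1" ino=1704052 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir permissive=0
audit[4038]: AVC avc: denied { connectto } for pid=4038 comm="wbinfo" path="/run/samba/winbindd/pipe" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_stream_socket permissive=0'

# On a real system, after the procedure from comment #6:
#   semodule -DB; <reproduce>; semodule -B
#   ausearch -m avc -ts recent | avc_to_rules
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
```

The output is a list of `allow` statements that can be dropped into a local `.te` module (or compared against what `audit2allow -M` would generate). Treat them as a triage list rather than a policy to load as-is: each rule widens what the dispatcher domain may touch, so check whether the right fix is an interface in the distribution policy (as the updates in this bug do) before shipping a local module.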
FEDORA-2022-320775eb9a has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a
FEDORA-2022-320775eb9a has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-320775eb9a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-139ec288ca` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-139ec288ca See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.