Description of problem:
selinux-policy-36.11-1.fc36.noarch denies { sendto } to command smbcontrol. The consequence is that running ipa trust-add leaves the user with a Kerberos credential cache containing a ticket for cifs/<server> instead of the original one for admin.

Version-Release number of selected component (if applicable):
Fedora 36
freeipa-server-4.11.0.dev-0.fc36.x86_64
selinux-policy-36.11-1.fc36.noarch

How reproducible:
Systematic

Steps to Reproduce:
1. install IPA server with
   ipa-server-install -n ipa.test -r IPA.TEST -p Secret.123 -a Secret.123 --domain-level=1 -U --setup-dns --auto-forwarders --auto-reverse
2. configure as trust domain controller with
   ipa-adtrust-install -U --enable-compat --netbios-name IPA -a Secret.123 --add-sids
3. obtain an admin ticket with
   kinit admin
4. add a trust with AD:
   ipa trust-add --type ad ad.test --admin Administrator --password
5. check the credential cache, it contains a ticket for cifs/master.ipa.test instead of admin

This is reproducible in our nightly tests, see for instance PR #1841 [1] with the test test_sssd [2]. The AVCs can be seen in the audit.log [3].
type=AVC msg=audit(1657191966.421:4036): avc: denied { sendto } for pid=22873 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22803" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1657191966.421:4037): avc: denied { sendto } for pid=22873 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22803" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1657191966.421:4038): avc: denied { sendto } for pid=22873 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22814" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1657191966.421:4039): avc: denied { sendto } for pid=22873 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22814" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1657191966.422:4040): avc: denied { sendto } for pid=22873 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22818" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1657191966.422:4041): avc: denied { sendto } for pid=22873 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22818" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0

[1] https://github.com/freeipa-pr-ci2/freeipa/pull/1841
[2] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/ffd8bd2c-fddd-11ec-8b8d-fa163e2eae90/
[3] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/ffd8bd2c-fddd-11ec-8b8d-fa163e2eae90/test_integration-test_sssd.py-TestSSSDWithAdTrust-install/master.ipa.test/var/log/audit/audit.log.gz

Note: selinux-policy-36.10-1.fc36.noarch does not show the issue, the problem was introduced with the update to selinux-policy-36.11-1.fc36 currently in updates-testing.
Unfortunately, I was unable to reproduce the problem reliably. Could you try with the following local module?

# cat local_smbcontrol.cil
(allow smbcontrol_t winbind_rpcd_t (unix_dgram_socket (sendto)))
# semodule -i local_smbcontrol.cil
<retest>
# ausearch -i -m avc,user_avc -ts recent
Hi Zdenek, I launched the same test with the local module. This time, there was no reported AVC but the issue persists (the credential cache contains a ticket for the cifs/... principal). The audit.log is available here [1] and the job report here [2]:

DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd109:transport.py:513 RUN ['ausearch', '-i', '-m', 'avc,user_avc', '-ts', 'recent']
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd109:transport.py:557 <no matches>
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd109:transport.py:217 Exit code: 1

[1] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/d13ac658-029d-11ed-91ab-fa163ea73ebe/test_integration-test_sssd.py-TestSSSDWithAdTrust-install/master.ipa.test/var/log/audit/audit.log.gz
[2] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/d13ac658-029d-11ed-91ab-fa163ea73ebe/report.html
In order to reproduce the issue you need to restart smb before calling kinit admin; ipa trust-add ...

The AVCs are hidden and only visible after disabling dontaudit with "semodule -DB":

without the module from comment #c1:
----
time->Wed Jul 13 14:36:01 2022
type=AVC msg=audit(1657722961.147:4394): avc: denied { net_admin } for pid=18529 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
----
time->Wed Jul 13 14:36:02 2022
type=AVC msg=audit(1657722962.576:4395): avc: denied { noatsecure } for pid=21267 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:36:02 2022
type=AVC msg=audit(1657722962.576:4396): avc: denied { rlimitinh } for pid=21267 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:36:02 2022
type=AVC msg=audit(1657722962.576:4397): avc: denied { siginh } for pid=21267 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:36:03 2022
type=AVC msg=audit(1657722963.684:4398): avc: denied { rlimitinh } for pid=21287 comm="com.redhat.idm." scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:36:03 2022
type=AVC msg=audit(1657722963.684:4399): avc: denied { siginh } for pid=21287 comm="com.redhat.idm." scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:36:11 2022
type=AVC msg=audit(1657722971.156:4400): avc: denied { net_admin } for pid=18529 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
----
time->Wed Jul 13 14:36:21 2022
type=AVC msg=audit(1657722981.166:4401): avc: denied { net_admin } for pid=18529 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0

With the module from comment #c1:
Same output:
time->Wed Jul 13 14:56:42 2022
type=AVC msg=audit(1657724202.495:4529): avc: denied { net_admin } for pid=18529 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
----
time->Wed Jul 13 14:56:44 2022
type=AVC msg=audit(1657724204.868:4530): avc: denied { noatsecure } for pid=21362 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:56:44 2022
type=AVC msg=audit(1657724204.868:4531): avc: denied { rlimitinh } for pid=21362 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:56:44 2022
type=AVC msg=audit(1657724204.868:4532): avc: denied { siginh } for pid=21362 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:56:46 2022
type=AVC msg=audit(1657724206.221:4533): avc: denied { rlimitinh } for pid=21382 comm="com.redhat.idm." scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:56:46 2022
type=AVC msg=audit(1657724206.221:4534): avc: denied { siginh } for pid=21382 comm="com.redhat.idm." scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:56:52 2022
type=AVC msg=audit(1657724212.506:4535): avc: denied { net_admin } for pid=18529 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
----
time->Wed Jul 13 14:57:02 2022
type=AVC msg=audit(1657724222.517:4536): avc: denied { net_admin } for pid=18529 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
Thank you, I can reproduce it now. With the following module:

(allow smbcontrol_t winbind_rpcd_t (unix_dgram_socket (sendto)))
(allow smbd_t winbind_rpcd_t (process (noatsecure)))

I can see

f36# klist -l
Principal name                 Cache name
--------------                 ----------
admin                          KCM:0

but the ipa command keeps complaining so I am not sure if it can be considered working:

f36# ipa trust-add --type ad ad.test --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name
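The step done by hand in the comments above, reading raw AVC records and writing the matching CIL allow rules (what audit2allow automates), as an added example that is not part of the bug report or of the selinux-policy project; the sample records are copied from the audit output quoted in this thread, and the record layout assumed by the regular expression is the standard audit.log AVC format.

```python
import re
from collections import defaultdict

# One AVC record: the denied permissions, both security contexts and the
# object class. pid, comm and path do not enter the rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """user:role:type[:level] -> the type field, which is what rules name."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Return the rule-relevant fields of one record, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": m.group("perms").split(),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass")}

def avc_to_cil(lines):
    """Collapse repeated denials into one CIL allow rule per
    (source type, target type, class), permissions merged and sorted."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            perms[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(perms.items())]

# Sample records taken from the thread's audit output. The sendto denial was
# logged twice; the noatsecure one only shows up once dontaudit rules are
# disabled with `semodule -DB`, as comment #c3 explains.
SENDTO = ('type=AVC msg=audit(1657191966.421:4036): avc: denied { sendto } for pid=22873 '
          'comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22803" '
          'scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 '
          'tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0')
NOATSECURE = ('type=AVC msg=audit(1657722962.576:4395): avc: denied { noatsecure } for pid=21267 '
              'comm="smbd" scontext=system_u:system_r:smbd_t:s0 '
              'tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0')
SAMPLE = [SENDTO, SENDTO, NOATSECURE]

print("\n".join(avc_to_cil(SAMPLE)))
```

Running it on SAMPLE prints exactly the two-rule module from the comment above; review each emitted rule against what the confined domain legitimately needs before loading it with `semodule -i`, since a denial that is dontaudited by design is noise rather than a policy gap.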
I am relaunching a test in our CI with the additional module, I'll keep you posted.
Hi Zdenek, I added the module from comment #c4 and the test is now passing:
http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/9ea02612-02d8-11ed-af51-fa163eda45c5/report.html

You can go ahead and add the new module in selinux-policy.
FEDORA-2022-320775eb9a has been submitted as an update to Fedora 36.
https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a
FEDORA-2022-320775eb9a has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-320775eb9a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-139ec288ca`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-139ec288ca

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.