Description of problem:
selinux-policy-36.13-3.fc36.noarch denies { sendto } to command smbcontrol. The consequence is that running ipa trust-add leaves the user with a Kerberos credential cache containing a ticket for cifs/<server> instead of the original one for admin.

Version-Release number of selected component (if applicable):
Fedora 36
freeipa-server-4.11.0.dev-0.fc36.x86_64
selinux-policy-36.13-3.fc36.noarch

How reproducible:
Systematic

Steps to Reproduce:
1. install IPA server with
   ipa-server-install -n ipa.test -r IPA.TEST -p Secret.123 -a Secret.123 --domain-level=1 -U --setup-dns --auto-forwarders --auto-reverse
2. configure as trust domain controller with
   ipa-adtrust-install -U --enable-compat --netbios-name IPA -a Secret.123 --add-sids
3. obtain an admin ticket with
   kinit admin
4. add a trust with AD:
   ipa trust-add --type ad ad.test --admin Administrator --password
5. check the credential cache, it contains a ticket for cifs/master.ipa.test instead of admin

This is reproducible in our nightly tests, see for instance PR #6394 [1] with the test test_sssd [2]. The AVCs can be seen in the audit.log [3].

[1] https://github.com/freeipa/freeipa/pull/6394
[2] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/9e38f40a-13d2-11ed-8d3d-fa163e04db38
[3] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/9e38f40a-13d2-11ed-8d3d-fa163e04db38/test_integration-test_sssd.py-TestSSSDWithAdTrust-install/master.ipa.test/var/log/audit/audit.log.gz
It seems dontaudit rules were in place, but full auditing was not enabled. This one looks like the only relevant denial:

type=AVC msg=audit(08/04/2022 05:41:05.693:4233) : avc: denied { search } for pid=23438 comm=samba-dcerpcd name=pki dev="vda5" ino=5610 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0

Could you try the following local module:

# cat local_winbindrpcd_krb.cil
(allow winbind_rpcd_t krb5_keytab_t (dir (getattr open search)))
(allow winbind_rpcd_t krb5_keytab_t (dir (getattr open read ioctl lock)))
# semodule -i local_winbindrpcd_krb.cil

and run the test again?
I actually meant this particular one:

----
type=AVC msg=audit(08/04/2022 05:41:05.785:4234) : avc: denied { search } for pid=23438 comm=samba-dcerpcd name=krb5 dev="vda5" ino=12519 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
----

List of all denials run through audit2allow:

#============= NetworkManager_dispatcher_console_t ==============
allow NetworkManager_dispatcher_console_t default_context_t:dir search;

#!!!! This avc is allowed in the current policy
allow NetworkManager_dispatcher_console_t etc_t:dir remove_name;

#!!!! This avc is allowed in the current policy
allow NetworkManager_dispatcher_console_t etc_t:file { setattr unlink };
allow NetworkManager_dispatcher_console_t file_context_t:dir search;
allow NetworkManager_dispatcher_console_t file_context_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow NetworkManager_dispatcher_console_t file_context_t:file map;
allow NetworkManager_dispatcher_console_t security_t:dir read;
allow NetworkManager_dispatcher_console_t security_t:file write;
allow NetworkManager_dispatcher_console_t security_t:security compute_create;
allow NetworkManager_dispatcher_console_t self:process setfscreate;

#============= httpd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow httpd_t self:capability net_admin;

#============= krb5kdc_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow krb5kdc_t selinux_config_t:file read;

#============= oddjob_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow oddjob_t ipa_helper_t:process { rlimitinh siginh };

#============= smbd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };

#============= winbind_rpcd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow winbind_rpcd_t cert_t:dir search;
allow winbind_rpcd_t krb5_keytab_t:dir search;
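As an added illustration (not part of this bug report, and not audit2allow itself), the following Python parses interpreted AVC records like the ones quoted in the two comments above and merges the denials of one source domain into CIL allow rules of the form used in the proposed local_winbindrpcd_krb.cil. The function names are hypothetical; the sample records are constructed from the two AVCs quoted here plus two made-up ones, and, as noted in the thread, denials covered by dontaudit rules only show up once full auditing is enabled (semodule -DB).

```python
import re
from collections import defaultdict

# Constructed sample (ausearch -i style): the two AVCs quoted in this bug,
# plus a made-up file denial and an unrelated httpd_t record to be filtered out.
SAMPLE_AUDIT = """\
type=AVC msg=audit(08/04/2022 05:41:05.693:4233) : avc: denied { search } for pid=23438 comm=samba-dcerpcd name=pki dev="vda5" ino=5610 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(08/04/2022 05:41:05.785:4234) : avc: denied { search } for pid=23438 comm=samba-dcerpcd name=krb5 dev="vda5" ino=12519 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(08/04/2022 05:41:06.001:4235) : avc: denied { read open } for pid=23438 comm=samba-dcerpcd name=krb5.keytab dev="vda5" ino=12520 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file permissive=0
type=AVC msg=audit(08/04/2022 05:41:07.100:4236) : avc: denied { net_admin } for pid=1234 comm=httpd capability=net_admin scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
"""

# Only denied records match; "granted" AVCs are ignored by construction.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field (third colon-separated field) of an SELinux context."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, {perms}) for every denied AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
                   set(m["perms"].split()))

def denials_to_cil(text, source_type):
    """Merge all denials of one source domain into CIL allow rules, one per
    (target type, object class), with the permission sets unioned."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        if stype == source_type:
            merged[(ttype, tclass)] |= perms
    return [
        f"(allow {source_type} {'self' if ttype == source_type else ttype} "
        f"({tclass} ({' '.join(sorted(perms))})))"
        for (ttype, tclass), perms in sorted(merged.items())
    ]

if __name__ == "__main__":
    for rule in denials_to_cil(SAMPLE_AUDIT, "winbind_rpcd_t"):
        print(rule)
```

The generated rules are a review starting point in the same shape as the module proposed above; they still need the same judgement audit2allow output does before being loaded with semodule -i.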
FEDORA-2022-096f7730be has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be
FEDORA-2022-096f7730be has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-096f7730be`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-096f7730be has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
I backported all relevant commits so that the policy is synchronized with rawhide: https://github.com/fedora-selinux/selinux-policy/pull/1409
FEDORA-2022-0c59a07653 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-0c59a07653`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Using: selinux-policy-36.16-1.fc36.noarch
Tested with the latest build, it's working as expected.
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.