2122904 – SELinux is preventing samba-dcerpcd from 'read' accesses on the directory /home/xx/Documents/xx.

Bug 2122904 - SELinux is preventing samba-dcerpcd from 'read' accesses on the directory /home/xx/Documents/xx.

Summary: SELinux is preventing samba-dcerpcd from 'read' accesses on the directory /ho...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	36
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Nikola Knazekova
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:eb33d8f93a9f5c1ed8937914370...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-08-31 08:46 UTC by Enrique Meléndez
Modified:	2024-01-01 18:55 UTC (History)
CC List:	11 users (show)
Fixed In Version:	selinux-policy-36.17-1.fc36
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-12-23 01:20:17 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1438	0	None	Merged	Add winbind-rpcd to samba_enable_home_dirs boolean	2022-10-19 17:35:08 UTC

Description Enrique Meléndez 2022-08-31 08:46:39 UTC

Description of problem:
Accessing the home directory from win11
SELinux is preventing samba-dcerpcd from 'read' accesses on the directory /home/xx/Documents/xx.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that samba-dcerpcd should be allowed read access on the xx directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd
# semodule -X 300 -i my-sambadcerpcd.pp

Additional Information:
Source Context                system_u:system_r:winbind_rpcd_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/enrique/Documents/Enrique [ dir ]
Source                        samba-dcerpcd
Source Path                   samba-dcerpcd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.14-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.14-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.18.19-200.fc36.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sun Aug 21 15:52:59 UTC 2022
                              x86_64 x86_64
Alert Count                   2
First Seen                    2022-08-31 10:35:14 CEST
Last Seen                     2022-08-31 10:35:14 CEST
Local ID                      8d46f333-f9ac-46f0-8546-5e2699c44534

Raw Audit Messages
type=AVC msg=audit(1661934914.346:360): avc:  denied  { read } for  pid=4587 comm="samba-dcerpcd" path="/home/xx/Documents/xx" dev="dm-2" ino=21627745 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0


Hash: samba-dcerpcd,winbind_rpcd_t,user_home_t,dir,read

Version-Release number of selected component:
selinux-policy-targeted-36.14-1.fc36.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.2
hashmarkername: setroubleshoot
kernel:         5.18.19-200.fc36.x86_64
type:           libreport

Comment 1 Nikola Knazekova 2022-09-09 10:38:49 UTC

Hi

is this expected from samba-dcerpcd to access home dirs ? 

Thanks

Nikola

Comment 2 Andreas Schneider 2022-09-09 11:32:43 UTC

Does the user have a share specified with that path in the smb.conf? I don't think that samba-dcerpcd would look thee on its own.

Comment 3 Nikola Knazekova 2022-09-29 11:17:01 UTC

Enrique, have you configured that path in the smb.conf?

Thanks,

Nikola

Comment 4 Enrique Meléndez 2022-10-05 19:30:18 UTC

(In reply to nknazeko from comment #3)
> Enrique, have you configured that path in the smb.conf?
> 
> Thanks,
> 
> Nikola

Yes, I have 

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

Comment 5 Nikola Knazekova 2022-10-10 15:44:07 UTC

PR: https://github.com/fedora-selinux/selinux-policy/pull/1438

commit e999a494cb82e6b55f5743409eac3dba7b926b30 (HEAD -> fix-winbind, origin/fix-winbind)
Author: Nikola Knazekova <nknazeko>
Date:   Mon Oct 10 16:45:20 2022 +0200

    Add winbind-rpcd to samba_enable_home_dirs boolean
    
    Update samba_enable_home_dirs boolean to Allow winbind-rpcd to share users home directories.
    
    SELinux denials appeared, when users configured home directory share in the smb.conf.
    
    type=AVC msg=audit(1661934914.346:360): avc:  denied  { read } for  pid=4587 comm="samba-dcerpcd" path="/home/xx/Documents/xx" dev="dm-2" ino=21627745 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
    
    Resolves: bz#2122904

Comment 6 Fedora Update System 2022-12-07 09:20:56 UTC

FEDORA-2022-e7d50924ec has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e7d50924ec

Comment 7 Fedora Update System 2022-12-08 02:53:22 UTC

FEDORA-2022-e7d50924ec has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-e7d50924ec`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-e7d50924ec

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2022-12-23 01:20:17 UTC

FEDORA-2022-e7d50924ec has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Paul Howarth 2024-01-01 18:55:32 UTC

I think something similar will be needed for public content. I have "smbd_anon_write --> on" but got this when my wife's Windows 11 machine tried accessing shares with public_content_rw_t:

# avclist | audit2allow -R

require {
	type winbind_rpcd_t;
}

#============= winbind_rpcd_t ==============
miscfiles_manage_public_files(winbind_rpcd_t)

This is from AVCs like:

type=AVC msg=audit(1704134675.693:18923): avc:  denied  { read write } for  pid=3960899 comm="samba-dcerpcd" path=2F7372762F70726976646174612F4D6F6E65792F47544C2F54617865732042442F42696E676E696E6720546178657320323032322D323032332E6F6473 dev="dm-2" ino=3146018 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file permissive=0

Note You need to log in before you can comment on or make changes to this bug.