samba-4.16.5-0.fc36.x86_64
selinux-policy-targeted-36.14-1.fc36.noarch

I'm using Samba with the standard FreeIPA configuration (so LDAP+Krb5 authentication). Since a recent relabel (or some other update) SELinux has been disrupting access to SMB shares - for some reason the Mac clients are worst affected. I see loads of SIGABRTs from samba-dcerpcd, along with things like:

type=AVC msg=audit(1663577560.480:3619): avc: denied { write } for pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
type=AVC msg=audit(1663577560.480:3620): avc: denied { read } for pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
type=AVC msg=audit(1663577560.484:3621): avc: denied { search } for pid=109517 comm="samba-dcerpcd" name="krb5" dev="sda6" ino=157052 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1663577560.487:3622): avc: denied { read } for pid=109517 comm="samba-dcerpcd" name="openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1663577560.487:3623): avc: denied { open } for pid=109517 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1663577560.487:3624): avc: denied { getattr } for pid=109517 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1

in audit.log and the following in the system logs:

Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:29.459439, 0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]: kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:29.459564, 0, pid=109517] ../../source3/lib/smbldap.c:1054(smbldap_connect_system)
Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-CB-ETTLE.socket with dn="[Anonymous bind]" Error: Local error
Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]: (unknown)
Sep 19 09:52:30 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:30.461066, 0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:30 skipper.cb.ettle samba-dcerpcd[109517]: kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:31 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:31.462555, 0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:31 skipper.cb.ettle samba-dcerpcd[109517]: kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:32 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:32.464279, 0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:32 skipper.cb.ettle samba-dcerpcd[109517]: kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:33 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:33.466238, 0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:33 skipper.cb.ettle samba-dcerpcd[109517]: kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:34 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:34.468348, 0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:34 skipper.cb.ettle samba-dcerpcd[109517]: kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:35 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:35.470556, 0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:35 skipper.cb.ettle samba-dcerpcd[109517]: kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:36 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:36.472795, 0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:36 skipper.cb.ettle samba-dcerpcd[109517]: kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:37 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:37.475044, 0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:37 skipper.cb.ettle samba-dcerpcd[109517]: kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:38 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:38.477276, 0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:38 skipper.cb.ettle samba-dcerpcd[109517]: kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:39 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:39.479533, 0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:39 skipper.cb.ettle samba-dcerpcd[109517]: kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name

Works OK if enforcing is temporarily switched off.

Booleans:

smbd_anon_write --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> on
samba_export_all_rw --> on
samba_load_libgfapi --> off
samba_portmapper --> on
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off
One new and two existing commits need to be backported:

commit 837f63743214363362334e910dcb06d35cd5cb99
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 27 17:22:40 2022 +0200

    Update samba-dcerpcd policy for kerberos usage 2

commit e6584a21427a408c09781f2c5cf978b0f18db1cc
Author: Zdenek Pytela <zpytela>
Date:   Fri Jun 17 18:34:28 2022 +0200

    Update samba-dcerpcd policy for kerberos usage
The two existing commits turned out to have already been backported.
For reference, just trying selinux-policy-36.15-1.fc36.noarch from Koji. See in audit.log:

type=AVC msg=audit(1663613461.216:3955): avc: denied { write } for pid=113672 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=0
type=AVC msg=audit(1663613476.247:3975): avc: denied { read } for pid=113672 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_rpcd_t:s0 tclass=key permissive=1
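The AVC records quoted in the original report and in the follow-up above are easier to reason about once they are reduced to (source type, target type, object class, permission) tuples, which is the granularity at which an SELinux policy rule is written, and once the records that were actually enforced (permissive=0) are separated from those that were merely logged (permissive=1). The following parser is an added example for this thread, not code from Samba, FreeIPA or the selinux-policy project; its only input is the audit lines copied from the two comments above, embedded inline. It uses nothing beyond the Python standard library, and the field names it extracts (scontext, tcontext, tclass, path, name, permissive) are the ones that appear in the quoted records.

```python
import re
from collections import Counter

# AVC records copied from the bug report: the six permissive=1 records from the
# original comment, followed by the two records seen with selinux-policy 36.15.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1663577560.480:3619): avc: denied { write } for pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
type=AVC msg=audit(1663577560.480:3620): avc: denied { read } for pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
type=AVC msg=audit(1663577560.484:3621): avc: denied { search } for pid=109517 comm="samba-dcerpcd" name="krb5" dev="sda6" ino=157052 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1663577560.487:3622): avc: denied { read } for pid=109517 comm="samba-dcerpcd" name="openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1663577560.487:3623): avc: denied { open } for pid=109517 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1663577560.487:3624): avc: denied { getattr } for pid=109517 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1663613461.216:3955): avc: denied { write } for pid=113672 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=0
type=AVC msg=audit(1663613476.247:3975): avc: denied { read } for pid=113672 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')


def type_of(context):
    """Return the type component of a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC denials, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    ts = MSG_RE.search(line)
    return {
        'serial': int(ts.group('serial')) if ts else None,
        'timestamp': float(ts.group('ts')) if ts else None,
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'source_type': type_of(fields.get('scontext', '')),
        'target_type': type_of(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        # 'path' is present when the kernel could resolve it, else 'name'.
        'object': fields.get('path') or fields.get('name'),
        'permissive': fields.get('permissive') == '1',
    }


def parse_log(text):
    """Parse every AVC denial in an audit.log excerpt, skipping other records."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Count denials per (source_type, target_type, tclass, perm) tuple."""
    counts = Counter()
    for r in records:
        for perm in r['perms']:
            counts[(r['source_type'], r['target_type'], r['tclass'], perm)] += 1
    return counts


def enforced_denials(records):
    """Denials logged with permissive=0, i.e. the ones that actually blocked the process."""
    return [r for r in records if not r['permissive']]


if __name__ == '__main__':
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls, perm), n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {src} -> {tgt} ({cls}): {perm}")
    blocked = enforced_denials(recs)
    print(f"{len(blocked)} of {len(recs)} denial(s) were enforced (permissive=0)")
```

Running it over the quoted records groups the openssl.cnf and krb5 keytab directory denials under cert_t and krb5_keytab_t, and shows that the only record enforced with the 36.15 policy is the winbind_rpcd_t write on its own key object, which is what the later update addresses.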
FEDORA-2022-0c59a07653 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-0c59a07653` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.