2127854 – SELinux blocking samba-dcerpcd access to openssl.cnf, breaks Kerberos

Bug 2127854 - SELinux blocking samba-dcerpcd access to openssl.cnf, breaks Kerberos

Summary: SELinux blocking samba-dcerpcd access to openssl.cnf, breaks Kerberos

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	36
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-09-19 09:01 UTC by James
Modified:	2022-10-12 13:01 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-36.16-1.fc36
Clone Of:
Environment:
Last Closed:	2022-10-12 13:01:47 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1394	0	None	open	Allow winbind-rpcd read and write its key ring	2022-09-19 10:33:30 UTC

Description James 2022-09-19 09:01:36 UTC

samba-4.16.5-0.fc36.x86_64
selinux-policy-targeted-36.14-1.fc36.noarch

I'm using Samba with the standard FreeIPA configuration (so LDAP+Krb5 authentication). Since a recent relabel (or some other update) SELinux has been disrupting access to SMB shares - for some reason the Mac clients are worst affected. I see loads of SIGABRTs from samba-dcerpcd, along with things like:


type=AVC msg=audit(1663577560.480:3619): avc:  denied  { write } for  pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
type=AVC msg=audit(1663577560.480:3620): avc:  denied  { read } for  pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
type=AVC msg=audit(1663577560.484:3621): avc:  denied  { search } for  pid=109517 comm="samba-dcerpcd" name="krb5" dev="sda6" ino=157052 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1663577560.487:3622): avc:  denied  { read } for  pid=109517 comm="samba-dcerpcd" name="openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1663577560.487:3623): avc:  denied  { open } for  pid=109517 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1663577560.487:3624): avc:  denied  { getattr } for  pid=109517 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="sda6" ino=5008303 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1


in audit.log and the following in the system logs:


Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:29.459439,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:29.459564,  0, pid=109517] ../../source3/lib/smbldap.c:1054(smbldap_connect_system)
Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]:   failed to bind to server ldapi://%2fvar%2frun%2fslapd-CB-ETTLE.socket with dn="[Anonymous bind]" Error: Local error
Sep 19 09:52:29 skipper.cb.ettle samba-dcerpcd[109517]:           (unknown)
Sep 19 09:52:30 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:30.461066,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:30 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:31 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:31.462555,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:31 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:32 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:32.464279,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:32 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:33 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:33.466238,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:33 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:34 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:34.468348,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:34 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:35 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:35.470556,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:35 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:36 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:36.472795,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:36 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:37 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:37.475044,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:37 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:38 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:38.477276,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:38 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name
Sep 19 09:52:39 skipper.cb.ettle samba-dcerpcd[109517]: [2022/09/19 09:52:39.479533,  0, pid=109517] ipa_sam.c:4865(bind_callback_cleanup)
Sep 19 09:52:39 skipper.cb.ettle samba-dcerpcd[109517]:   kerberos error: code=-1750600185, message=Invalid UID in persistent keyring name


Works OK if enforcing is temporarily switched off. Booleans:

smbd_anon_write --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> on
samba_export_all_rw --> on
samba_load_libgfapi --> off
samba_portmapper --> on
samba_run_unconfined --> on
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off

Comment 1 Zdenek Pytela 2022-09-19 10:33:30 UTC

One new and two existing commits need to be backoprted:
commit 837f63743214363362334e910dcb06d35cd5cb99
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 27 17:22:40 2022 +0200

    Update samba-dcerpcd policy for kerberos usage 2

commit e6584a21427a408c09781f2c5cf978b0f18db1cc
Author: Zdenek Pytela <zpytela>
Date:   Fri Jun 17 18:34:28 2022 +0200

    Update samba-dcerpcd policy for kerberos usage

Comment 2 Zdenek Pytela 2022-09-19 15:46:04 UTC

The two existing commits turned out to have already been backported.

Comment 3 James 2022-09-19 18:53:01 UTC

For reference, just trying selinux-policy-36.15-1.fc36.noarch from Koji. See in audit.log:

type=AVC msg=audit(1663613461.216:3955): avc:  denied  { write } for  pid=113672 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=0
type=AVC msg=audit(1663613476.247:3975): avc:  denied  { read } for  pid=113672 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1

Comment 4 Fedora Update System 2022-09-30 08:50:01 UTC

FEDORA-2022-0c59a07653 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653

Comment 5 Fedora Update System 2022-10-01 02:13:05 UTC

FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-0c59a07653`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2022-10-12 13:01:47 UTC

FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.