Bug 2143624 - SELinux blocks samba-dcerpcd component to direct access to the TDBs
Summary: SELinux blocks samba-dcerpcd component to direct access to the TDBs
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: CentOS Stream
Hardware: x86_64
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
: ---
Assignee: Nikola Knazekova
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-11-17 12:02 UTC by Leszek Szczepanowski
Modified: 2024-04-06 04:25 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-01 19:29:52 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-139792 0 None None None 2022-11-17 12:08:57 UTC

Description Leszek Szczepanowski 2022-11-17 12:02:13 UTC
Description of problem:

When SELinux is in Enforcing mode, it prevents samba-dcerpcd from accessing /var/lib/ctdb/ and its subfolders, despite the right fcontext being applied to those folders:

[root@fs01 symptoms]# ls -lZ /var/lib/ctdb/
total 12
drwxr-xr-x. 2 root root system_u:object_r:ctdbd_var_lib_t:s0 4096 Nov 15 12:25 persistent
drwxr-xr-x. 3 root root system_u:object_r:ctdbd_var_lib_t:s0   67 Nov 15 17:37 scripts
drwxr-xr-x. 2 root root system_u:object_r:ctdbd_var_lib_t:s0 4096 Nov 15 15:18 state
drwxr-xr-x. 2 root root system_u:object_r:ctdbd_var_lib_t:s0 4096 Nov 11 17:59 volatile


Version-Release number of selected component (if applicable):

[root@fs01 symptoms]# uname -a
Linux xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 31 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
[root@fs01 symptoms]# cat /etc/redhat-release
CentOS Stream release 9

samba-common-4.16.4-101.el9.noarch
samba-client-libs-4.16.4-101.el9.x86_64
samba-common-libs-4.16.4-101.el9.x86_64
samba-libs-4.16.4-101.el9.x86_64
samba-common-tools-4.16.4-101.el9.x86_64
samba-4.16.4-101.el9.x86_64
samba-client-4.16.4-101.el9.x86_64
[root@fs01 symptoms]# rpm -qa | grep selinux-policy
selinux-policy-34.1.46-1.el9.noarch
selinux-policy-targeted-34.1.46-1.el9.noarch
selinux-policy-doc-34.1.46-1.el9.noarch

How reproducible:

Set enforcing to 1, and try to browse the shares on the Samba IP, this will be the result in /var/log/samba/log.samba-dcerpcd:

[2022/11/15 17:33:13,  0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission denied
[2022/11/15 17:33:13,  0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/15 17:33:13,  0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission denied
[2022/11/15 17:33:13,  0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/15 17:33:13,  1] ../../source3/registry/reg_backend_db.c:759(regdb_init)
  regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
[2022/11/15 17:33:13,  0] ../../source3/registry/reg_init_basic.c:35(registry_init_common)
  Failed to initialize the registry: WERR_ACCESS_DENIED
[2022/11/15 17:33:13,  1] ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
  error initializing registry configuration: SBC_ERR_BADFILE
Can't load /etc/samba/smb.conf - run testparm to debug it
samba-dcerpcd - Failed to load config file!

Steps to Reproduce:
1. Enforcing mode of SELinux
2. Samba in Clustering mode with registry
3. Browsing shares fails (despite the share having the browseable flag on)

Actual results:

Browsing shares is not possible with SELinux set to Enforcing, despite all 'denied' AVCs having been allowed by creating a module.

Expected results:

Browsing possible with SELinux set to Enforcing.

Additional info:

Some kind of debugging:

[root@fs01 symptoms]# getenforce
Enforcing
[root@fs01 symptoms]# semodule -B
[root@fs01 symptoms]# setenforce 0
[root@fs01 symptoms]# ausearch -c samba-dcerpcd --raw| audit2allow -M sambalocal

module sambalocal 1.0;

require {
        type fusefs_t;
        type ctdbd_t;
        type smbd_t;
        type ctdbd_var_run_t;
        type winbind_rpcd_t;
        type ctdbd_var_lib_t;
        class sock_file { getattr write };
        class unix_stream_socket { connectto read write };
        class file { getattr lock map open read setattr write };
        class dir { ioctl read search };
        class process { noatsecure rlimitinh siginh };
}

#============= smbd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };

#============= winbind_rpcd_t ==============

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_t:unix_stream_socket connectto;

#!!!! This avc has a dontaudit rule in the current policy
allow winbind_rpcd_t ctdbd_var_lib_t:dir search;

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_var_lib_t:file { getattr lock map open read setattr write };

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_var_run_t:sock_file { getattr write };

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t fusefs_t:dir { ioctl read };

So even if this module is inserted, access is denied.

Some more logs with dontaudit setting (semodule -DB):

----
time->Wed Nov 16 19:38:54 2022
type=PROCTITLE msg=audit(1668623934.082:679): proctitle=6970006C696E6B0073686F7700656E703373306630
type=PATH msg=audit(1668623934.082:679): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=184550268 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1668623934.082:679): cwd="/"
type=EXECVE msg=audit(1668623934.082:679): argc=4 a0="ip" a1="link" a2="show" a3="enp3s0f0"
type=SYSCALL msg=audit(1668623934.082:679): arch=c000003e syscall=59 success=yes exit=0 a0=55a1b2de6c70 a1=55a1b2e4e900 a2=55a1b2e4dd90 a3=8 items=1 ppid=514421 pid=514422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1668623934.082:679): avc:  denied  { siginh } for  pid=514422 comm="ip" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623934.082:679): avc:  denied  { rlimitinh } for  pid=514422 comm="ip" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623934.082:679): avc:  denied  { read write } for  pid=514422 comm="ip" path="socket:[36143]" dev="sockfs" ino=36143 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1668623934.082:679): avc:  denied  { noatsecure } for  pid=514422 comm="10.interface.sc" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=1
----
time->Wed Nov 16 19:38:54 2022
type=PROCTITLE msg=audit(1668623934.783:682): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F73686172652F736574726F75626C6573686F6F742F536574726F75626C6573686F6F7450726976696C656765642E7079
type=EXECVE msg=audit(1668623934.783:682): argc=2 a0="/usr/bin/python3" a1="/usr/share/setroubleshoot/SetroubleshootPrivileged.py"
type=SYSCALL msg=audit(1668623934.783:682): arch=c000003e syscall=59 success=yes exit=0 a0=55d405041d70 a1=55d40542c830 a2=55d4053cffe0 a3=55d40543abc0 items=0 ppid=1 pid=514463 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="SetroubleshootP" exe="/usr/bin/python3.9" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1668623934.783:682): avc:  denied  { siginh } for  pid=514463 comm="SetroubleshootP" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
----
time->Wed Nov 16 19:39:02 2022
type=PROCTITLE msg=audit(1668623942.662:683): proctitle=2F7573722F6C6962657865632F73616D62612F73616D62612D64636572706364002D2D6C6962657865632D7270636473002D2D72656164792D7369676E616C2D66643D3334002D2D6E702D68656C706572002D2D64656275676C6576656C3D31
type=PATH msg=audit(1668623942.662:683): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=184550268 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1668623942.662:683): cwd="/tmp"
type=EXECVE msg=audit(1668623942.662:683): argc=5 a0="/usr/libexec/samba/samba-dcerpcd" a1="--libexec-rpcds" a2="--ready-signal-fd=34" a3="--np-helper" a4="--debuglevel=1"
type=SYSCALL msg=audit(1668623942.662:683): arch=c000003e syscall=59 success=yes exit=0 a0=5584e36ffd50 a1=5584e3733380 a2=5584e3710940 a3=8 items=1 ppid=365896 pid=514482 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(1668623942.662:683): avc:  denied  { siginh } for  pid=514482 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623942.662:683): avc:  denied  { rlimitinh } for  pid=514482 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623942.662:683): avc:  denied  { read write } for  pid=514482 comm="samba-dcerpcd" path="socket:[1438729]" dev="sockfs" ino=1438729 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1668623942.662:683): avc:  denied  { noatsecure } for  pid=514482 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=1
----
time->Wed Nov 16 19:39:02 2022
type=PROCTITLE msg=audit(1668623942.698:684): proctitle=2F7573722F6C6962657865632F73616D62612F73616D62612D64636572706364002D2D6C6962657865632D7270636473002D2D72656164792D7369676E616C2D66643D3334002D2D6E702D68656C706572002D2D64656275676C6576656C3D31
type=PATH msg=audit(1668623942.698:684): item=0 name="/var/lib/ctdb/persistent/registry.tdb.0" inode=251680171 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ctdbd_var_lib_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1668623942.698:684): cwd="/tmp"
type=SYSCALL msg=audit(1668623942.698:684): arch=c000003e syscall=257 success=yes exit=10 a0=ffffff9c a1=55c20a4aa540 a2=80002 a3=0 items=1 ppid=365896 pid=514482 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(1668623942.698:684): avc:  denied  { search } for  pid=514482 comm="samba-dcerpcd" name="ctdb" dev="dm-0" ino=234887861 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=dir permissive=1
----
time->Wed Nov 16 19:39:09 2022
type=PROCTITLE msg=audit(1668623949.266:685): proctitle=6970006C696E6B0073686F7700656E703373306630
type=EXECVE msg=audit(1668623949.266:685): argc=4 a0="ip" a1="link" a2="show" a3="enp3s0f0"
type=SYSCALL msg=audit(1668623949.266:685): arch=c000003e syscall=59 success=yes exit=0 a0=558930d7ec70 a1=558930de6900 a2=558930de5d90 a3=8 items=0 ppid=514553 pid=514554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1668623949.266:685): avc:  denied  { read write } for  pid=514554 comm="ip" path="socket:[36143]" dev="sockfs" ino=36143 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1

Comment 1 Leszek Szczepanowski 2022-11-17 12:04:15 UTC
The issue is only with the browsing shares. Accessing the shares themselves, and read/write to them is OK.

Comment 2 Leszek Szczepanowski 2022-11-17 15:48:11 UTC
I did this:

[root@fs01 symptoms]# semodule -B
[root@fs01 symptoms]# setenforce 0
[root@fs01 symptoms]# ausearch -c samba-dcerpcd --raw| audit2allow -M sambalocal
[root@fs01 symptoms]# cat sambalocal.te

module sambalocal 1.0;

require {
        type fusefs_t;
        type ctdbd_t;
        type smbd_t;
        type ctdbd_var_run_t;
        type winbind_rpcd_t;
        type ctdbd_var_lib_t;
        class sock_file { getattr write };
        class unix_stream_socket { connectto read write };
        class file { getattr lock map open read setattr write };
        class dir { ioctl read search };
        class process { noatsecure rlimitinh siginh };
}

#============= smbd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };

#============= winbind_rpcd_t ==============

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_t:unix_stream_socket connectto;

#!!!! This avc has a dontaudit rule in the current policy
allow winbind_rpcd_t ctdbd_var_lib_t:dir search;

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_var_lib_t:file { getattr lock map open read setattr write };

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_var_run_t:sock_file { getattr write };

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t fusefs_t:dir { ioctl read };

And then I did semodule -i sambalocal.pp - now I can browse shares.
The suspect is a bug in selinux-policy, where (my guess) those two are not defined:

allow winbind_rpcd_t ctdbd_var_lib_t:dir search;
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };

Comment 3 Nikola Knazekova 2023-01-16 11:56:33 UTC
Hi Leszek,

thank you very much for the detailed description.

Dontaudited permissions (noatsecure rlimitinh siginh) are expected, but this one may cause the problem:
allow winbind_rpcd_t ctdbd_var_lib_t:dir search;

So can you please try this allow rule in a test CIL module?

1. Disable your sambalocal:
# semodule -D sambalocal

2. Create test.cil:
$ vi test.cil

(allow winbind_rpcd_t ctdbd_var_lib_t ( dir ( search )))

3. And then 
# semodule -i test.cil

Thanks,
Nikola
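
The report's audit dump (with dontaudit rules disabled via `semodule -DB`) and the CIL rule proposed in comment 3 are two views of the same data: raw AVC records in, a minimal allow rule out. The script below is an added example, not part of this bug report, of Samba, or of the audit2allow tool; it parses AVC records in the shape quoted above (a few of those lines are reused as constructed sample input, one SYSCALL line is trimmed), filters by `comm` the way `ausearch -c samba-dcerpcd` does, keeps the `process { noatsecure rlimitinh siginh }` denials separate because comment 3 calls them expected, and prints the remaining denials as CIL allow statements in the syntax used in comment 3. The function names and the `EXPECTED_NOISE` table are mine, not from any Red Hat tooling.

```python
"""Parse raw auditd AVC records and emit CIL allow rules.

Added illustration for this bug; not code from the report, Samba or audit2allow.
"""
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from the report plus one trimmed
# SYSCALL line, so the parser has a non-AVC record to skip.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1668623942.698:684): arch=c000003e syscall=257 success=yes exit=10 comm="samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(1668623942.698:684): avc:  denied  { search } for  pid=514482 comm="samba-dcerpcd" name="ctdb" dev="dm-0" ino=234887861 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1668623942.662:683): avc:  denied  { siginh } for  pid=514482 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623942.662:683): avc:  denied  { rlimitinh } for  pid=514482 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623949.266:685): avc:  denied  { read write } for  pid=514554 comm="ip" path="socket:[36143]" dev="sockfs" ino=36143 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1
"""

# Per comment 3 these process permissions are dontaudited on purpose in the
# shipped policy; they are reported separately so a test module does not
# grant them by accident. (Assumption: the set is taken from that comment.)
EXPECTED_NOISE = {("process", "noatsecure"), ("process", "rlimitinh"), ("process", "siginh")}

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+'
    r'(?:pid=\d+ )?(?:comm="(?P<comm>[^"]*)" )?.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ '      # user:role:TYPE:level
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+ '
    r'tclass=(?P<tclass>\w+)'
)


def parse_avc_denials(text, comm=None):
    """Return {(source_type, target_type, tclass): {perm, ...}} for denied AVCs.

    `comm` restricts the result to one command name, like `ausearch -c`.
    Non-AVC records (SYSCALL, PATH, PROCTITLE, ...) are ignored.
    """
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        if comm is not None and m.group("comm") != comm:
            continue
        key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return dict(denials)


def split_expected(denials):
    """Separate denials that are known-dontaudited noise from actionable ones."""
    actionable, expected = defaultdict(set), defaultdict(set)
    for key, perms in denials.items():
        tclass = key[2]
        for perm in perms:
            bucket = expected if (tclass, perm) in EXPECTED_NOISE else actionable
            bucket[key].add(perm)
    return dict(actionable), dict(expected)


def to_cil(denials):
    """Render denials as CIL allow statements, one per (source, target, class)."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        lines.append(f"(allow {stype} {ttype} ({tclass} ({' '.join(sorted(perms))})))")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT, comm="samba-dcerpcd")
    actionable, expected = split_expected(found)
    print("# actionable (candidate test.cil):")
    print(to_cil(actionable))
    print("# expected dontaudit noise, not granted:")
    print(to_cil(expected))
```

Run it against `ausearch -m AVC --raw` output instead of the embedded sample to get the same split on a live system; the actionable part is what belongs in a `test.cil` for `semodule -i`, and anything in the expected part is a sign that `semodule -DB` is still in effect rather than a missing rule.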

Comment 5 Red Hat Bugzilla 2024-04-06 04:25:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

