Description of problem:
When SELinux is in Enforcing mode, it prevents samba-dcerpcd from accessing /var/lib/ctdb/ and subfolders, despite the right fcontext being applied to those folders:

[root@fs01 symptoms]# ls -lZ /var/lib/ctdb/
total 12
drwxr-xr-x. 2 root root system_u:object_r:ctdbd_var_lib_t:s0 4096 Nov 15 12:25 persistent
drwxr-xr-x. 3 root root system_u:object_r:ctdbd_var_lib_t:s0   67 Nov 15 17:37 scripts
drwxr-xr-x. 2 root root system_u:object_r:ctdbd_var_lib_t:s0 4096 Nov 15 15:18 state
drwxr-xr-x. 2 root root system_u:object_r:ctdbd_var_lib_t:s0 4096 Nov 11 17:59 volatile

Version-Release number of selected component (if applicable):
[root@fs01 symptoms]# uname -a
Linux xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 31 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
[root@fs01 symptoms]# cat /etc/redhat-release
CentOS Stream release 9

samba-common-4.16.4-101.el9.noarch
samba-client-libs-4.16.4-101.el9.x86_64
samba-common-libs-4.16.4-101.el9.x86_64
samba-libs-4.16.4-101.el9.x86_64
samba-common-tools-4.16.4-101.el9.x86_64
samba-4.16.4-101.el9.x86_64
samba-client-4.16.4-101.el9.x86_64

[root@fs01 symptoms]# rpm -qa | grep selinux-policy
selinux-policy-34.1.46-1.el9.noarch
selinux-policy-targeted-34.1.46-1.el9.noarch
selinux-policy-doc-34.1.46-1.el9.noarch

How reproducible:
Set enforcing to 1 and try to browse the shares on the Samba IP; this will be the result in /var/log/samba/log.samba-dcerpcd:

[2022/11/15 17:33:13,  0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission denied
[2022/11/15 17:33:13,  0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/15 17:33:13,  0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission denied
[2022/11/15 17:33:13,  0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/15 17:33:13,  1] ../../source3/registry/reg_backend_db.c:759(regdb_init)
  regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
[2022/11/15 17:33:13,  0] ../../source3/registry/reg_init_basic.c:35(registry_init_common)
  Failed to initialize the registry: WERR_ACCESS_DENIED
[2022/11/15 17:33:13,  1] ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
  error initializing registry configuration: SBC_ERR_BADFILE
Can't load /etc/samba/smb.conf - run testparm to debug it
samba-dcerpcd - Failed to load config file!

Steps to Reproduce:
1. Enforcing mode of SELinux
2. Samba in Clustering mode with registry
3. Trying to browse shares fails (despite the share having the browseable flag on)

Actual results:
Browsing shares is not possible with SELinux set to Enforcing, despite all 'denied' AVCs having been allowed by creating a module.

Expected results:
Browsing possible with SELinux set to Enforcing.

Additional info:
Some kind of debugging:

[root@fs01 symptoms]# getenforce
Enforcing
[root@fs01 symptoms]# semodule -B
[root@fs01 symptoms]# setenforce 0
[root@fs01 symptoms]# ausearch -c samba-dcerpcd --raw| audit2allow -M sambalocal

module sambalocal 1.0;

require {
	type fusefs_t;
	type ctdbd_t;
	type smbd_t;
	type ctdbd_var_run_t;
	type winbind_rpcd_t;
	type ctdbd_var_lib_t;
	class sock_file { getattr write };
	class unix_stream_socket { connectto read write };
	class file { getattr lock map open read setattr write };
	class dir { ioctl read search };
	class process { noatsecure rlimitinh siginh };
}

#============= smbd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };

#============= winbind_rpcd_t ==============

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_t:unix_stream_socket connectto;

#!!!! This avc has a dontaudit rule in the current policy
allow winbind_rpcd_t ctdbd_var_lib_t:dir search;

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_var_lib_t:file { getattr lock map open read setattr write };

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_var_run_t:sock_file { getattr write };

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t fusefs_t:dir { ioctl read };

So even if this module is inserted, access is denied.

Some more logs with the dontaudit rules disabled (semodule -DB):

----
time->Wed Nov 16 19:38:54 2022
type=PROCTITLE msg=audit(1668623934.082:679): proctitle=6970006C696E6B0073686F7700656E703373306630
type=PATH msg=audit(1668623934.082:679): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=184550268 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1668623934.082:679): cwd="/"
type=EXECVE msg=audit(1668623934.082:679): argc=4 a0="ip" a1="link" a2="show" a3="enp3s0f0"
type=SYSCALL msg=audit(1668623934.082:679): arch=c000003e syscall=59 success=yes exit=0 a0=55a1b2de6c70 a1=55a1b2e4e900 a2=55a1b2e4dd90 a3=8 items=1 ppid=514421 pid=514422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1668623934.082:679): avc: denied { siginh } for pid=514422 comm="ip" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623934.082:679): avc: denied { rlimitinh } for pid=514422 comm="ip" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623934.082:679): avc: denied { read write } for pid=514422 comm="ip" path="socket:[36143]" dev="sockfs" ino=36143 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1668623934.082:679): avc: denied { noatsecure } for pid=514422 comm="10.interface.sc" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=1
----
time->Wed Nov 16 19:38:54 2022
type=PROCTITLE msg=audit(1668623934.783:682): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F73686172652F736574726F75626C6573686F6F742F536574726F75626C6573686F6F7450726976696C656765642E7079
type=EXECVE msg=audit(1668623934.783:682): argc=2 a0="/usr/bin/python3" a1="/usr/share/setroubleshoot/SetroubleshootPrivileged.py"
type=SYSCALL msg=audit(1668623934.783:682): arch=c000003e syscall=59 success=yes exit=0 a0=55d405041d70 a1=55d40542c830 a2=55d4053cffe0 a3=55d40543abc0 items=0 ppid=1 pid=514463 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="SetroubleshootP" exe="/usr/bin/python3.9" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1668623934.783:682): avc: denied { siginh } for pid=514463 comm="SetroubleshootP" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
----
time->Wed Nov 16 19:39:02 2022
type=PROCTITLE msg=audit(1668623942.662:683): proctitle=2F7573722F6C6962657865632F73616D62612F73616D62612D64636572706364002D2D6C6962657865632D7270636473002D2D72656164792D7369676E616C2D66643D3334002D2D6E702D68656C706572002D2D64656275676C6576656C3D31
type=PATH msg=audit(1668623942.662:683): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=184550268 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1668623942.662:683): cwd="/tmp"
type=EXECVE msg=audit(1668623942.662:683): argc=5 a0="/usr/libexec/samba/samba-dcerpcd" a1="--libexec-rpcds" a2="--ready-signal-fd=34" a3="--np-helper" a4="--debuglevel=1"
type=SYSCALL msg=audit(1668623942.662:683): arch=c000003e syscall=59 success=yes exit=0 a0=5584e36ffd50 a1=5584e3733380 a2=5584e3710940 a3=8 items=1 ppid=365896 pid=514482 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(1668623942.662:683): avc: denied { siginh } for pid=514482 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623942.662:683): avc: denied { rlimitinh } for pid=514482 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623942.662:683): avc: denied { read write } for pid=514482 comm="samba-dcerpcd" path="socket:[1438729]" dev="sockfs" ino=1438729 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1668623942.662:683): avc: denied { noatsecure } for pid=514482 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=1
----
time->Wed Nov 16 19:39:02 2022
type=PROCTITLE msg=audit(1668623942.698:684): proctitle=2F7573722F6C6962657865632F73616D62612F73616D62612D64636572706364002D2D6C6962657865632D7270636473002D2D72656164792D7369676E616C2D66643D3334002D2D6E702D68656C706572002D2D64656275676C6576656C3D31
type=PATH msg=audit(1668623942.698:684): item=0 name="/var/lib/ctdb/persistent/registry.tdb.0" inode=251680171 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ctdbd_var_lib_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1668623942.698:684): cwd="/tmp"
type=SYSCALL msg=audit(1668623942.698:684): arch=c000003e syscall=257 success=yes exit=10 a0=ffffff9c a1=55c20a4aa540 a2=80002 a3=0 items=1 ppid=365896 pid=514482 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(1668623942.698:684): avc: denied { search } for pid=514482 comm="samba-dcerpcd" name="ctdb" dev="dm-0" ino=234887861 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=dir permissive=1
----
time->Wed Nov 16 19:39:09 2022
type=PROCTITLE msg=audit(1668623949.266:685): proctitle=6970006C696E6B0073686F7700656E703373306630
type=EXECVE msg=audit(1668623949.266:685): argc=4 a0="ip" a1="link" a2="show" a3="enp3s0f0"
type=SYSCALL msg=audit(1668623949.266:685): arch=c000003e syscall=59 success=yes exit=0 a0=558930d7ec70 a1=558930de6900 a2=558930de5d90 a3=8 items=0 ppid=514553 pid=514554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1668623949.266:685): avc: denied { read write } for pid=514554 comm="ip" path="socket:[36143]" dev="sockfs" ino=36143 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1
The issue is only with the browsing shares. Accessing the shares themselves, and read/write to them is OK.
I did this:

[root@fs01 symptoms]# semodule -B
[root@fs01 symptoms]# setenforce 0
[root@fs01 symptoms]# ausearch -c samba-dcerpcd --raw| audit2allow -M sambalocal
[root@fs01 symptoms]# cat sambalocal.te

module sambalocal 1.0;

require {
	type fusefs_t;
	type ctdbd_t;
	type smbd_t;
	type ctdbd_var_run_t;
	type winbind_rpcd_t;
	type ctdbd_var_lib_t;
	class sock_file { getattr write };
	class unix_stream_socket { connectto read write };
	class file { getattr lock map open read setattr write };
	class dir { ioctl read search };
	class process { noatsecure rlimitinh siginh };
}

#============= smbd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };

#============= winbind_rpcd_t ==============

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_t:unix_stream_socket connectto;

#!!!! This avc has a dontaudit rule in the current policy
allow winbind_rpcd_t ctdbd_var_lib_t:dir search;

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_var_lib_t:file { getattr lock map open read setattr write };

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ctdbd_var_run_t:sock_file { getattr write };

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t fusefs_t:dir { ioctl read };

And then I did semodule -i sambalocal.pp - now I can browse shares.

The suspect is a bug in selinux-policy, where (my guess) those two are not defined:

allow winbind_rpcd_t ctdbd_var_lib_t:dir search;
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };
Hi Leszek,

thank you very much for the detailed description. Dontaudited permissions (noatsecure rlimitinh siginh) are expected, but this one may cause the problem:

allow winbind_rpcd_t ctdbd_var_lib_t:dir search;

So can you please try this allow rule in a test cil module?

1. Disable your sambalocal:
# semodule -D sambalocal

2. Create test.cil:
$ vi test.cil
(allow winbind_rpcd_t ctdbd_var_lib_t ( dir ( search )))

3. And then
# semodule -i test.cil

Thanks,
Nikola
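The triage step in this thread (read the `ausearch --raw` AVC records, drop the dontaudited process-inheritance permissions, and turn what remains into the narrow CIL allow statements Nikola asks for) can be scripted. This is an added example, not code from the report or from selinux-policy; the sample records are constructed from the denials quoted above, and the generated statements are candidates to check against the installed policy with `sesearch -A` before loading.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records in the shape `ausearch --raw` prints,
# modelled on the denials quoted in this bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1668623942.662:683): avc: denied { siginh } for pid=514482 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623942.662:683): avc: denied { rlimitinh } for pid=514482 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623942.662:683): avc: denied { noatsecure } for pid=514482 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1668623942.698:684): avc: denied { search } for pid=514482 comm="samba-dcerpcd" name="ctdb" dev="dm-0" ino=234887861 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1668623942.662:683): avc: denied { read write } for pid=514482 comm="samba-dcerpcd" path="socket:[1438729]" dev="sockfs" ino=1438729 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=unix_stream_socket permissive=1
"""

# Process-transition permissions the targeted policy dontaudits on purpose;
# they only surface after `semodule -DB` and are not the real blocker.
DONTAUDIT_NOISE = {"noatsecure", "rlimitinh", "siginh"}


def parse_avc(line):
    """Return (source type, target type, tclass, perms) for one AVC record, else None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    perms = set(m.group(1).split())
    # Split the record into key=value fields; quoted values may contain spaces.
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    stype = fields["scontext"].split(":")[2]   # user:role:TYPE:level
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], perms


def collect_denials(raw, skip_noise=True):
    """Aggregate denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in raw.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        if skip_noise:
            perms = perms - DONTAUDIT_NOISE
        if perms:
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def to_cil(rules):
    """Render aggregated denials as CIL allow statements, as used for test.cil above."""
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    print("\n".join(to_cil(collect_denials(SAMPLE_AVCS))))
```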