
Bug 2152642

Summary: AVC denied errors from samba-dcerpcd on Samba 4.16.4
Product: Red Hat Enterprise Linux 8
Reporter: Bijesh Thekkepat <bthekkep>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.7
CC: asn, dkarpele, gdeschner, lvrabec, mmalik, nknazeko, pfilipen, pkulkarn
Target Milestone: rc
Keywords: Triaged
Target Release: 8.8
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.14.3-115.el8
Doc Type: No Doc Update
Last Closed: 2023-05-16 09:04:19 UTC
Type: Bug
Deadline: 2023-01-24

Description Bijesh Thekkepat 2022-12-12 15:24:20 UTC
Description of problem:

With SELinux enforcing on Samba 4.16.4 (RHEL 8.7) there is a few seconds' wait time while opening certain files (docx, pdf, ...) from a Windows client (tested on Windows Server 2016 Standard). The audit logs show AVC denied errors for /usr/libexec/samba/samba-dcerpcd


Version-Release number of selected component (if applicable):
RHEL 8.7
samba-4.16.4-2.el8.x86_64
samba-libs-4.16.4-2.el8.x86_64
samba-client-4.16.4-2.el8.x86_64
samba-common-tools-4.16.4-2.el8.x86_64
samba-winbind-modules-4.16.4-2.el8.x86_64
samba-winbind-clients-4.16.4-2.el8.x86_64
samba-common-libs-4.16.4-2.el8.x86_64
samba-winbind-4.16.4-2.el8.x86_64
samba-common-4.16.4-2.el8.noarch
samba-client-libs-4.16.4-2.el8.x86_64


How reproducible:

With SELinux enforcing, as soon as we open a png file from the share there is a slight delay and the audit logs show avc:  denied for samba-dcerpcd

Actual results:

====
$ cat /var/log/samba/log.
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2022/12/06 12:50:18.746363,  0] ../../source3/passdb/pdb_interface.c:182(make_pdb_method_name)
  pdb backend ldapsam:ldap://127.0.0.1 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2022/12/06 12:50:18.746430,  0] ../../lib/util/fault.c:172(smb_panic_log)
  ===============================================================
[2022/12/06 12:50:18.746474,  0] ../../lib/util/fault.c:176(smb_panic_log)
  INTERNAL ERROR: pdb_get_methods: failed to get pdb methods for backend ldapsam:ldap://127.0.0.1
   in pid 6716 (4.16.4)
[2022/12/06 12:50:18.746509,  0] ../../lib/util/fault.c:181(smb_panic_log)
  If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2022/12/06 12:50:18.746521,  0] ../../lib/util/fault.c:182(smb_panic_log)
  ===============================================================
[2022/12/06 12:50:18.746532,  0] ../../lib/util/fault.c:184(smb_panic_log)
  PANIC (pid 6716): pdb_get_methods: failed to get pdb methods for backend ldapsam:ldap://127.0.0.1
   in 4.16.4
[2022/12/06 12:50:18.746748,  0] ../../lib/util/fault.c:288(log_stack_trace)
  BACKTRACE: 14 stack frames:
   #0 /lib64/libsamba-util.so.0(log_stack_trace+0x34) [0x7fb7b28ea7b4]
   #1 /lib64/libsamba-util.so.0(smb_panic+0xd) [0x7fb7b28eaa0d]
   #2 /lib64/libsamba-passdb.so.0(+0x1ce49) [0x7fb7b2850e49]
   #3 /lib64/libsamba-passdb.so.0(+0x1f495) [0x7fb7b2853495]
   #4 /lib64/libsamba-passdb.so.0(xid_to_sid+0xa3) [0x7fb7b284b8d3]
   #5 /lib64/libsamba-passdb.so.0(gid_to_sid+0x2b) [0x7fb7b284bbeb]
   #6 /usr/libexec/samba/samba-dcerpcd(+0x16ca9) [0x5650b44bcca9]
   #7 /usr/libexec/samba/samba-dcerpcd(create_local_nt_token_from_info3+0x305) [0x5650b44bdc95]
   #8 /usr/libexec/samba/samba-dcerpcd(+0x105cf) [0x5650b44b65cf]
   #9 /usr/libexec/samba/samba-dcerpcd(+0x123a7) [0x5650b44b83a7]
   #10 /usr/libexec/samba/samba-dcerpcd(init_guest_session_info+0x60) [0x5650b44b8690]
   #11 /usr/libexec/samba/samba-dcerpcd(main+0x55f) [0x5650b44b13ef]
   #12 /lib64/libc.so.6(__libc_start_main+0xe5) [0x7fb7b1535d85]
   #13 /usr/libexec/samba/samba-dcerpcd(_start+0x2e) [0x5650b44b2f9e]



$ ausearch -m avc -i

type=PROCTITLE msg=audit(12/06/2022 12:57:04.568:900) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=35 --np-helper --debuglevel=2
type=PATH msg=audit(12/06/2022 12:57:04.568:900) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=16976802 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/06/2022 12:57:04.568:900) : item=0 name=/usr/libexec/samba/samba-dcerpcd inode=25782681 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_rpcd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/06/2022 12:57:04.568:900) : cwd=/tmp
type=EXECVE msg=audit(12/06/2022 12:57:04.568:900) : argc=5 a0=/usr/libexec/samba/samba-dcerpcd a1=--libexec-rpcds a2=--ready-signal-fd=35 a3=--np-helper a4=--debuglevel=2
type=SYSCALL msg=audit(12/06/2022 12:57:04.568:900) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5583b735f4b0 a1=0x5583b734e790 a2=0x5583b7348a00 a3=0x8 items=2 ppid=6789 pid=7057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(12/06/2022 12:57:04.568:900) : avc:  denied  { read } for  pid=7057 comm=samba-dcerpcd path=/shared/*****/***** dev="dm-0" ino=960522 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
-

type=PROCTITLE msg=audit(12/06/2022 12:58:18.767:2236) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=35 --np-helper --debuglevel=2
type=SOCKADDR msg=audit(12/06/2022 12:58:18.767:2236) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=389 }
type=SYSCALL msg=audit(12/06/2022 12:58:18.767:2236) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xf a1=0x55f673a4ace0 a2=0x10 a3=0x0 items=0 ppid=1 pid=7080 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(12/06/2022 12:58:18.767:2236) : avc:  denied  { name_connect } for  pid=7080 comm=samba-dcerpcd dest=389 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
====

Expected results:

There should be selinux denials for samba-dcerpcd

Additional info:

The customer used the SELinux policy module below to temporarily fix the issue:

====
# my-samba-dcerpcd.te
module my-samba-dcerpcd 1.0;

require {
        type ldap_port_t;
        type winbind_rpcd_t;
        type samba_share_t;
        class file { ioctl read write getattr open };
        class dir { ioctl read };
        class tcp_socket name_connect;
}

#============= winbind_rpcd_t ==============
allow winbind_rpcd_t ldap_port_t:tcp_socket name_connect;
allow winbind_rpcd_t samba_share_t:dir { ioctl read };
allow winbind_rpcd_t samba_share_t:file { ioctl read write getattr open };
====
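
As an added example (not part of the bug report, and not code from the selinux-policy or Samba projects), the script below does for the two AVC records quoted above what audit2allow does by hand: it parses each denial, groups the denied permissions by (source type, target type, object class) and renders a .te module in the same layout as the customer's my-samba-dcerpcd.te. The two AVC lines are copied verbatim from the ausearch output in this report; the function and module names are my own.

```python
import re
from collections import defaultdict

# The two AVC records from this bug report, copied from the ausearch
# output above. No additional denials were constructed for the example.
SAMPLE_AVC = """\
type=AVC msg=audit(12/06/2022 12:57:04.568:900) : avc:  denied  { read } for  pid=7057 comm=samba-dcerpcd path=/shared/*****/***** dev="dm-0" ino=960522 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=AVC msg=audit(12/06/2022 12:58:18.767:2236) : avc:  denied  { name_connect } for  pid=7080 comm=samba-dcerpcd dest=389 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
"""

# Only the fields an allow rule needs: the permission set, both security
# contexts and the object class. SYSCALL, PATH, PROCTITLE and other
# record types do not match and are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Third field of user:role:type[:level], e.g. winbind_rpcd_t."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Map (source type, target type, class) -> set of denied permissions.

    Denials against the same triple are merged, so several AVC lines for
    one file type collapse into a single allow rule.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def fmt_perms(perms):
    """'read' for one permission, '{ open read }' for several (sorted)."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_te(rules, module="my-samba-dcerpcd", version="1.0"):
    """Render the rules as a .te module in the layout the customer used."""
    types = set()
    classes = defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)

    out = [f"module {module} {version};", "", "require {"]
    out += [f"        type {t};" for t in sorted(types)]
    out += [f"        class {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_te(parse_denials(SAMPLE_AVC)), end="")
```

Run against the two records above, the module contains exactly `allow winbind_rpcd_t ldap_port_t:tcp_socket name_connect;` and `allow winbind_rpcd_t samba_share_t:dir read;`, which is narrower than the customer's module (that one also grants file ioctl/read/write/getattr/open) and narrower than the upstream fix listed in Comment 5, which lets winbind-rpcd manage samba_share_t files and dirs. Treat a module generated from a handful of denials as a lower bound: the first denial in a code path can hide the next one, so re-run ausearch after installing it. Build and load such a module with `checkmodule -M -m -o my-samba-dcerpcd.mod my-samba-dcerpcd.te`, `semodule_package -o my-samba-dcerpcd.pp -m my-samba-dcerpcd.mod` and `semodule -i my-samba-dcerpcd.pp`, and remove it with `semodule -r my-samba-dcerpcd` once selinux-policy-3.14.3-115.el8 or later (the Fixed In Version) is installed, so the local rules do not outlive the bug they worked around.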

Comment 1 Zdenek Pytela 2022-12-19 15:00:19 UTC
Andreas,

Should samba-dcerpcd be allowed to connect to ldap port?

Comment 2 Andreas Schneider 2022-12-19 16:53:28 UTC
I think someone could configure a passdb backend for ldap. So yes, in that case we need to talk to the ldap port.

Comment 3 Zdenek Pytela 2022-12-22 12:17:10 UTC
Thank you, Andreas.

Comment 5 Zdenek Pytela 2023-01-04 13:49:29 UTC
Commits to backport:
e91d34918 (HEAD -> rawhide, upstream/rawhide) Allow winbind-rpcd make a TCP connection to the ldap port
9921e2392 Allow winbind-rpcd manage samba_share_t files and dirs

Comment 20 errata-xmlrpc 2023-05-16 09:04:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965