Bug 2152642 - AVC denied errors from samba-dcerpcd on Samba 4.16.4
Summary: AVC denied errors from samba-dcerpcd on Samba 4.16.4
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2023-01-24
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.7
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.8
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-12-12 15:24 UTC by Bijesh Thekkepat
Modified: 2023-05-16 11:02 UTC
CC List: 8 users

Fixed In Version: selinux-policy-3.14.3-115.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-16 09:04:19 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System / ID | Status | Summary | Last Updated
Github fedora-selinux selinux-policy pull 1519 | Merged | Allow winbind-rpcd manage samba_share_t files and dirs | 2022-12-19 15:00:18 UTC
Github fedora-selinux selinux-policy pull 1535 | Merged | Allow winbind-rpcd make a TCP connection to the ldap port | 2023-01-26 14:29:58 UTC
Red Hat Bugzilla 2150680 | CLOSED (priority medium) | SELinux samba-dcerpcd (Samba 4.16) access denied | 2023-06-13 06:19:09 UTC
Red Hat Issue Tracker RHELPLAN-141916 | - | - | 2022-12-12 15:29:48 UTC
Red Hat Product Errata RHBA-2023:2965 | - | - | 2023-05-16 09:04:37 UTC

Description Bijesh Thekkepat 2022-12-12 15:24:20 UTC
Description of problem:

With SELinux enforcing on Samba 4.16.4 (RHEL 8.7) there is a wait of a few seconds while opening certain files (docx, pdf, ...) from a Windows client (tested on Windows Server 2016 Standard). Audit logs show AVC denied errors for /usr/libexec/samba/samba-dcerpcd.


Version-Release number of selected component (if applicable):
RHEL 8.7
samba-4.16.4-2.el8.x86_64
samba-libs-4.16.4-2.el8.x86_64
samba-client-4.16.4-2.el8.x86_64
samba-common-tools-4.16.4-2.el8.x86_64
samba-winbind-modules-4.16.4-2.el8.x86_64
samba-winbind-clients-4.16.4-2.el8.x86_64
samba-common-libs-4.16.4-2.el8.x86_64
samba-winbind-4.16.4-2.el8.x86_64
samba-common-4.16.4-2.el8.noarch
samba-client-libs-4.16.4-2.el8.x86_64


How reproducible:

With SELinux enforcing, as soon as we open a png file from the share there is a slight delay and the audit logs show avc: denied for samba-dcerpcd.

Actual results:

====
$ cat /var/log/samba/log.
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2022/12/06 12:50:18.746363,  0] ../../source3/passdb/pdb_interface.c:182(make_pdb_method_name)
  pdb backend ldapsam:ldap://127.0.0.1 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2022/12/06 12:50:18.746430,  0] ../../lib/util/fault.c:172(smb_panic_log)
  ===============================================================
[2022/12/06 12:50:18.746474,  0] ../../lib/util/fault.c:176(smb_panic_log)
  INTERNAL ERROR: pdb_get_methods: failed to get pdb methods for backend ldapsam:ldap://127.0.0.1
   in pid 6716 (4.16.4)
[2022/12/06 12:50:18.746509,  0] ../../lib/util/fault.c:181(smb_panic_log)
  If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2022/12/06 12:50:18.746521,  0] ../../lib/util/fault.c:182(smb_panic_log)
  ===============================================================
[2022/12/06 12:50:18.746532,  0] ../../lib/util/fault.c:184(smb_panic_log)
  PANIC (pid 6716): pdb_get_methods: failed to get pdb methods for backend ldapsam:ldap://127.0.0.1
   in 4.16.4
[2022/12/06 12:50:18.746748,  0] ../../lib/util/fault.c:288(log_stack_trace)
  BACKTRACE: 14 stack frames:
   #0 /lib64/libsamba-util.so.0(log_stack_trace+0x34) [0x7fb7b28ea7b4]
   #1 /lib64/libsamba-util.so.0(smb_panic+0xd) [0x7fb7b28eaa0d]
   #2 /lib64/libsamba-passdb.so.0(+0x1ce49) [0x7fb7b2850e49]
   #3 /lib64/libsamba-passdb.so.0(+0x1f495) [0x7fb7b2853495]
   #4 /lib64/libsamba-passdb.so.0(xid_to_sid+0xa3) [0x7fb7b284b8d3]
   #5 /lib64/libsamba-passdb.so.0(gid_to_sid+0x2b) [0x7fb7b284bbeb]
   #6 /usr/libexec/samba/samba-dcerpcd(+0x16ca9) [0x5650b44bcca9]
   #7 /usr/libexec/samba/samba-dcerpcd(create_local_nt_token_from_info3+0x305) [0x5650b44bdc95]
   #8 /usr/libexec/samba/samba-dcerpcd(+0x105cf) [0x5650b44b65cf]
   #9 /usr/libexec/samba/samba-dcerpcd(+0x123a7) [0x5650b44b83a7]
   #10 /usr/libexec/samba/samba-dcerpcd(init_guest_session_info+0x60) [0x5650b44b8690]
   #11 /usr/libexec/samba/samba-dcerpcd(main+0x55f) [0x5650b44b13ef]
   #12 /lib64/libc.so.6(__libc_start_main+0xe5) [0x7fb7b1535d85]
   #13 /usr/libexec/samba/samba-dcerpcd(_start+0x2e) [0x5650b44b2f9e]



$ ausearch -m avc -i

type=PROCTITLE msg=audit(12/06/2022 12:57:04.568:900) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=35 --np-helper --debuglevel=2
type=PATH msg=audit(12/06/2022 12:57:04.568:900) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=16976802 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/06/2022 12:57:04.568:900) : item=0 name=/usr/libexec/samba/samba-dcerpcd inode=25782681 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_rpcd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/06/2022 12:57:04.568:900) : cwd=/tmp
type=EXECVE msg=audit(12/06/2022 12:57:04.568:900) : argc=5 a0=/usr/libexec/samba/samba-dcerpcd a1=--libexec-rpcds a2=--ready-signal-fd=35 a3=--np-helper a4=--debuglevel=2
type=SYSCALL msg=audit(12/06/2022 12:57:04.568:900) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5583b735f4b0 a1=0x5583b734e790 a2=0x5583b7348a00 a3=0x8 items=2 ppid=6789 pid=7057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(12/06/2022 12:57:04.568:900) : avc:  denied  { read } for  pid=7057 comm=samba-dcerpcd path=/shared/*****/***** dev="dm-0" ino=960522 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
-

type=PROCTITLE msg=audit(12/06/2022 12:58:18.767:2236) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=35 --np-helper --debuglevel=2
type=SOCKADDR msg=audit(12/06/2022 12:58:18.767:2236) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=389 }
type=SYSCALL msg=audit(12/06/2022 12:58:18.767:2236) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xf a1=0x55f673a4ace0 a2=0x10 a3=0x0 items=0 ppid=1 pid=7080 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(12/06/2022 12:58:18.767:2236) : avc:  denied  { name_connect } for  pid=7080 comm=samba-dcerpcd dest=389 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
====

Expected results:

There should be no SELinux denials for samba-dcerpcd.

Additional info:

The customer used the SELinux policy module below to work around the issue temporarily:

====
# my-samba-dcerpcd.te
module my-samba-dcerpcd 1.0;

require {
        type ldap_port_t;
        type winbind_rpcd_t;
        type samba_share_t;
        class file { ioctl read write getattr open };
        class dir { ioctl read };
        class tcp_socket name_connect;
}

#============= winbind_rpcd_t ==============
allow winbind_rpcd_t ldap_port_t:tcp_socket name_connect;
allow winbind_rpcd_t samba_share_t:dir { ioctl read };
allow winbind_rpcd_t samba_share_t:file { ioctl read write getattr open };
====
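
The module above is what `audit2allow -M my-samba-dcerpcd` produces from the recorded denials. The script below is an added example for this report (not code from the reporter, from Samba or from selinux-policy) that does the same derivation in plain Python over the two AVC records quoted above, copied in as constructed sample input, so the path from each denial to each allow rule is visible. Function names, the regular expression and the `all_permissive` check are this example's own.

```python
"""Derive an SELinux local-policy module from `ausearch -m avc -i` records.

Added example for Bug 2152642; not code from the report, Samba or
selinux-policy. It reproduces the core of `audit2allow -M <name>`.
"""
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the report
# (the share path is masked in the report as well).
SAMPLE_AVCS = """\
type=AVC msg=audit(12/06/2022 12:57:04.568:900) : avc:  denied  { read } for  pid=7057 comm=samba-dcerpcd path=/shared/*****/***** dev="dm-0" ino=960522 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=AVC msg=audit(12/06/2022 12:58:18.767:2236) : avc:  denied  { name_connect } for  pid=7080 comm=samba-dcerpcd dest=389 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
"""

# Matches the fields audit2allow needs: permission set, source/target
# context, object class, and the permissive flag when present.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms, enforced) per AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # PATH, SYSCALL, PROCTITLE records carry no denial
        yield (
            type_of(m["scontext"]),
            type_of(m["tcontext"]),
            m["tclass"],
            frozenset(m["perms"].split()),
            m["permissive"] != "1",
        )


def collect_rules(text):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms, _enforced in parse_avcs(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def all_permissive(text):
    """True only if every record was logged with permissive=1.

    In enforcing mode a process stops at the first denial on a code path,
    so a module derived from enforcing-mode logs is often incomplete.
    """
    records = list(parse_avcs(text))
    return bool(records) and not any(enforced for *_, enforced in records)


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules, version="1.0"):
    """Render .te source: module header, require block, one allow rule per key."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_stype, _ttype, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_list(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for key in sorted(rules):
        stype, ttype, tclass = key
        out.append(f"allow {stype} {ttype}:{tclass} {_perm_list(rules[key])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Build from the sample; in practice feed real `ausearch -m avc -i` output.
    print(render_module("my-samba-dcerpcd", collect_rules(SAMPLE_AVCS)), end="")
```

Two things worth noting when comparing the output with the customer's module. First, the derived module is narrower (only `dir read` and `tcp_socket name_connect`): the report quotes just two AVC records, and since both carry `permissive=0`, each was the first denial hit on its code path; the customer's extra `dir ioctl` and `file { ioctl read write getattr open }` rules came from denials that only appear once the first ones are allowed. Collecting with the domain temporarily permissive (`semanage permissive -a winbind_rpcd_t`, removed again with `-d`) logs the whole set in one pass. Second, a raw allow module is a stopgap: the packaged fix in selinux-policy-3.14.3-115.el8 grants the access through the policy's own interfaces (the two fedora-selinux pull requests linked above), so the local module should be removed with `semodule -r my-samba-dcerpcd` once that package is installed. The usual build for a generated .te is `checkmodule -M -m -o x.mod x.te`, `semodule_package -o x.pp -m x.mod`, `semodule -i x.pp`.
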

Comment 1 Zdenek Pytela 2022-12-19 15:00:19 UTC
Andreas,

Should samba-dcerpcd be allowed to connect to ldap port?

Comment 2 Andreas Schneider 2022-12-19 16:53:28 UTC
I think someone could configure a passdb backend for ldap. So yes, in that case we need to talk to the ldap port.

Comment 3 Zdenek Pytela 2022-12-22 12:17:10 UTC
Thank you, Andreas.

Comment 5 Zdenek Pytela 2023-01-04 13:49:29 UTC
Commits to backport:
e91d34918 (HEAD -> rawhide, upstream/rawhide) Allow winbind-rpcd make a TCP connection to the ldap port
9921e2392 Allow winbind-rpcd manage samba_share_t files and dirs

Comment 20 errata-xmlrpc 2023-05-16 09:04:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965

