Bug 2208845 - SELinux is preventing samba-dcerpcd from 'connectto' accesses on the unix_stream_socket /run/systemd/userdb/io.systemd.Machine.
Summary: SELinux is preventing samba-dcerpcd from 'connectto' accesses on the unix_str...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Unspecified
medium
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:80d28d8dc5a99bc5ce8e1fa7a10...
: 2209664 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-05-21 14:02 UTC by Hilário Fochi Silveira
Modified: 2023-07-28 18:25 UTC (History)
10 users (show)

Fixed In Version: selinux-policy-38.15-1.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-31 17:32:20 UTC
Type: ---
Embargoed:
hilario: needinfo-

Attachments (Terms of Use)
File: os_info (699 bytes, text/plain)
2023-05-21 14:02 UTC, Hilário Fochi Silveira 		no flags Details
File: description (2.16 KB, text/plain)
2023-05-21 14:02 UTC, Hilário Fochi Silveira 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1699 0 None open Allow samba-dcerpcd connect to systemd_machined over a unix socket 2023-05-22 13:08:35 UTC

Description Hilário Fochi Silveira 2023-05-21 14:02:51 UTC 
Description of problem:
It begun with after installing Samba
SELinux is preventing samba-dcerpcd from 'connectto' accesses on the unix_stream_socket /run/systemd/userdb/io.systemd.Machine.

*****  Plugin catchall (100. confidence) suggests   **************************

Se você acredita nisso samba-dcerpcd deve ser permitido connectto acesso no io.systemd.Machine unix_stream_socket por padrão.
Then você deve informar que este é um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
permitir este acesso por agora executando:
# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd
# semodule -X 300 -i my-sambadcerpcd.pp

Additional Information:
Source Context                system_u:system_r:winbind_rpcd_t:s0
Target Context                system_u:system_r:systemd_machined_t:s0
Target Objects                /run/systemd/userdb/io.systemd.Machine [
                              unix_stream_socket ]
Source                        samba-dcerpcd
Source Path                   samba-dcerpcd
Port                          <Desconhecido>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.12-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.12-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.15-300.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu May 11 17:37:39 UTC 2023
                              x86_64
Alert Count                   12
First Seen                    2023-05-21 02:06:55 -03
Last Seen                     2023-05-21 02:13:22 -03
Local ID                      32f2ad33-f5ae-489a-8c3f-d6c7632eea6a

Raw Audit Messages
type=AVC msg=audit(1684646002.435:1902): avc:  denied  { connectto } for  pid=27491 comm="rpcd_winreg" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0


Hash: samba-dcerpcd,winbind_rpcd_t,systemd_machined_t,unix_stream_socket,connectto

Version-Release number of selected component:
selinux-policy-targeted-38.12-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.10
comment:        It begun with after installing Samba
reason:         SELinux is preventing samba-dcerpcd from 'connectto' accesses on the unix_stream_socket /run/systemd/userdb/io.systemd.Machine.
type:           libreport
kernel:         6.2.15-300.fc38.x86_64
component:      selinux-policy
package:        selinux-policy-targeted-38.12-1.fc38.noarch
hashmarkername: setroubleshoot
component:      selinux-policy
Comment 1 Hilário Fochi Silveira 2023-05-21 14:02:54 UTC 
Created attachment 1965985 [details]
File: os_info
Comment 2 Hilário Fochi Silveira 2023-05-21 14:02:55 UTC 
Created attachment 1965986 [details]
File: description
Comment 3 Zdenek Pytela 2023-05-22 13:08:35 UTC 
Hi,

Do you happen to know when exactly this denial appears? Have you made any related system changes which could trigger this issue?
Can you also try if this fix is sufficient?

f38# cat local_dcerpcd_machined.cil
(allow winbind_rpcd_t systemd_machined_t (unix_stream_socket (connectto)))
f38# semodule -i local_dcerpcd_machined.cil
Comment 4 Zdenek Pytela 2023-05-24 12:59:30 UTC 
*** Bug 2209664 has been marked as a duplicate of this bug. ***
Comment 5 Fedora Update System 2023-05-30 19:31:43 UTC 
FEDORA-2023-a19eb5132c has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a19eb5132c
Comment 6 Fedora Update System 2023-05-31 02:50:49 UTC 
FEDORA-2023-a19eb5132c has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a19eb5132c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a19eb5132c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 7 Fedora Update System 2023-05-31 17:32:20 UTC 
FEDORA-2023-a19eb5132c has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.