Bug 2210771 - [Regression] AVC reported when samba-dcerpcd tries to read Samba shares
Summary: [Regression] AVC reported when samba-dcerpcd tries to read Samba shares
Keywords:
Status: ON_QA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.8
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 8.9
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2230365
Reported: 2023-05-29 12:51 UTC by Abhijeet Joshi
Modified: 2023-08-17 15:48 UTC (History)
CC List: 12 users

Fixed In Version: selinux-policy-3.14.3-125.el8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 2230365
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Links
Github fedora-selinux/selinux-policy pull 1786 (Draft): Update winbind-rpcd policy for printing (last updated 2023-07-18 20:47:06 UTC)
Github fedora-selinux/selinux-policy pull 1807 (open): Allow winbind-rpcd use its private tmp dirs and files (last updated 2023-08-01 09:54:34 UTC)
Red Hat Issue Tracker RHELPLAN-158432 (last updated 2023-05-29 12:55:00 UTC)

Comment 1 Zdenek Pytela 2023-05-29 14:33:23 UTC
Can you describe the scenario so that we can ensure no additional denials appear?

Comment 6 Pavel Filipensky 2023-07-25 12:08:29 UTC
Discussed also with Andreas Schneider. Denis will create a test using virtual PDF Printer:
https://wiki.samba.org/index.php/Virtual_PDF_Printer

Comment 8 Andreas Schneider 2023-07-27 08:16:06 UTC
Note that we have a config change at one point to use /var/tmp as the directory for temporary printing files.

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No


So the dcerpc process needs to be able to write to /var/tmp.

Comment 9 Zdenek Pytela 2023-08-01 09:54:34 UTC
I've added support for using private tmp files in rawhide. You can try the rawhide scratchbuild
https://github.com/fedora-selinux/selinux-policy/pull/1807
Checks -> Artifacts -> rpms.zip

Note from SELinux PoV there is no difference between /tmp and /var/tmp.

Comment 10 Robert Scheck 2023-08-02 09:09:01 UTC
As of writing the following Samba configuration is used:

$ cat /etc/samba/smb.conf
[global]
	workgroup = SAMBA
	security = user
	passdb backend = tdbsam
	printing = cups
	printcap name = cups
	load printers = yes
	cups options = raw

[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes

[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @printadmin root
	force group = @printadmin
	create mask = 0664
	directory mask = 0775

[opsi_depot]
	available = yes
	comment = opsi depot share (ro)
	path = /var/lib/opsi/depot
	follow symlinks = yes
	writeable = no
	invalid users = root
	acl allow execute always = true

[opsi_depot_rw]
	available = yes
	comment = opsi depot share (rw)
	path = /var/lib/opsi/depot
	follow symlinks = yes
	writeable = yes
	invalid users = root

[opsi_images]
	available = yes
	comment = opsi ntfs images share (rw)
	path = /var/lib/opsi/ntfs-images
	writeable = yes
	invalid users = root

[opsi_workbench]
	available = yes
	comment = opsi workbench
	path = /var/lib/opsi/workbench
	writeable = yes
	invalid users = root
	create mask = 0660
	directory mask = 0770

[opsi_repository]
	available = yes
	comment = opsi repository share (ro)
	path = /var/lib/opsi/repository
	follow symlinks = yes
	writeable = no
	invalid users = root

[opsi_logs]
	available = yes
	comment = opsi logs share (ro)
	path = /var/log/opsi
	follow symlinks = yes
	writeable = no
	invalid users = root

[opsi_secrets$]
	available = yes
 	comment = local admin passwords (rw)
	path = /var/lib/opsi/secrets
	writable = yes
	invalid users = root
	follow symlinks = yes
$ 

There is no CUPS on the system installed (only cups-client-2.2.6-51.el8.x86_64, cups-libs-2.2.6-51.el8.x86_64).

A specific AVC denied message (where we do not know how to reproduce) that we see is:

type=AVC msg=audit(1690789093.891:70053): avc:  denied  { ioctl } for  pid=516629 comm="samba-dcerpcd" path="/var/lib/opsi/depot" dev="sdb1" ino=268820800 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1690789093.891:70053): arch=c000003e syscall=59 success=yes exit=0 a0=56406679f040 a1=56406679f5b0 a2=564066770550 a3=8 items=0 ppid=516533 pid=516629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=EXECVE msg=audit(1690789093.891:70053): argc=5 a0="/usr/libexec/samba/samba-dcerpcd" a1="--libexec-rpcds" a2="--ready-signal-fd=31" a3="--np-helper" a4="--debuglevel=0"
type=PROCTITLE msg=audit(1690789093.891:70053): proctitle=2F7573722F6C6962657865632F73616D62612F73616D62612D64636572706364002D2D6C6962657865632D7270636473002D2D72656164792D7369676E616C2D66643D3331002D2D6E702D68656C706572002D2D64656275676C6576656C3D30

Given the SELinux boolean samba_enable_home_dirs grants since RHEL 8.8 a lot to winbind_rpcd_t (resulting from other RHBZs), where is the issue to do the equivalent for samba_export_all_rw (and samba_export_all_ro)? Because right now the latter two SELinux booleans grant nothing to winbind_rpcd_t.
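As an added triage example (not part of this bug report, and not code from selinux-policy or Samba), the script below parses the four audit records quoted in comment 10, decodes the PROCTITLE hex back into the samba-dcerpcd argv, and maps the denied path onto the share definitions from the smb.conf above, so a defender can see at a glance which share a winbind_rpcd_t denial belongs to before deciding whether a relabel, a boolean or a policy fix is the right answer. The embedded audit text and smb.conf are abridged copies of what the comment shows; the function names and the share-matching rule are the example's own.

```python
import re
from collections import defaultdict

# Sample input: the audit records quoted in comment 10, abridged (the SYSCALL
# record keeps only a few fields; \x1d is the separator auditd places between
# the raw and the enriched half of a record).
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1690789093.891:70053): avc:  denied  { ioctl } for  pid=516629 '
    'comm="samba-dcerpcd" path="/var/lib/opsi/depot" dev="sdb1" ino=268820800 '
    'scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 '
    'tclass=dir permissive=0\n'
    'type=SYSCALL msg=audit(1690789093.891:70053): arch=c000003e syscall=59 success=yes exit=0 '
    'pid=516629 ppid=516533 uid=0 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" '
    'subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)\x1dARCH=x86_64 SYSCALL=execve UID="root"\n'
    'type=EXECVE msg=audit(1690789093.891:70053): argc=5 a0="/usr/libexec/samba/samba-dcerpcd" '
    'a1="--libexec-rpcds" a2="--ready-signal-fd=31" a3="--np-helper" a4="--debuglevel=0"\n'
    'type=PROCTITLE msg=audit(1690789093.891:70053): proctitle=2F7573722F6C6962657865632F73616D62612F'
    '73616D62612D64636572706364002D2D6C6962657865632D7270636473002D2D72656164792D7369676E616C2D6664'
    '3D3331002D2D6E702D68656C706572002D2D64656275676C6576656C3D30\n'
)

# Sample input: an excerpt of the smb.conf from comment 10 (shares only).
SAMPLE_SMB_CONF = """
[global]
\tworkgroup = SAMBA
[printers]
\tpath = /var/tmp
\tprintable = Yes
[opsi_depot]
\tpath = /var/lib/opsi/depot
\twriteable = no
[opsi_depot_rw]
\tpath = /var/lib/opsi/depot
\twriteable = yes
[opsi_logs]
\tpath = /var/log/opsi
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Turn one audit record into a dict of its key=value fields (None if not a record)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body").replace("\x1d", " ")  # treat the enriched half like more fields
    rec = {"type": m.group("type"), "timestamp": float(m.group("ts")), "serial": int(m.group("serial"))}
    avc = AVC_RE.search(body)
    if avc:
        rec["decision"] = avc.group("decision")
        rec["perms"] = avc.group("perms").split()
    for key, value in FIELD_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def decode_proctitle(value):
    """PROCTITLE is hex-encoded argv joined by NUL bytes; fall back to the raw value if not hex."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return [value]
    return [part.decode("utf-8", "replace") for part in raw.rstrip(b"\x00").split(b"\x00")]


def parse_shares(conf_text):
    """Minimal smb.conf reader: {share_name: {option: value}} for every section except [global]."""
    shares, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            shares[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            shares[current][key.strip().lower()] = value.strip()
    shares.pop("global", None)
    return shares


def shares_for_path(shares, path):
    """Names of shares whose path equals the denied path or is a parent directory of it."""
    hits = []
    for name, opts in shares.items():
        share_path = opts.get("path")
        if share_path and (path == share_path or path.startswith(share_path.rstrip("/") + "/")):
            hits.append(name)
    return sorted(hits)


def parse_events(text):
    """Group records by audit event id (timestamp:serial) -> {record type: [records]}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec:
            events[(rec["timestamp"], rec["serial"])][rec["type"]].append(rec)
    return events


def triage(audit_text, smb_conf):
    """One finding per denied AVC: who, what, on which path, and which shares that path serves."""
    shares = parse_shares(smb_conf)
    findings = []
    for (ts, serial), recs in sorted(parse_events(audit_text).items()):
        argv = []
        for pt in recs.get("PROCTITLE", []):
            argv = decode_proctitle(pt.get("proctitle", ""))
        for avc in recs.get("AVC", []):
            if avc.get("decision") != "denied":
                continue
            path = avc.get("path") or avc.get("name", "?")
            findings.append({
                "serial": serial,
                "comm": avc.get("comm"),
                "source_type": avc["scontext"].split(":")[2],   # e.g. winbind_rpcd_t
                "target_type": avc["tcontext"].split(":")[2],   # e.g. var_lib_t
                "tclass": avc.get("tclass"),
                "perms": avc.get("perms", []),
                "path": path,
                "enforced": avc.get("permissive") == "0",
                "argv": argv,
                "shares": shares_for_path(shares, path),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT, SAMPLE_SMB_CONF):
        print(f"{f['source_type']} denied {{ {' '.join(f['perms'])} }} on {f['tclass']} {f['path']} "
              f"({f['target_type']}); shares: {', '.join(f['shares']) or 'none'}; argv: {f['argv']}")
```

Run against a live system, the audit text would come from `ausearch -m AVC -c samba-dcerpcd` (or the raw audit.log) and the share list from the real /etc/samba/smb.conf; the point of the share mapping is that a generic target type such as var_lib_t on a share path tells you the directory was never labelled as Samba data, which is a different problem from a missing rule in the winbind_rpcd_t domain itself.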

Comment 17 Robert Scheck 2023-08-08 12:08:58 UTC
I've been pointed by CEE/GSS based on case #03449210 to this bug report, but I can not see how https://github.com/fedora-selinux/selinux-policy/commit/2a1568bd76aa0959e4e02d95716b24b8d7f35ab3 (= selinux-policy-3.14.3-125.el8) would address our issue from comment #10 (which is the main issue of case #03449210).
