Bug 2210771 - AVC reported when configuring custom print command in smb.conf
Summary: AVC reported when configuring custom print command in smb.conf
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.8
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 8.9
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2230365
Reported: 2023-05-29 12:51 UTC by Abhijeet Joshi
Modified: 2023-11-14 17:57 UTC (History)
CC List: 11 users

Fixed In Version: selinux-policy-3.14.3-125.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 2230365
Environment:
Last Closed: 2023-11-14 15:47:52 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | fedora-selinux selinux-policy pull 1786 | 0 | None | Draft | Update winbind-rpcd policy for printing | 2023-07-18 20:47:06 UTC
Github | fedora-selinux selinux-policy pull 1807 | 0 | None | open | Allow winbind-rpcd use its private tmp dirs and files | 2023-08-01 09:54:34 UTC
Red Hat Issue Tracker | RHELPLAN-158432 | 0 | None | None | None | 2023-05-29 12:55:00 UTC
Red Hat Product Errata | RHBA-2023:7091 | 0 | None | None | None | 2023-11-14 15:48:09 UTC

Comment 1 Zdenek Pytela 2023-05-29 14:33:23 UTC
Can you describe the scenario so that we can ensure no additional denials appear?

Comment 6 Pavel Filipensky 2023-07-25 12:08:29 UTC
Discussed also with Andreas Schneider. Denis will create a test using virtual PDF Printer:
https://wiki.samba.org/index.php/Virtual_PDF_Printer

Comment 8 Andreas Schneider 2023-07-27 08:16:06 UTC
Note that we have a config change at one point to use /var/tmp as the directory for temporary printing files.

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No


So the dcerpc process needs to be able to write to /var/tmp.

Comment 9 Zdenek Pytela 2023-08-01 09:54:34 UTC
I've added support for using private tmp files in rawhide. You can try the rawhide scratchbuild
https://github.com/fedora-selinux/selinux-policy/pull/1807
Checks -> Artifacts -> rpms.zip

Note from SELinux PoV there is no difference between /tmp and /var/tmp.

Comment 10 Robert Scheck 2023-08-02 09:09:01 UTC
As of writing the following Samba configuration is used:

$ cat /etc/samba/smb.conf
[global]
	workgroup = SAMBA
	security = user
	passdb backend = tdbsam
	printing = cups
	printcap name = cups
	load printers = yes
	cups options = raw

[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes

[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @printadmin root
	force group = @printadmin
	create mask = 0664
	directory mask = 0775

[opsi_depot]
	available = yes
	comment = opsi depot share (ro)
	path = /var/lib/opsi/depot
	follow symlinks = yes
	writeable = no
	invalid users = root
	acl allow execute always = true

[opsi_depot_rw]
	available = yes
	comment = opsi depot share (rw)
	path = /var/lib/opsi/depot
	follow symlinks = yes
	writeable = yes
	invalid users = root

[opsi_images]
	available = yes
	comment = opsi ntfs images share (rw)
	path = /var/lib/opsi/ntfs-images
	writeable = yes
	invalid users = root

[opsi_workbench]
	available = yes
	comment = opsi workbench
	path = /var/lib/opsi/workbench
	writeable = yes
	invalid users = root
	create mask = 0660
	directory mask = 0770

[opsi_repository]
	available = yes
	comment = opsi repository share (ro)
	path = /var/lib/opsi/repository
	follow symlinks = yes
	writeable = no
	invalid users = root

[opsi_logs]
	available = yes
	comment = opsi logs share (ro)
	path = /var/log/opsi
	follow symlinks = yes
	writeable = no
	invalid users = root

[opsi_secrets$]
	available = yes
 	comment = local admin passwords (rw)
	path = /var/lib/opsi/secrets
	writable = yes
	invalid users = root
	follow symlinks = yes
$ 

There is no CUPS on the system installed (only cups-client-2.2.6-51.el8.x86_64, cups-libs-2.2.6-51.el8.x86_64).

A specific AVC denied message (where we do not know how to reproduce) that we see is:

type=AVC msg=audit(1690789093.891:70053): avc:  denied  { ioctl } for  pid=516629 comm="samba-dcerpcd" path="/var/lib/opsi/depot" dev="sdb1" ino=268820800 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1690789093.891:70053): arch=c000003e syscall=59 success=yes exit=0 a0=56406679f040 a1=56406679f5b0 a2=564066770550 a3=8 items=0 ppid=516533 pid=516629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=EXECVE msg=audit(1690789093.891:70053): argc=5 a0="/usr/libexec/samba/samba-dcerpcd" a1="--libexec-rpcds" a2="--ready-signal-fd=31" a3="--np-helper" a4="--debuglevel=0"
type=PROCTITLE msg=audit(1690789093.891:70053): proctitle=2F7573722F6C6962657865632F73616D62612F73616D62612D64636572706364002D2D6C6962657865632D7270636473002D2D72656164792D7369676E616C2D66643D3331002D2D6E702D68656C706572002D2D64656275676C6576656C3D30

Given the SELinux boolean samba_enable_home_dirs grants since RHEL 8.8 a lot to winbind_rpcd_t (resulting from other RHBZs), where is the issue to do the equivalent for samba_export_all_rw (and samba_export_all_ro)? Because right now the latter two SELinux booleans grant nothing to winbind_rpcd_t.

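An added example, not part of the bug report or of the Samba/selinux-policy projects: it parses AVC records like the one quoted above and groups denials by source type, target type and object class, the summary one reviews before deciding whether a boolean, a file-context change, or a policy fix is the right answer. The first sample record is the one from comment 10; the SYSCALL record and the third record (with a path auditd hex-encoded because it contains a space) are constructed to exercise the parser.

```python
import re
from collections import defaultdict
# Constructed sample: the AVC record from comment 10, its SYSCALL record (not an AVC,
# skipped), and a made-up record whose path= auditd hex-encoded because it has a space.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1690789093.891:70053): avc:  denied  { ioctl } for  pid=516629 comm="samba-dcerpcd" path="/var/lib/opsi/depot" dev="sdb1" ino=268820800 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1690789093.891:70053): arch=c000003e syscall=59 success=yes exit=0
type=AVC msg=audit(1690789100.000:70060): avc:  denied  { read write } for  pid=516630 comm="samba-dcerpcd" path=2F7661722F746D702F7072696E742073706F6F6C dev="sdb1" ino=1 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
"""
AVC_RE = re.compile(r'^type=AVC msg=audit\(\S+\): avc:\s+'
                    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_KEYS = {'path', 'name', 'comm', 'proctitle'}  # fields auditd hex-escapes when unquoted

def _decode(key, raw):
    if raw.startswith('"'):
        return raw[1:-1]
    if key in HEX_KEYS and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    rec = {'verdict': m['verdict'], 'perms': m['perms'].split()}
    for key, raw in KV_RE.findall(m['rest']):
        rec[key] = _decode(key, raw)
    rec['stype'] = rec['scontext'].split(':')[2]   # e.g. winbind_rpcd_t
    rec['ttype'] = rec['tcontext'].split(':')[2]   # e.g. var_lib_t
    rec['enforced'] = rec.get('permissive') == '0'  # permissive=1 means it was only logged
    return rec

def summarize(audit_text):
    """Group denials by (source type, target type, class) -> (sorted perms, any enforced)."""
    perms, enforced = defaultdict(set), defaultdict(bool)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        perms[key].update(rec['perms'])
        enforced[key] = enforced[key] or rec['enforced']
    return {k: (sorted(v), enforced[k]) for k, v in perms.items()}

def render_rules(summary):
    """audit2allow-style lines for review; a boolean or fcontext change is often the right fix."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};{'' if e else '  # permissive only'}"
            for (s, t, c), (p, e) in summary.items()]
```

Running `render_rules(summarize(SAMPLE_AUDIT))` yields one line per (source, target, class) triple, so the comment 10 denial shows up as winbind_rpcd_t needing ioctl on a var_lib_t directory, which is what has to be matched against the booleans the reporter asks about.
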
Comment 17 Robert Scheck 2023-08-08 12:08:58 UTC
I've been pointed by CEE/GSS based on case #03449210 to this bug report, but I can not see how https://github.com/fedora-selinux/selinux-policy/commit/2a1568bd76aa0959e4e02d95716b24b8d7f35ab3 (= selinux-policy-3.14.3-125.el8) would address our issue from comment #10 (which is the main issue of case #03449210).

Comment 29 Robert Scheck 2023-08-29 08:05:39 UTC
Given it feels like some Red Hat people mixed up two different issues in the same RHBZ, I would like to try to clarify this: Red Hat pointed us from case 03449210 to this RHBZ. We only care about the AVC denied messages in comment #10, our Samba configuration is exactly as in comment #10 - and we do not use any printing and we can not answer any printing related questions.

Comment 38 errata-xmlrpc 2023-11-14 15:47:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7091