FreeIPA upstream test test_smb.py is failing in enforcing mode. The test is installing an IPA server with adtrust, then sets up 2 machines as IPA clients. The first client is set up as a samba file server with "ipa-client-samba -U". The second client tries to mount the share with "mount -t cifs //client1.testrelm.test/homes /mnt/smb -o sec=krb5i,multiuser" but the command fails.

Test source code: https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_smb.py

Failing run in enforcing mode: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/c152288e-19bd-11ee-ab7c-fa163efad384/report.html
Associated logs: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/c152288e-19bd-11ee-ab7c-fa163efad384/test_integration-test_smb.py-TestSMB-test_smb_access_for_ipa_user_at_ipa_client/client0.ipa.test/

Successful run in permissive mode: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/308447a4-1bef-11ee-9e91-fa163e472ef6/report.html
Associated logs: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/308447a4-1bef-11ee-9e91-fa163e472ef6/test_integration-test_smb.py-TestSMB-test_smb_access_for_ipa_user_at_ipa_client/client0.ipa.test/

Reproducible: Always

Steps to Reproduce:
1. install ipa server and set up an AD trust
2. install client1 as IPA client, configure as samba file server using ipa-client-samba
3. install client2 as IPA client, try to mount a file from client1 using "mount -t cifs //client1.testrelm.test/homes /mnt/smb -o sec=krb5i,multiuser"

Actual Results:
The mount command fails:
ipa: ERROR: stderr: mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

Expected Results:
mount should succeed.
pytest output:
2023-07-06T10:28:05-0400 [ipatests.pytest_ipa.integration.host.Host.client2.IPAOpenSSHTransport] INFO RUN ['mount', '-t', 'cifs', '//client1.testrelm.test/homes', '/mnt/smb', '-o', 'sec=krb5i,multiuser']
2023-07-06T10:28:05-0400 [ipatests.pytest_ipa.integration.host.Host.client2.cmd72] DEBUG RUN ['mount', '-t', 'cifs', '//client1.testrelm.test/homes', '/mnt/smb', '-o', 'sec=krb5i,multiuser']
2023-07-06T10:28:05-0400 [ipatests.pytest_ipa.integration.host.Host.client2.cmd72] DEBUG mount error(126): Required key not available
2023-07-06T10:28:05-0400 [ipatests.pytest_ipa.integration.host.Host.client2.cmd72] DEBUG Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
2023-07-06T10:28:05-0400 [ipatests.pytest_ipa.integration.host.Host.client2.cmd72] DEBUG Exit code: 32
2023-07-06T10:28:05-0400 [ipatests.pytest_ipa.integration.host.Host.client2.cmd72] ERROR stderr: mount error(126): Required key not available

Journal from client2:
Jul 06 14:28:06 client2.testrelm.test kernel: FS-Cache: Loaded
Jul 06 14:28:06 client2.testrelm.test kernel: Key type dns_resolver registered
Jul 06 14:28:06 client2.testrelm.test kernel: Key type cifs.spnego registered
Jul 06 14:28:06 client2.testrelm.test kernel: Key type cifs.idmap registered
Jul 06 14:28:06 client2.testrelm.test kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3.1.1 (or even SMB3 or SMB2.1) specify vers=1.0 on mount.
Jul 06 14:28:06 client2.testrelm.test kernel: CIFS: Attempting to mount \\client1.testrelm.test\homes
Jul 06 14:28:06 client2.testrelm.test cifs.upcall[14015]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=client1.testrelm.test;ip4=10.0.195.104;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x36b0
Jul 06 14:28:06 client2.testrelm.test cifs.upcall[14016]: ver=2
Jul 06 14:28:06 client2.testrelm.test cifs.upcall[14016]: host=client1.testrelm.test
Jul 06 14:28:06 client2.testrelm.test cifs.upcall[14016]: ip=10.0.195.104
Jul 06 14:28:06 client2.testrelm.test cifs.upcall[14016]: sec=1
Jul 06 14:28:06 client2.testrelm.test cifs.upcall[14016]: uid=0
Jul 06 14:28:06 client2.testrelm.test cifs.upcall[14016]: creduid=0
Jul 06 14:28:06 client2.testrelm.test cifs.upcall[14016]: user=root
Jul 06 14:28:06 client2.testrelm.test cifs.upcall[14016]: pid=14000
Jul 06 14:28:06 client2.testrelm.test kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
Jul 06 14:28:06 client2.testrelm.test kernel: CIFS: VFS: \\client1.testrelm.test Send error in SessSetup = -126
Jul 06 14:28:06 client2.testrelm.test audit[14015]: AVC avc: denied { sys_admin } for pid=14015 comm="cifs.upcall" capability=21 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0
Jul 06 14:28:06 client2.testrelm.test cifs.upcall[14015]: switch_to_process_ns: setns() failed for cgroup
Jul 06 14:28:06 client2.testrelm.test cifs.upcall[14015]: unable to switch to process namespace: Operation not permitted
Jul 06 14:28:06 client2.testrelm.test cifs.upcall[14015]: Exit status 1
Jul 06 14:28:06 client2.testrelm.test kernel: CIFS: VFS: cifs_mount failed w/return code = -126

client2 audit:
type=AVC msg=audit(1688653686.363:2082): avc: denied { sys_admin } for pid=14015 comm="cifs.upcall" capability=21 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0

There was a similar issue opened against selinux-policy-38.9-1.fc38 (BZ #2182643) but it was marked as fixed in selinux-policy-38.17-1.fc38 and my test is using selinux-policy-38.20-1.fc38.noarch.
# audit2why -a
...
type=AVC msg=audit(1688653686.363:2082): avc: denied { sys_admin } for pid=14015 comm="cifs.upcall" capability=21 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
...

# audit2allow -a

#============= cifs_helper_t ==============
allow cifs_helper_t self:capability sys_admin;
Hm... would be nice to know what triggers the need for CAP_SYS_ADMIN in this scenario. Could you please follow [1] on client2 to obtain a kernel backtrace for the denial?

[1] https://fedoraproject.org/wiki/SELinux/Debugging#Using_tracefs
Hi, here is the requested info.

# cat /sys/kernel/tracing/trace
# tracer: nop
#
# entries-in-buffer/entries-written: 10/10   #P:1
#
#                                _-----=> irqs-off/BH-disabled
#                               / _----=> need-resched
#                              | / _---=> hardirq/softirq
#                              || / _--=> preempt-depth
#                              ||| / _-=> migrate-disable
#                              |||| /     delay
#           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION
#              | |         |   |||||     |         |
     cifs.upcall-14111   [000] ..... 5816.895010: selinux_audited: requested=0x200000 denied=0x200000 audited=0x200000 result=-13 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability
     cifs.upcall-14111   [000] ..... 5816.895022: <stack trace>
 => trace_event_raw_event_selinux_audited
 => avc_audit_post_callback
 => common_lsm_audit
 => slow_avc_audit
 => cred_has_capability.isra.0
 => security_capable
 => ns_capable
 => cgroupns_install
 => __do_sys_setns
 => do_syscall_64
 => entry_SYSCALL_64_after_hwframe
     cifs.upcall-14270   [000] ..... 5820.251543: selinux_audited: requested=0x200000 denied=0x200000 audited=0x200000 result=-13 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability
     cifs.upcall-14270   [000] ..... 5820.251554: <stack trace>
 => trace_event_raw_event_selinux_audited
 => avc_audit_post_callback
 => common_lsm_audit
 => slow_avc_audit
 => cred_has_capability.isra.0
 => security_capable
 => ns_capable
 => cgroupns_install
 => __do_sys_setns
 => do_syscall_64
 => entry_SYSCALL_64_after_hwframe
     cifs.upcall-14429   [000] ..... 5824.037852: selinux_audited: requested=0x200000 denied=0x200000 audited=0x200000 result=-13 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability
     cifs.upcall-14429   [000] ..... 5824.037859: <stack trace>
 => trace_event_raw_event_selinux_audited
 => avc_audit_post_callback
 => common_lsm_audit
 => slow_avc_audit
 => cred_has_capability.isra.0
 => security_capable
 => ns_capable
 => cgroupns_install
 => __do_sys_setns
 => do_syscall_64
 => entry_SYSCALL_64_after_hwframe
     cifs.upcall-14689   [000] ..... 5832.392893: selinux_audited: requested=0x200000 denied=0x200000 audited=0x200000 result=-13 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability
     cifs.upcall-14689   [000] ..... 5832.392905: <stack trace>
 => trace_event_raw_event_selinux_audited
 => avc_audit_post_callback
 => common_lsm_audit
 => slow_avc_audit
 => cred_has_capability.isra.0
 => security_capable
 => ns_capable
 => cgroupns_install
 => __do_sys_setns
 => do_syscall_64
 => entry_SYSCALL_64_after_hwframe
     cifs.upcall-15845   [000] ..... 5860.861077: selinux_audited: requested=0x200000 denied=0x200000 audited=0x200000 result=-13 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability
     cifs.upcall-15845   [000] ..... 5860.861101: <stack trace>
 => trace_event_raw_event_selinux_audited
 => avc_audit_post_callback
 => common_lsm_audit
 => slow_avc_audit
 => cred_has_capability.isra.0
 => security_capable
 => ns_capable
 => cgroupns_install
 => __do_sys_setns
 => do_syscall_64
 => entry_SYSCALL_64_after_hwframe
Ok, so cifs.upcall needs CAP_SYS_ADMIN to switch into the namespaces of the process extracted from the key description (see [1]). I opened a PR to add it to the cifs_helper_t domain, but now I noticed a few other denials in the logs from the permissive run (in comment #0):

----
type=AVC msg=audit(06.07.2023 13:56:06.881:1657) : avc: denied { write } for pid=7642 comm=cifs.upcall name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=1251 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
----
type=AVC msg=audit(06.07.2023 13:56:08.757:1690) : avc: denied { sys_ptrace } for pid=7771 comm=cifs.upcall capability=sys_ptrace scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=1
----
type=AVC msg=audit(06.07.2023 13:56:08.758:1691) : avc: denied { dac_read_search } for pid=7771 comm=cifs.upcall capability=dac_read_search scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=1

Could you run the scenario again in permissive mode with full auditing ([2]) enabled?

[1] https://github.com/aaptel/cifs-utils/blob/464a60344a324311a6f5bb326fdf5f422a3c9005/cifs.upcall.c#L1271-L1282
[2] https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing
In permissive mode here is the output of ausearch:

# sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(07/17/2023 08:54:23.006:372) : avc: denied { map } for pid=1 comm=systemd path=/etc/selinux/targeted/policy/policy.33 dev="vda5" ino=27108 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(07/17/2023 11:37:17.967:2116) : proctitle=cifs.upcall 415573170
type=PATH msg=audit(07/17/2023 11:37:17.967:2116) : item=0 name=/var/run/.heim_org.h5l.kcm-socket inode=1711 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/17/2023 11:37:17.967:2116) : cwd=/
type=SOCKADDR msg=audit(07/17/2023 11:37:17.967:2116) : saddr={ saddr_fam=local path=/var/run/.heim_org.h5l.kcm-socket }
type=SYSCALL msg=audit(07/17/2023 11:37:17.967:2116) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7ffd5ea15630 a2=0x6e a3=0x50 items=1 ppid=13766 pid=14216 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cifs.upcall exe=/usr/sbin/cifs.upcall subj=system_u:system_r:cifs_helper_t:s0 key=(null)
type=AVC msg=audit(07/17/2023 11:37:17.967:2116) : avc: denied { write } for pid=14216 comm=cifs.upcall name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=1711 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
----
type=PROCTITLE msg=audit(07/17/2023 11:37:20.404:2149) : proctitle=cifs.upcall 1047773058
type=PATH msg=audit(07/17/2023 11:37:20.404:2149) : item=0 name=/proc/14327/ns/cgroup inode=4026531835 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/17/2023 11:37:20.404:2149) : cwd=/
type=SYSCALL msg=audit(07/17/2023 11:37:20.404:2149) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x7fff04fe6be0 a2=O_RDONLY a3=0x0 items=1 ppid=13332 pid=14345 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cifs.upcall exe=/usr/sbin/cifs.upcall subj=system_u:system_r:cifs_helper_t:s0 key=(null)
type=AVC msg=audit(07/17/2023 11:37:20.404:2149) : avc: denied { sys_ptrace } for pid=14345 comm=cifs.upcall capability=sys_ptrace scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(07/17/2023 11:37:20.404:2150) : proctitle=cifs.upcall 1047773058
type=PATH msg=audit(07/17/2023 11:37:20.404:2150) : item=0 name=/proc/14327/environ inode=52990 dev=00:14 mode=file,400 ouid=user1 ogid=user1 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/17/2023 11:37:20.404:2150) : cwd=/
type=SYSCALL msg=audit(07/17/2023 11:37:20.404:2150) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7fff04fe6be0 a2=O_RDONLY a3=0x0 items=1 ppid=13332 pid=14345 auid=unset uid=root gid=user1 euid=root suid=root fsuid=root egid=user1 sgid=user1 fsgid=user1 tty=(none) ses=unset comm=cifs.upcall exe=/usr/sbin/cifs.upcall subj=system_u:system_r:cifs_helper_t:s0 key=(null)
type=AVC msg=audit(07/17/2023 11:37:20.404:2150) : avc: denied { dac_read_search } for pid=14345 comm=cifs.upcall capability=dac_read_search scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(07/17/2023 11:37:20.405:2151) : proctitle=cifs.upcall 1047773058
type=PATH msg=audit(07/17/2023 11:37:20.405:2151) : item=0 name=/var/run/.heim_org.h5l.kcm-socket inode=1711 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/17/2023 11:37:20.405:2151) : cwd=/
type=SOCKADDR msg=audit(07/17/2023 11:37:20.405:2151) : saddr={ saddr_fam=local path=/var/run/.heim_org.h5l.kcm-socket }
type=SYSCALL msg=audit(07/17/2023 11:37:20.405:2151) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7fff04fe64b0 a2=0x6e a3=0x50 items=1 ppid=13332 pid=14345 auid=unset uid=user1 gid=user1 euid=user1 suid=user1 fsuid=user1 egid=user1 sgid=user1 fsgid=user1 tty=(none) ses=unset comm=cifs.upcall exe=/usr/sbin/cifs.upcall subj=system_u:system_r:cifs_helper_t:s0 key=(null)
type=AVC msg=audit(07/17/2023 11:37:20.405:2151) : avc: denied { write } for pid=14345 comm=cifs.upcall name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=1711 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
----
type=PROCTITLE msg=audit(07/17/2023 11:37:27.136:2305) : proctitle=cifs.upcall 805872443
type=PATH msg=audit(07/17/2023 11:37:27.136:2305) : item=0 name=/proc/15000/ns/cgroup inode=4026531835 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/17/2023 11:37:27.136:2305) : cwd=/
type=SYSCALL msg=audit(07/17/2023 11:37:27.136:2305) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x7fff9b4dcf10 a2=O_RDONLY a3=0x0 items=1 ppid=13766 pid=15018 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cifs.upcall exe=/usr/sbin/cifs.upcall subj=system_u:system_r:cifs_helper_t:s0 key=(null)
type=AVC msg=audit(07/17/2023 11:37:27.136:2305) : avc: denied { sys_ptrace } for pid=15018 comm=cifs.upcall capability=sys_ptrace scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(07/17/2023 11:37:27.136:2306) : proctitle=cifs.upcall 805872443
type=PATH msg=audit(07/17/2023 11:37:27.136:2306) : item=0 name=/proc/15000/environ inode=54477 dev=00:14 mode=file,400 ouid=testuser ogid=testuser rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/17/2023 11:37:27.136:2306) : cwd=/
type=SYSCALL msg=audit(07/17/2023 11:37:27.136:2306) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7fff9b4dcf10 a2=O_RDONLY a3=0x0 items=1 ppid=13766 pid=15018 auid=unset uid=root gid=testuser euid=root suid=root fsuid=root egid=testuser sgid=testuser fsgid=testuser tty=(none) ses=unset comm=cifs.upcall exe=/usr/sbin/cifs.upcall subj=system_u:system_r:cifs_helper_t:s0 key=(null)
type=AVC msg=audit(07/17/2023 11:37:27.136:2306) : avc: denied { dac_read_search } for pid=15018 comm=cifs.upcall capability=dac_read_search scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(07/17/2023 11:37:27.137:2307) : proctitle=cifs.upcall 805872443
type=PATH msg=audit(07/17/2023 11:37:27.137:2307) : item=0 name=/var/run/.heim_org.h5l.kcm-socket inode=1711 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/17/2023 11:37:27.137:2307) : cwd=/
type=SOCKADDR msg=audit(07/17/2023 11:37:27.137:2307) : saddr={ saddr_fam=local path=/var/run/.heim_org.h5l.kcm-socket }
type=SYSCALL msg=audit(07/17/2023 11:37:27.137:2307) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7fff9b4dc7e0 a2=0x6e a3=0x50 items=1 ppid=13766 pid=15018 auid=unset uid=testuser gid=testuser euid=testuser suid=testuser fsuid=testuser egid=testuser sgid=testuser fsgid=testuser tty=(none) ses=unset comm=cifs.upcall exe=/usr/sbin/cifs.upcall subj=system_u:system_r:cifs_helper_t:s0 key=(null)
type=AVC msg=audit(07/17/2023 11:37:27.137:2307) : avc: denied { write } for pid=15018 comm=cifs.upcall name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=1711 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1
----
type=PROCTITLE msg=audit(07/17/2023 11:38:16.809:2832) : proctitle=cifs.upcall 528616685
type=PATH msg=audit(07/17/2023 11:38:16.809:2832) : item=0 name=/proc/17568/ns/cgroup inode=4026531835 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/17/2023 11:38:16.809:2832) : cwd=/
type=SYSCALL msg=audit(07/17/2023 11:38:16.809:2832) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x7ffe144628f0 a2=O_RDONLY a3=0x0 items=1 ppid=13332 pid=17586 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cifs.upcall exe=/usr/sbin/cifs.upcall subj=system_u:system_r:cifs_helper_t:s0 key=(null)
type=AVC msg=audit(07/17/2023 11:38:16.809:2832) : avc: denied { sys_ptrace } for pid=17586 comm=cifs.upcall capability=sys_ptrace scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(07/17/2023 11:38:16.809:2833) : proctitle=cifs.upcall 528616685
type=PATH msg=audit(07/17/2023 11:38:16.809:2833) : item=0 name=/proc/17568/environ inode=59074 dev=00:14 mode=file,400 ouid=user1 ogid=user1 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/17/2023 11:38:16.809:2833) : cwd=/
type=SYSCALL msg=audit(07/17/2023 11:38:16.809:2833) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7ffe144628f0 a2=O_RDONLY a3=0x0 items=1 ppid=13332 pid=17586 auid=unset uid=root gid=user1 euid=root suid=root fsuid=root egid=user1 sgid=user1 fsgid=user1 tty=(none) ses=unset comm=cifs.upcall exe=/usr/sbin/cifs.upcall subj=system_u:system_r:cifs_helper_t:s0 key=(null)
type=AVC msg=audit(07/17/2023 11:38:16.809:2833) : avc: denied { dac_read_search } for pid=17586 comm=cifs.upcall capability=dac_read_search scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=1
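The audit2why/audit2allow output earlier in this bug and the full-auditing dump above both come down to the same reduction: each AVC record is collapsed to (source type, target type, object class, permission) and records on the same triple are merged into one TE allow rule. The following Python is an added example written for this thread; it is not code from selinux-policy, cifs-utils or FreeIPA. It accepts both layouts seen here (raw audit.log with an epoch timestamp and quoted comm, and the `ausearch -i` layout with a decoded timestamp and bare comm), derives the implied allow rules, and separately lists the denials recorded with permissive=0, which are the ones that actually failed a syscall rather than merely being logged because the host was permissive. The sample lines are constructed from the records quoted in this bug, including the unrelated init_t denial that `-ts today` swept in.

```python
"""Summarise SELinux AVC denials into the TE allow rules they imply.

Added example for this bug thread (not part of selinux-policy, cifs-utils or
FreeIPA).  It re-implements, for the records quoted here, the aggregation
that audit2allow performs, and flags which denials were enforced.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the denials quoted in this bug.  The last
# line is a non-AVC record and must be ignored by the parser.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1688653686.363:2082): avc: denied { sys_admin } for pid=14015 '
    'comm="cifs.upcall" capability=21 scontext=system_u:system_r:cifs_helper_t:s0 '
    'tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(07/17/2023 11:37:17.967:2116) : avc: denied { write } for pid=14216 '
    'comm=cifs.upcall name=.heim_org.h5l.kcm-socket dev="tmpfs" ino=1711 '
    'scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 '
    'tclass=sock_file permissive=1',
    'type=AVC msg=audit(07/17/2023 11:37:20.404:2149) : avc: denied { sys_ptrace } for pid=14345 '
    'comm=cifs.upcall capability=sys_ptrace scontext=system_u:system_r:cifs_helper_t:s0 '
    'tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(07/17/2023 11:37:20.404:2150) : avc: denied { dac_read_search } for pid=14345 '
    'comm=cifs.upcall capability=dac_read_search scontext=system_u:system_r:cifs_helper_t:s0 '
    'tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(07/17/2023 08:54:23.006:372) : avc: denied { map } for pid=1 comm=systemd '
    'path=/etc/selinux/targeted/policy/policy.33 dev="vda5" ino=27108 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 '
    'tclass=file permissive=0',
    'type=SYSCALL msg=audit(07/17/2023 11:37:20.404:2149) : arch=x86_64 syscall=openat success=yes',
]

# One regex covers both layouts: comm may or may not be quoted, and the
# permissive= field may be absent on older kernels.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r'.*?comm="?(?P<comm>[^"\s]+)"?'
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": m.group("comm"),
        "source": selinux_type(m.group("scontext")),
        "target": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=0 means the access really was refused.
        "enforced": m.group("permissive") == "0",
    }


def allow_rules(lines):
    """Merge denials into TE allow rules, one per (source, target, class)."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        # Policy writes a domain's access to its own type as "self".
        target = "self" if rec["target"] == rec["source"] else rec["target"]
        needed[(rec["source"], target, rec["tclass"])].update(rec["perms"])
    rules = []
    for (source, target, tclass), perms in sorted(needed.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules


def enforced_denials(lines):
    """(source, class, permission) triples recorded with permissive=0."""
    hits = set()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["enforced"]:
            for perm in rec["perms"]:
                hits.add((rec["source"], rec["tclass"], perm))
    return sorted(hits)


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC_LINES):
        print(rule)
    print("enforced:", enforced_denials(SAMPLE_AVC_LINES))
```

Run against a real dump, feed it `ausearch -i -m avc -ts today` output line by line; the grouped rules give a reviewer one line per domain and class to reason about instead of dozens of near-duplicate records, and the enforced list shows which of them explains the failure seen in enforcing mode (here, only `cifs_helper_t self:capability sys_admin`). As the thread itself does with the tracefs backtrace, each derived rule is a question to answer about why the domain needs that access, not a module to load as-is.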
Sorry for the late reaction, this has slipped off my radar :( I have updated the pull request based on your logs and marked it as ready for review.