FreeIPA upstream tests uncovered an issue in SELinux policy for Samba. Samba installs a dispatcher hook to NetworkManager and this hook is ran by the NetworkManager in a network status change situation. When a network change happens, the hook runs a testparm to check whether configuration has been extended to provide an offline logon support. In FreeIPA environment this means looking into the Samba registry. However, an SELinux policy does not allow 'NetworkManager_dispatcher_winbind_t' context to access 'samba_var_t' context. http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/83a8ea8e-2a8b-11ee-8aec-fa163e33b8c8/test_integration-test_adtrust_install.py-TestIpaAdTrustInstall-uninstall/master.ipa.test/var/log/audit/audit.log.gz type=SERVICE_START msg=audit(1690250776.068:4270): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" type=AVC msg=audit(1690250776.237:4271): avc: denied { read write } for pid=15249 comm="testparm" name="registry.tdb" dev="vda5" ino=215804 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=1 type=AVC msg=audit(1690250776.238:4272): avc: denied { open } for pid=15249 comm="testparm" path="/var/lib/samba/registry.tdb" dev="vda5" ino=215804 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=1 type=AVC msg=audit(1690250776.240:4273): avc: denied { lock } for pid=15249 comm="testparm" path="/var/lib/samba/registry.tdb" dev="vda5" ino=215804 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=1 type=AVC msg=audit(1690250776.240:4274): avc: denied { getattr } for pid=15249 comm="testparm" path="/var/lib/samba/registry.tdb" dev="vda5" ino=215804 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=1 type=AVC msg=audit(1690250776.240:4275): avc: denied { map } for pid=15249 comm="testparm" path="/var/lib/samba/registry.tdb" dev="vda5" ino=215804 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=1 Reproducible: Always
FEDORA-2023-79e968d189 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-79e968d189
FEDORA-2023-79e968d189 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-79e968d189` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-79e968d189 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-79e968d189 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.