2225377 – AVCs for accessing Samba registry

Bug 2225377 - AVCs for accessing Samba registry

Summary: AVCs for accessing Samba registry

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	38
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-07-25 06:48 UTC by Alexander Bokovoy
Modified:	2023-07-25 06:48 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Alexander Bokovoy 2023-07-25 06:48:35 UTC

FreeIPA upstream tests uncovered an issue in SELinux policy for Samba. Samba installs a dispatcher hook to NetworkManager and this hook is ran by the NetworkManager in a network status change situation.

When a network change happens, the hook runs a testparm to check whether configuration has been extended to provide an offline logon support.

In FreeIPA environment this means looking into the Samba registry. However, an SELinux policy does not allow 'NetworkManager_dispatcher_winbind_t' context to access 'samba_var_t' context.

http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/83a8ea8e-2a8b-11ee-8aec-fa163e33b8c8/test_integration-test_adtrust_install.py-TestIpaAdTrustInstall-uninstall/master.ipa.test/var/log/audit/audit.log.gz

type=SERVICE_START msg=audit(1690250776.068:4270): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1690250776.237:4271): avc:  denied  { read write } for  pid=15249 comm="testparm" name="registry.tdb" dev="vda5" ino=215804 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1690250776.238:4272): avc:  denied  { open } for  pid=15249 comm="testparm" path="/var/lib/samba/registry.tdb" dev="vda5" ino=215804 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1690250776.240:4273): avc:  denied  { lock } for  pid=15249 comm="testparm" path="/var/lib/samba/registry.tdb" dev="vda5" ino=215804 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1690250776.240:4274): avc:  denied  { getattr } for  pid=15249 comm="testparm" path="/var/lib/samba/registry.tdb" dev="vda5" ino=215804 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1690250776.240:4275): avc:  denied  { map } for  pid=15249 comm="testparm" path="/var/lib/samba/registry.tdb" dev="vda5" ino=215804 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=1


Reproducible: Always

Note You need to log in before you can comment on or make changes to this bug.