Description of problem:
Attempting to access an automounted SMB share using Kerberos credentials cached in sss-kcm.

SELinux is preventing cifs.upcall from using the 'sys_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that cifs.upcall should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'cifs.upcall' --raw | audit2allow -M my-cifsupcall
# semodule -X 300 -i my-cifsupcall.pp

Additional Information:
Source Context                system_u:system_r:cifs_helper_t:s0
Target Context                system_u:system_r:cifs_helper_t:s0
Target Objects                Unknown [ capability ]
Source                        cifs.upcall
Source Path                   cifs.upcall
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.24-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.24-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.4.9-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue Aug 8 21:21:11 UTC 2023 x86_64
Alert Count                   1
First Seen                    2023-08-13 18:32:36 BST
Last Seen                     2023-08-13 18:32:36 BST
Local ID                      10279626-0309-45ad-8835-28412f7d9fef

Raw Audit Messages
type=AVC msg=audit(1691947956.205:393): avc:  denied  { sys_admin } for  pid=7870 comm="cifs.upcall" capability=21  scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0

Hash: cifs.upcall,cifs_helper_t,cifs_helper_t,capability,sys_admin

Version-Release number of selected component:
selinux-policy-targeted-38.24-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing cifs.upcall from using the 'sys_admin' capabilities.
package:        selinux-policy-targeted-38.24-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.4.9-200.fc38.x86_64
comment:        Attempting to access an automounted SMB share using Kerberos credentials cached in sss-kcm.
Created attachment 1983216 (File: description)
Created attachment 1983217 (File: os_info)
Note that there's a pattern of alerts related to cifs.upcall -- this is the .te file generated by audit2allow in this case:

module my-cifsupcall 1.0;

require {
	type syslogd_var_run_t;
	type nsfs_t;
	type mount_t;
	type kerberos_port_t;
	type keyutils_request_t;
	type sssd_public_t;
	type sssd_t;
	type cert_t;
	type sssd_var_run_t;
	type kernel_t;
	type bin_t;
	type cifs_helper_t;
	type krb5_conf_t;
	type passwd_file_t;
	type init_var_run_t;
	type sssd_var_lib_t;
	type devlog_t;
	class file { getattr map open read };
	class lnk_file read;
	class sock_file write;
	class dir { getattr open read search };
	class unix_dgram_socket sendto;
	class process setcap;
	class capability { setgid setuid sys_admin sys_chroot sys_ptrace };
	class tcp_socket { connect create getopt name_connect setopt };
	class unix_stream_socket connectto;
}

#============= cifs_helper_t ==============
allow cifs_helper_t self:capability { sys_admin sys_ptrace };
allow cifs_helper_t sssd_var_run_t:sock_file write;

#============= keyutils_request_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow keyutils_request_t bin_t:file map;
allow keyutils_request_t cert_t:dir search;
allow keyutils_request_t cert_t:file { getattr open read };

#!!!! This avc is allowed in the current policy
allow keyutils_request_t devlog_t:lnk_file read;

#!!!! This avc is allowed in the current policy
allow keyutils_request_t devlog_t:sock_file write;

#!!!! This avc is allowed in the current policy
allow keyutils_request_t init_var_run_t:dir search;
allow keyutils_request_t kerberos_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow keyutils_request_t kernel_t:unix_dgram_socket sendto;
allow keyutils_request_t krb5_conf_t:file { getattr open read };
allow keyutils_request_t mount_t:dir search;
allow keyutils_request_t mount_t:file { open read };
allow keyutils_request_t mount_t:lnk_file read;
allow keyutils_request_t nsfs_t:file { getattr open read };
allow keyutils_request_t passwd_file_t:file { getattr open read };
allow keyutils_request_t self:capability { setgid setuid sys_chroot sys_ptrace };
allow keyutils_request_t self:process setcap;
allow keyutils_request_t self:tcp_socket { connect create getopt setopt };
allow keyutils_request_t sssd_public_t:dir { getattr open read search };
allow keyutils_request_t sssd_public_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow keyutils_request_t sssd_public_t:file map;
allow keyutils_request_t sssd_t:unix_stream_socket connectto;
allow keyutils_request_t sssd_var_lib_t:dir search;
allow keyutils_request_t sssd_var_run_t:sock_file write;

#!!!! This avc is allowed in the current policy
allow keyutils_request_t syslogd_var_run_t:dir search;
James, do you know when these issues started to happen, like with some particular update?

Can you please gather more details with full auditing enabled?
https://bugzilla.redhat.com/show_bug.cgi?id=2220943
I don't really know when it started (updated to selinux-policy-targeted-38.22-1.fc38.noarch from 38.21-1 on 1 Aug) since dnf won't allow me to downgrade, and I don't use SMB very often on this machine (mostly NFS).

The full audit data:

type=PROCTITLE msg=audit(15/08/23 22:30:08.434:1983) : proctitle=cifs.upcall 335004708
type=SYSCALL msg=audit(15/08/23 22:30:08.434:1983) : arch=x86_64 syscall=setns success=no exit=EPERM(Operation not permitted) a0=0x4 a1=CLONE_STOPPED a2=0x563a157a5040 a3=0x0 items=0 ppid=132135 pid=132502 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cifs.upcall exe=/usr/sbin/cifs.upcall subj=system_u:system_r:cifs_helper_t:s0 key=(null)
type=AVC msg=audit(15/08/23 22:30:08.434:1983) : avc:  denied  { sys_admin } for  pid=132502 comm=cifs.upcall capability=sys_admin  scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0

Kernel calltrace from perf:

cifs.upcall 132220 [013] 187746.482896: avc:selinux_audited: requested=0x200000 denied=0x200000 audited=0x200000 result=-13 scontex>
        ffffffff916e1a35 avc_audit_post_callback+0x205 ([kernel.kallsyms])
        ffffffff916e1a35 avc_audit_post_callback+0x205 ([kernel.kallsyms])
        ffffffff9170a922 common_lsm_audit+0x2b2 ([kernel.kallsyms])
        ffffffff916e2d0c slow_avc_audit+0xbc ([kernel.kallsyms])
        ffffffff916e7f1a cred_has_capability.isra.0+0x11a ([kernel.kallsyms])
        ffffffff916dc234 security_capable+0x44 ([kernel.kallsyms])
        ffffffff9111e02b ns_capable+0x2b ([kernel.kallsyms])
        ffffffff91219e77 cgroupns_install+0x27 ([kernel.kallsyms])
        ffffffff911459a4 __do_sys_setns+0x184 ([kernel.kallsyms])
        ffffffff91f99360 do_syscall_64+0x60 ([kernel.kallsyms])
        ffffffff920000f3 entry_SYSCALL_64_after_hwframe+0x77 ([kernel.kallsyms])
            7f3a81945e2b setns+0xb (/usr/lib64/libc.so.6)
            558bffe7ebd5 [unknown] (/usr/sbin/cifs.upcall)
            7f3a81859b49 __libc_start_call_main+0x79 (/usr/lib64/libc.so.6)
            7f3a81859c0a __libc_start_main@@GLIBC_2.34+0x8a (/usr/lib64/libc.so.6)
            558bffe80064 [unknown] (/usr/sbin/cifs.upcall)

/sys/kernel/tracing/trace:

# entries-in-buffer/entries-written: 2/2   #P:16
#
#                                _-----=> irqs-off/BH-disabled
#                               / _----=> need-resched
#                              | / _---=> hardirq/softirq
#                              || / _--=> preempt-depth
#                              ||| / _-=> migrate-disable
#                              |||| /     delay
#           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION
#              | |         |   |||||     |         |
     cifs.upcall-132286  [009] ..... 187807.205554: selinux_audited: requested=0x200000 denied=0x200000 audited=0x200000 result=-13 scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability
     cifs.upcall-132286  [009] ..... 187807.205562: <stack trace>
 => trace_event_raw_event_selinux_audited
 => avc_audit_post_callback
 => common_lsm_audit
 => slow_avc_audit
 => cred_has_capability.isra.0
 => security_capable
 => ns_capable
 => cgroupns_install
 => __do_sys_setns
 => do_syscall_64
 => entry_SYSCALL_64_after_hwframe
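The records quoted in this thread are easier to reason about once the AVC record is joined to the SYSCALL record that shares its event serial: the setroubleshoot alert in the description quotes only the AVC (capability=21), while the ausearch -i output in the last comment carries the SYSCALL record too, and that join is what shows the sys_admin denial comes from setns() (the kernel stack confirms it: cgroupns_install calls ns_capable, which SELinux audits as a capability check against cifs_helper_t itself). The following is an added example written for this page, not code from the bug report, from selinux-policy or from cifs-utils. The sample records are constructed to mirror the ones in the thread, and the CAP_NAMES table is the numbering from include/uapi/linux/capability.h.

```python
"""Join SELinux AVC denials to the SYSCALL records that raised them.

Added example for this bug thread; not code from the report, selinux-policy
or cifs-utils. Handles both record forms seen in the thread: the raw
"audit(epoch.ms:serial)" form setroubleshoot quotes and the interpreted
"audit(dd/mm/yy hh:mm:ss.ms:serial)" form printed by `ausearch -i`.
"""
import re
from collections import defaultdict

# Capability numbering from include/uapi/linux/capability.h: a raw AVC says
# "capability=21", the interpreted record says "capability=sys_admin".
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

# key=value tokens: quoted, bare, or bare with a parenthesised suffix such as
# exit=EPERM(Operation not permitted) or msg=audit(15/08/23 ...:1983).
_KV = re.compile(r'(\w+)=("[^"]*"|[^\s(]+(?:\([^)]*\))?|\S+)')
_PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Split one audit record into its fields, adding 'serial' (the event id
    shared by all records of one syscall) and, for AVCs, 'perms'/'denied'."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    msg = rec.get("msg", "")
    if msg.startswith("audit(") and msg.endswith(")"):
        rec["serial"] = msg[6:-1].rsplit(":", 1)[-1]
    if rec.get("type") == "AVC":
        m = _PERMS.search(line)
        rec["perms"] = m.group(1).split() if m else []
        rec["denied"] = " denied " in line
    return rec


def cap_name(value):
    """Normalise 'capability=21' / 'capability=sys_admin' to a bare name."""
    if value.isdigit():
        n = int(value)
        return CAP_NAMES[n] if n < len(CAP_NAMES) else f"cap_{n}"
    return value


def explain_denials(lines):
    """Group records by serial; return one dict per denied AVC record, joined
    with the SYSCALL record of the same event when the input has one."""
    events = defaultdict(list)
    for line in filter(None, map(str.strip, lines)):
        rec = parse_record(line)
        events[rec.get("serial")].append(rec)

    out = []
    for serial, recs in events.items():
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), {})
        for avc in recs:
            if avc.get("type") != "AVC" or not avc.get("denied"):
                continue
            info = {
                "serial": serial,
                "comm": avc.get("comm"),
                "scontext": avc.get("scontext"),
                "tcontext": avc.get("tcontext"),
                "tclass": avc.get("tclass"),
                "perms": avc["perms"],
                "enforced": avc.get("permissive") == "0",
                # None when the event has no SYSCALL record, e.g. a
                # setroubleshoot alert, which quotes only the AVC line.
                "syscall": syscall.get("syscall"),
                "exit": syscall.get("exit"),
            }
            if info["tclass"] == "capability":
                info["capability"] = cap_name(avc.get("capability", ""))
            out.append(info)
    return out


def allow_rule(info):
    """The allow rule audit2allow would emit for one denial; source and target
    in the same domain collapse to 'self'. Only put this in a local module
    once the access has been judged legitimate, not just because it was denied."""
    src = info["scontext"].split(":")[2]
    same = info["scontext"] == info["tcontext"]
    tgt = "self" if same else info["tcontext"].split(":")[2]
    return f"allow {src} {tgt}:{info['tclass']} {{ {' '.join(info['perms'])} }};"


# Constructed sample mirroring the thread: the raw AVC from the setroubleshoot
# alert and one complete `ausearch -i` event from the follow-up comment.
SAMPLE = """
type=AVC msg=audit(1691947956.205:393): avc:  denied  { sys_admin } for  pid=7870 comm="cifs.upcall" capability=21  scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0
type=PROCTITLE msg=audit(15/08/23 22:30:08.434:1983) : proctitle=cifs.upcall 335004708
type=SYSCALL msg=audit(15/08/23 22:30:08.434:1983) : arch=x86_64 syscall=setns success=no exit=EPERM(Operation not permitted) a0=0x4 a1=CLONE_STOPPED a2=0x563a157a5040 a3=0x0 items=0 ppid=132135 pid=132502 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cifs.upcall exe=/usr/sbin/cifs.upcall subj=system_u:system_r:cifs_helper_t:s0 key=(null)
type=AVC msg=audit(15/08/23 22:30:08.434:1983) : avc:  denied  { sys_admin } for  pid=132502 comm=cifs.upcall capability=sys_admin  scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:cifs_helper_t:s0 tclass=capability permissive=0
""".splitlines()

if __name__ == "__main__":
    for d in explain_denials(SAMPLE):
        where = f"{d['syscall']}() -> {d['exit']}" if d["syscall"] else "no SYSCALL record"
        print(f"event {d['serial']}: {d['comm']} denied {d.get('capability', d['perms'])}"
              f" ({where}); rule if legitimate: {allow_rule(d)}")
```

Run against `ausearch -i -c cifs.upcall` output, the joined view prints the syscall and its errno next to each denial; for the event in this thread that is setns() failing with EPERM, which is the detail the setroubleshoot alert alone does not give you. The generated rule for a capability denial where scontext equals tcontext is exactly the `allow cifs_helper_t self:capability { ... }` line in the audit2allow output above; whether to ship it is the policy question the maintainer is asking about, not something the tool can decide.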