Bug 2307812 - avc denials with samba's "io_uring" module
Summary: avc denials with samba's "io_uring" module
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 40
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-08-25 23:25 UTC by Matt Kinni
Modified: 2024-10-08 01:38 UTC (History)
CC List: 7 users

Fixed In Version: selinux-policy-40.28-1.fc40
Clone Of:
Environment:
Last Closed: 2024-10-08 01:38:40 UTC
Type: ---
Embargoed:


Attachments: none


Links
System: Github
ID: fedora-selinux selinux-policy pull 2337
Private: 0
Priority: None
Status: open
Summary: Allow samba use the io_uring API
Last Updated: 2024-09-02 15:47:28 UTC

Description Matt Kinni 2024-08-25 23:25:03 UTC
Hello,
I am getting the following denials accessing a samba share with "vfs objects = io_uring" enabled:

[root@fedora-4gb-nbg1-2 ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(08/25/2024 22:56:47.375:253) : avc:  denied  { create } for  pid=1244 comm=smbd[127.0.0.1] anonclass=[io_uring] scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 
----
type=AVC msg=audit(08/25/2024 22:56:47.375:254) : avc:  denied  { map } for  pid=1244 comm=smbd[127.0.0.1] path=anon_inode:[io_uring] dev="anon_inodefs" ino=11089 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 
----
type=AVC msg=audit(08/25/2024 22:56:47.375:255) : avc:  denied  { read write } for  pid=1244 comm=smbd[127.0.0.1] path=anon_inode:[io_uring] dev="anon_inodefs" ino=11089 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 


Reproducible: Always

Steps to Reproduce:
1. dnf install samba samba-client samba-vfs-iouring policycoreutils-python-utils
2. mkdir /srv/share1 && chmod 777 /srv/share1
3. semanage fcontext -a -t samba_share_t '/srv(/.*)' && restorecon /srv/share1
4. In /etc/samba/smb.conf:
   [global]
       workgroup = SAMBA
       security = user
       map to guest = Bad Password

       passdb backend = tdbsam
       server multi channel support = no
       server smb encrypt = no

       vfs objects = streams_xattr io_uring

   [share1]
       path = /srv/share1
       available = yes
       browseable = yes
       writeable = yes
       guest ok = yes
5. systemctl start smb
6. setenforce 0 and then perform the following simple test to gather the denials:

touch myfile
smbclient --no-pass \\\\localhost\\share1
smb: \> put myfile
smb: \> get myfile
smb: \> quit
Actual Results:
AVC denials that block accessing the share if SELinux is Enforcing

Expected Results:  
No AVC denial

The repro steps were performed on a fresh F40 Hetzner VM with the following:
- selinux-policy-targeted-40.27-1.fc40.noarch
- kernel-core-6.10.6-200.fc40.x86_64

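For anyone who hits this before selinux-policy-40.28-1.fc40 reaches their machine, the three records in the description contain everything a narrow local policy module needs. The script below is an added example, not part of this bug report and not the Fedora selinux-policy fix (the linked pull request adds the permission to the distribution policy; a local module is only a bridge until that package is installed). It reads `ausearch -i` AVC records, merges the denied permissions per (source type, target type, object class) and prints CIL allow rules that `semodule -i` accepts. The sample input is the three records from the description copied unchanged; the function name `avc_to_cil` and the module name `local-smbd-iouring` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy:
# turn AVC records into minimal CIL allow rules, one rule per
# (source type, target type, object class), merging the permissions.
# audit2allow does the same job; doing it explicitly keeps the module
# small and easy to review before it is loaded.

# Sample input, constructed by copying the three records from the
# description above without modification.
AVC_SAMPLE='type=AVC msg=audit(08/25/2024 22:56:47.375:253) : avc:  denied  { create } for  pid=1244 comm=smbd[127.0.0.1] anonclass=[io_uring] scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
type=AVC msg=audit(08/25/2024 22:56:47.375:254) : avc:  denied  { map } for  pid=1244 comm=smbd[127.0.0.1] path=anon_inode:[io_uring] dev="anon_inodefs" ino=11089 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
type=AVC msg=audit(08/25/2024 22:56:47.375:255) : avc:  denied  { read write } for  pid=1244 comm=smbd[127.0.0.1] path=anon_inode:[io_uring] dev="anon_inodefs" ino=11089 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1'

# avc_to_cil: AVC records on stdin, CIL allow rules on stdout.
# Works on "ausearch -i" output and on raw audit.log lines alike, because
# it only looks at the "{ perms }" group and the scontext=/tcontext=/tclass=
# tokens. Only the type part of each context is kept (user, role and
# level are dropped), which is all an allow rule needs. Records that are
# not denials ("granted", or no avc: at all) are ignored.
avc_to_cil() {
    awk '
    /avc: *denied/ {
        src = ""; tgt = ""; cls = ""; inperm = 0; plist = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { plist = plist " " $i; continue }
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src SUBSEP tgt SUBSEP cls
        # remember first-seen order so the output is stable
        if (!(key in order)) { order[key] = ++n; keys[n] = key }
        np = split(plist, pa, " ")
        for (j = 1; j <= np; j++) {
            if (pa[j] != "" && !((key, pa[j]) in seen)) {
                seen[key, pa[j]] = 1
                perms[key] = (perms[key] == "" ? pa[j] : perms[key] " " pa[j])
            }
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            split(keys[k], f, SUBSEP)
            printf "(allow %s %s (%s (%s)))\n", f[1], f[2], f[3], perms[keys[k]]
        }
    }'
}

# Usage on the affected host (module name is an assumption):
#   ausearch -i -m avc -ts today | avc_to_cil > local-smbd-iouring.cil
#   semodule -i local-smbd-iouring.cil
#   semodule -r local-smbd-iouring   # once selinux-policy-40.28-1.fc40 is in
printf '%s\n' "$AVC_SAMPLE" | avc_to_cil
```

For the three records above this prints a single rule, `(allow smbd_t io_uring_t (anon_inode (create map read write)))`, which is as narrow as the log: smbd_t on io_uring anon inodes only, and nothing from the separate io_uring object class, which these records do not touch. The `permissive=1` on every record is why all three show up at once; in enforcing mode smbd would stop at the first denied create and the map and read/write denials would never be logged, so gathering in permissive mode (step 6) before writing a rule is the right order. After `semodule -i`, repeat the put/get with `setenforce 1` and re-run the ausearch command from the description to confirm nothing new is logged, and remove the local module once the errata is installed so the host returns to the distribution policy.

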
Comment 1 Fedora Update System 2024-10-02 18:44:25 UTC
FEDORA-2024-75212378ea (selinux-policy-40.28-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-75212378ea

Comment 2 Fedora Update System 2024-10-03 03:38:21 UTC
FEDORA-2024-75212378ea has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-75212378ea`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-75212378ea

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2024-10-08 01:38:40 UTC
FEDORA-2024-75212378ea (selinux-policy-40.28-1.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

