Bug 741967 - SE Linux policies for Clustered Samba commands
Summary: SE Linux policies for Clustered Samba commands
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 719738
Blocks: 672641
Reported: 2011-09-28 15:54 UTC by Nate Straz
Modified: 2012-09-27 12:06 UTC (History)

Fixed In Version: selinux-policy-3.7.19-116.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 719738
Environment:
Last Closed: 2011-12-06 10:19:32 UTC
Target Upstream Version:
Embargoed:


Attachments
ausearch output from dash-01 (82.31 KB, text/plain), 2011-09-28 19:51 UTC, Nate Straz
AVCs seen when running the automated test in permissive mode (14.03 KB, text/plain), 2011-09-29 09:20 UTC, Milos Malik


Links
System: Red Hat Product Errata
ID: RHBA-2011:1511
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2011-12-06 00:39:17 UTC

Description Nate Straz 2011-09-28 15:54:15 UTC
+++ This bug was initially created as a clone of Bug #719738 +++

I found another command that doesn't work when selinux is enabled with clustering on in samba.  smbcontrol needs access to ctdb.socket.


type=AVC msg=audit(1317220776.455:50562): avc:  denied  { write } for  pid=11780 comm="smbcontrol" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file

--- Additional comment from dwalsh on 2011-09-28 11:33:42 EDT ---

That is a different bug.

Miroslav, let's add

optional_policy(`
	ctdbd_stream_connect(smbcontrol_t)
')

I think the rest of the bug reported here is fixed in the latest RHEL6 policy?

Comment 1 Nate Straz 2011-09-28 16:01:02 UTC
Looking through audit.log shows that winbindd probably needs the same policy change.

type=AVC msg=audit(1317076246.144:48811): avc:  denied  { write } for  pid=5425 comm="winbindd" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file

Comment 3 Daniel Walsh 2011-09-28 19:32:59 UTC
Do you know if these actual programs need to talk to this socket?  Or could this be a leak?  Can you attach the full output of 

ausearch -m avc

Comment 4 Nate Straz 2011-09-28 19:51:52 UTC
Created attachment 525391 [details]
ausearch output from dash-01

Yeah, I'm pretty sure they do.  I was trying to reload the samba config with smbcontrol and CTDB also manages winbindd when asked to.

Comment 5 Miroslav Grepl 2011-09-29 07:38:46 UTC
Ok, I will add it. 

For other AVC msgs, AFAIK we discussed it in

https://bugzilla.redhat.com/show_bug.cgi?id=719738

and you need to run all needed steps in this bug and also please test it with the latest policy. Thanks.

Comment 6 Milos Malik 2011-09-29 08:08:21 UTC
Both nmbd and winbindd need a change in policy:

# ausearch -m avc -m user_avc -ts today -i
----
type=PATH msg=audit(09/29/2011 10:04:31.134:152) : item=0 name=(null) inode=18340 dev=fd:00 mode=socket,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ctdbd_tmp_t:s0 
type=SOCKADDR msg=audit(09/29/2011 10:04:31.134:152) : saddr=local /tmp/ctdb.socket 
type=SOCKETCALL msg=audit(09/29/2011 10:04:31.134:152) : nargs=3 a0=7 a1=bfd1a98e a2=6e 
type=SYSCALL msg=audit(09/29/2011 10:04:31.134:152) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd1a900 a2=c64ff4 a3=16cdd68 items=1 ppid=14549 pid=14550 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=winbindd exe=/usr/sbin/winbindd subj=unconfined_u:system_r:winbind_t:s0 key=(null) 
type=AVC msg=audit(09/29/2011 10:04:31.134:152) : avc:  denied  { write } for  pid=14550 comm=winbindd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file 
----
type=PATH msg=audit(09/29/2011 10:05:56.610:153) : item=0 name=(null) inode=18340 dev=fd:00 mode=socket,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ctdbd_tmp_t:s0 
type=SOCKADDR msg=audit(09/29/2011 10:05:56.610:153) : saddr=local /tmp/ctdb.socket 
type=SOCKETCALL msg=audit(09/29/2011 10:05:56.610:153) : nargs=3 a0=7 a1=bfd4777e a2=6e 
type=SYSCALL msg=audit(09/29/2011 10:05:56.610:153) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd476f0 a2=100cff4 a3=196cd80 items=1 ppid=14913 pid=14914 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=nmbd exe=/usr/sbin/nmbd subj=unconfined_u:system_r:nmbd_t:s0 key=(null) 
type=AVC msg=audit(09/29/2011 10:05:56.610:153) : avc:  denied  { write } for  pid=14914 comm=nmbd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file 
#
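The three denials in this bug (smbcontrol, winbindd, nmbd writing to ctdb.socket, labelled ctdbd_tmp_t) share one shape, which is what makes a single interface call the right fix for each domain. The following script is an added example, not part of the bug report or of selinux-policy: it parses the AVC records quoted above (both the raw and the `ausearch -i` interpreted forms), groups them by source domain, and renders the `optional_policy` / `ctdbd_stream_connect(...)` blocks that Comment 0 proposes. The INTERFACES lookup table is an assumption kept deliberately small; only the ctdbd entry comes from this bug.

```python
import re
from collections import defaultdict

# AVC records copied from this bug report; the last line is a non-AVC record
# included to show that the parser skips it.
AVC_LOG = """\
type=AVC msg=audit(1317220776.455:50562): avc:  denied  { write } for  pid=11780 comm="smbcontrol" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1317076246.144:48811): avc:  denied  { write } for  pid=5425 comm="winbindd" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(09/29/2011 10:05:56.610:153) : avc:  denied  { write } for  pid=14914 comm=nmbd name=ctdb.socket dev=dm-0 ino=18340 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(09/29/2011 10:05:56.610:153) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied)
"""

# Matches both raw (comm="x") and interpreted (comm=x) AVC lines.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?comm="?(?P<comm>[^"\s]+)"? '
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

# Assumed lookup: (target type, object class) -> refpolicy interface that grants it.
# stream_connect_pattern grants sock_file write plus connectto on the daemon socket.
INTERFACES = {("ctdbd_tmp_t", "sock_file"): "ctdbd_stream_connect"}


def type_of(context):
    """Return the SELinux type, the third field of user:role:type[:level]."""
    return context.split(":")[2]


def parse_avcs(log):
    """Extract (comm, source type, target type, class, perms) from AVC records."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({"comm": m.group("comm"),
                            "source": type_of(m.group("scontext")),
                            "target": type_of(m.group("tcontext")),
                            "tclass": m.group("tclass"),
                            "perms": set(m.group("perms").split())})
    return denials


def suggest_interfaces(denials):
    """Group denials by source domain and name the interface call covering each."""
    out = defaultdict(set)
    for d in denials:
        iface = INTERFACES.get((d["target"], d["tclass"]))
        if iface and d["perms"] & {"write", "connectto"}:
            out[d["source"]].add("%s(%s)" % (iface, d["source"]))
    return {dom: sorted(calls) for dom, calls in out.items()}


def render_policy(suggestions):
    """Render the optional_policy blocks in the form used in this bug."""
    return "\n".join("optional_policy(`\n\t%s\n')" % call
                     for dom in sorted(suggestions) for call in suggestions[dom])
```

Running `print(render_policy(suggest_interfaces(parse_avcs(AVC_LOG))))` yields one `optional_policy` block per affected domain, which can be compared against the policy that ships in the fixed selinux-policy build.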

Comment 7 Miroslav Grepl 2011-09-29 08:35:39 UTC
Makes sense

Comment 8 Milos Malik 2011-09-29 09:20:50 UTC
Created attachment 525494 [details]
AVCs seen when running the automated test in permissive mode

Comment 9 Miroslav Grepl 2011-09-29 10:21:44 UTC
I am fixing them.

Comment 10 Miroslav Grepl 2011-10-03 14:00:35 UTC
Fixed in selinux-policy-3.7.19-114.el6

Comment 13 Miroslav Grepl 2011-10-07 07:36:11 UTC
Ok, I found a typo in the samba policy file.

Comment 14 Miroslav Grepl 2011-10-12 18:18:34 UTC
Fixed in selinux-policy-3.7.19-116.el6

Comment 16 errata-xmlrpc 2011-12-06 10:19:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

