Bug 2083511 - samba-dcerpcd and samba rpcd programs need selinux-policy permissions
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Depends On: 2083504 2083509
Reported: 2022-05-10 09:33 UTC by Pavel Filipensky
Modified: 2022-12-15 16:18 UTC (History)

Fixed In Version: selinux-policy-36.13-3.fc36
Clone Of: 2083509
Last Closed: 2022-08-05 01:34:26 UTC
Type: Bug

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | fedora-selinux selinux-policy pull 1219 | 0 | None | Draft | Add support for samba-dcerpcd | 2022-06-01 19:34:11 UTC
Github | fedora-selinux selinux-policy pull 1229 | 0 | None | Merged | Update policy for samba-dcerpcd | 2022-06-09 09:49:33 UTC

Description Pavel Filipensky 2022-05-10 09:33:20 UTC
+++ This bug was initially created as a clone of Bug #2083509 +++

+++ This bug was initially created as a clone of Bug #2083504 +++

After Fedora f36 and rawhide rebase to samba 4.16.1 the samba test fails because of missing selinux policy permissions. Samba has added new programs (Release Notes https://www.samba.org/samba/history/samba-4.16.0.html).

Please give the needed permissions to these programs:

# ls -lZ /usr/libexec/samba/
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0      34 Apr 23  2021 cups_backend_smb -> /etc/alternatives/cups_backend_smb
-rwxr-xr-x  1 root root ?                          1428008 Feb 15 12:31 rpcd_classic
-rwxr-xr-x  1 root root ?                            45168 Feb 15 12:31 rpcd_epmapper
-rwxr-xr-x  1 root root ?                            78104 Feb 15 12:31 rpcd_fsrvp
-rwxr-xr-x  1 root root ?                           424552 Feb 15 12:31 rpcd_lsad
-rwxr-xr-x  1 root root ?                           128712 Feb 15 12:31 rpcd_mdssvc
-rwxr-xr-x  1 root root ?                            28768 Feb 15 12:31 rpcd_rpcecho
-rwxr-xr-x  1 root root ?                           512976 Feb 15 12:31 rpcd_spoolss
-rwxr-xr-x  1 root root ?                            90712 Feb 15 12:31 rpcd_winreg
-rwxr-xr-x  1 root root ?                           525464 Feb 15 12:31 samba-bgqd
-rwxr-xr-x  1 root root ?                           197960 Feb 15 12:31 samba-dcerpcd


The denied access is here:


avc:  denied  { write } for  pid=53381 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs"
avc:  denied  { setgid } for  pid=53485 comm="rpcd_lsad"


and here:


type=AVC msg=audit(1652102482.309:2296): avc:  denied  { setgid } for  pid=52973 comm="rpcd_lsad" capability=6  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0            
type=AVC msg=audit(1652102482.934:2300): avc:  denied  { setgid } for  pid=52995 comm="rpcd_lsad" capability=6  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1652102483.579:2304): avc:  denied  { setgid } for  pid=53015 comm="rpcd_lsad" capability=6  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1652102484.263:2308): avc:  denied  { setgid } for  pid=53035 comm="rpcd_lsad" capability=6  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1652102484.985:2312): avc:  denied  { setgid } for  pid=53056 comm="rpcd_lsad" capability=6  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0


Full logs:


http://idm-artifacts.usersys.redhat.com/samba/Nightly/RHEL8.7/2022-04-17/tier-1/tier1_ws2019/7/tier1-restraint.01/recipes/1/tasks/10/results/1652101918/logs/avc.log
http://idm-artifacts.usersys.redhat.com/samba/Nightly/RHEL8.7/2022-04-17/tier-1/tier1_ws2019/7/tier1-restraint.01/recipes/1/tasks/10/results/1652101914/logs/avc.log

--- Additional comment from Pavel Filipensky on 2022-05-10 09:27:54 UTC ---

The denied access: denied  { write } for  pid=53381 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs"
needs to be fixed via granting access for "/run"  (for pid files) - see smb.conf(5):

   pid directory (G)

       This option specifies the directory where pid files will be placed.

       Default: pid directory = /run

       Example: pid directory = /var/run/

Comment 1 Milos Malik 2022-05-10 14:30:12 UTC
Following SELinux denial appears multiple times in enforcing mode:
----
type=PROCTITLE msg=audit(05/10/2022 10:26:25.856:667) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=5 --worker-index=5 --debuglevel=0 
type=SYSCALL msg=audit(05/10/2022 10:26:25.856:667) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x0 a1=0x0 a2=0x7f0424afdd4b a3=0x0 items=0 ppid=1573 pid=1583 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_t:s0 key=(null) 
type=AVC msg=audit(05/10/2022 10:26:25.856:667) : avc:  denied  { setgid } for  pid=1583 comm=rpcd_lsad capability=setgid  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0 
----

# rpm -qa selinux\* \*samba\* | sort
python3-samba-4.16.1-4.fc37.x86_64
python3-samba-dc-4.16.1-4.fc37.x86_64
samba-4.16.1-4.fc37.x86_64
samba-client-libs-4.16.1-4.fc37.x86_64
samba-common-4.16.1-4.fc37.noarch
samba-common-libs-4.16.1-4.fc37.x86_64
samba-common-tools-4.16.1-4.fc37.x86_64
samba-dc-libs-4.16.1-4.fc37.x86_64
samba-libs-4.16.1-4.fc37.x86_64
samba-winbind-4.16.1-4.fc37.x86_64
samba-winbind-modules-4.16.1-4.fc37.x86_64
selinux-policy-36.7-1.fc37.noarch
selinux-policy-targeted-36.7-1.fc37.noarch
#

Comment 2 Milos Malik 2022-05-10 14:33:49 UTC
Following SELinux denial appears in permissive mode:
----
type=PROCTITLE msg=audit(05/10/2022 10:33:09.033:712) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=3 --worker-index=5 --debuglevel=0 
type=SYSCALL msg=audit(05/10/2022 10:33:09.033:712) : arch=x86_64 syscall=setgroups success=yes exit=0 a0=0x0 a1=0x0 a2=0x7f196d2fdd4b a3=0x0 items=0 ppid=1782 pid=1792 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_t:s0 key=(null) 
type=AVC msg=audit(05/10/2022 10:33:09.033:712) : avc:  denied  { setgid } for  pid=1792 comm=rpcd_lsad capability=setgid  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=1 
----

Comment 3 Milos Malik 2022-05-10 15:24:06 UTC
# ls -lZ /usr/libexec/samba/
total 3408
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1428080 May  6 11:26 rpcd_classic
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0   45200 May  6 11:26 rpcd_epmapper
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0   78128 May  6 11:26 rpcd_fsrvp
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  424640 May  6 11:26 rpcd_lsad
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  128792 May  6 11:26 rpcd_mdssvc
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0   28800 May  6 11:26 rpcd_rpcecho
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  513048 May  6 11:26 rpcd_spoolss
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0   90744 May  6 11:26 rpcd_winreg
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  525528 May  6 11:26 samba-bgqd
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0  198032 May  6 11:26 samba-dcerpcd
#

The following file appears after starting the winbind service:

# ls -lZ /run/samba-dcerpcd.pid 
-rw-r--r--. 1 root root system_u:object_r:winbind_var_run_t:s0 5 May 10 11:06 /run/samba-dcerpcd.pid
#

Comment 4 Zdenek Pytela 2022-06-01 19:34:12 UTC
I've submitted a Fedora PR to address the issue. Before it is merged, scratchbuild can be used for testing:

https://github.com/fedora-selinux/selinux-policy/pull/1219
Checks -> Details -> Artifacts -> rpms

Comment 5 Zdenek Pytela 2022-06-09 09:49:34 UTC
Updated with:
https://github.com/fedora-selinux/selinux-policy/pull/1229

Comment 6 Fedora Update System 2022-06-30 07:25:41 UTC
FEDORA-2022-fd22b79a84 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84

Comment 7 Fedora Update System 2022-07-01 02:09:42 UTC
FEDORA-2022-fd22b79a84 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fd22b79a84`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2022-07-16 01:12:41 UTC
FEDORA-2022-320775eb9a has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-320775eb9a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Dustin C. Hatch 2022-07-20 03:12:15 UTC
After applying the update, the original AVC denials are gone, but there are still a couple more:

type=AVC msg=audit(1658286623.868:2435): avc:  denied  { write } for  pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1

type=AVC msg=audit(1658286623.868:2436): avc:  denied  { open } for  pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1

type=AVC msg=audit(1658286623.868:2437): avc:  denied  { lock } for  pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
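
An added example, not part of the bug report or of the selinux-policy project: a small Python triage helper that parses AVC records in both the raw form and the interpreted (`ausearch -i` style) form quoted in this bug, skips truncated records, and groups the rest into allow-rule candidates for policy review. The function names are assumptions of this example; the sample records are copied from the comments above.

```python
import re
from collections import defaultdict

# Records copied from the comments above; the first one is truncated as in the description.
SAMPLE = """\
avc:  denied  { setgid } for  pid=53485 comm="rpcd_lsad"
type=AVC msg=audit(1652102482.309:2296): avc:  denied  { setgid } for  pid=52973 comm="rpcd_lsad" capability=6  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(05/10/2022 10:33:09.033:712) : avc:  denied  { setgid } for  pid=1792 comm=rpcd_lsad capability=setgid  scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1658286623.868:2435): avc:  denied  { write } for  pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1658286623.868:2436): avc:  denied  { open } for  pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1658286623.868:2437): avc:  denied  { lock } for  pid=6219 comm="samba-dcerpcd" path="/run/samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
"""
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Parse one AVC denial; return None for lines without full context fields."""
    m = PERMS.search(line)
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if not m or not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    # An SELinux context is user:role:type:level, so the type is field 2.
    return {"perms": m.group(1).split(), "comm": f.get("comm", "?"),
            "source": f["scontext"].split(":")[2], "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"], "enforced": f.get("permissive") == "0"}

def summarize(text):
    """Group denials by (source type, target type, class); count unusable lines."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "enforced": False})
    lines = [l for l in text.splitlines() if l.strip()]
    recs = [r for r in map(parse_avc, lines) if r]
    for rec in recs:
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["enforced"] |= rec["enforced"]  # True once any record had permissive=0
    return dict(groups), len(lines) - len(recs)

def candidate_rules(groups):
    """Render each group as an allow-rule candidate for a policy reviewer to judge."""
    out = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize(SAMPLE)[0])))
```

The `enforced` flag separates denials that blocked the operation (`permissive=0`, as in comment 1) from those that were only logged in permissive mode (comments 2 and 9).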

Comment 10 Fedora Update System 2022-08-04 02:41:43 UTC
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-139ec288ca`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-139ec288ca

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2022-08-05 01:34:26 UTC
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Zdenek Pytela 2022-08-05 15:33:03 UTC
(In reply to Dustin C. Hatch from comment #9)
> After applying the update, the original AVC denials are gone, but there are
> still a couple more:
Thanks for reporting, but next time please create a new bz not to be overlooked.
https://github.com/fedora-selinux/selinux-policy/pull/1315

