Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2092808 - selinux-policy prevents 30-winbind from invoking smbcontrol and testparam
Summary: selinux-policy prevents 30-winbind from invoking smbcontrol and testparam
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-06-02 10:05 UTC by Raphael Kubo da Costa
Modified: 2022-08-05 01:34 UTC (History)
10 users (show)

Fixed In Version: selinux-policy-36.13-3.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-05 01:34:34 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1230 0 None open Allow nm-dispatcher custom plugin create and use unix dgram socket 2022-06-10 19:29:37 UTC
Github fedora-selinux selinux-policy pull 1275 0 None open Allow nm-dispatcher winbind plugin read samba config files 2022-07-13 15:14:06 UTC

Description Raphael Kubo da Costa 2022-06-02 10:05:19 UTC
I'm using selinux-policy 36.10-1.fc36 here (which includes some NetworkManager fixes), but /usr/lib/NetworkManager/dispatcher.d/30-winbind still fails to work correctly:

* My /etc/samba/smb.conf has "winbind use default domain = yes", but the call to testparam just returns an empty string instead of "Yes" and causes the script to exit early.
* If I comment out the testparam block, I get audit errors:

audit[9457]: AVC avc:  denied  { execute } for  pid=9457 comm="30-winbind" name="smbcontrol" dev="dm-1" ino=1466353 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0
audit[9457]: AVC avc:  denied  { getattr } for  pid=9457 comm="30-winbind" path="/usr/bin/smbcontrol" dev="dm-1" ino=1466353 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0
audit[9457]: AVC avc:  denied  { getattr } for  pid=9457 comm="30-winbind" path="/usr/bin/smbcontrol" dev="dm-1" ino=1466353 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0

Comment 1 Zdenek Pytela 2022-06-02 10:18:26 UTC
Thanks for the details, I'll try to address it soon.

Comment 2 Ivan Ganev 2022-06-02 19:51:55 UTC
Our business VPN setup also has a need to run /usr/bin/kinit, /usr/bin/wbinfo, /usr/bin/nsupdate from NetworkManager dispatcher scripts to register a newly started VPN tunnel with the DNS of the remote organization. Those binaries also get hit by the newly restrictive SELinux environment:


May 24 17:04:52 ibganev-desk.amr.corp.intel.com audit[82523]: AVC avc:  denied  { getattr } for  pid=82523 comm="kinit" path="/etc/krb5.conf" dev="dm-0" ino=12452229 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
May 24 17:04:52 ibganev-desk.amr.corp.intel.com audit[82506]: AVC avc:  denied  { getattr } for  pid=82506 comm="sh" path="/usr/bin/smbcontrol" dev="dm-0" ino=5651000 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0
May 24 17:04:53 ibganev-desk.amr.corp.intel.com audit[82749]: AVC avc:  denied  { getattr } for  pid=82749 comm="wbinfo" path="/run/samba/winbindd/pipe" dev="tmpfs" ino=1995 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file permissive=0
May 24 17:57:29 ibganev-desk.amr.corp.intel.com audit[89569]: AVC avc:  denied  { read } for  pid=89569 comm="kinit" name="krb5.conf" dev="dm-0" ino=12452229 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
May 24 17:57:29 ibganev-desk.amr.corp.intel.com audit[89556]: AVC avc:  denied  { execute } for  pid=89556 comm="sh" name="smbcontrol" dev="dm-0" ino=5651000 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0
May 24 17:57:29 ibganev-desk.amr.corp.intel.com audit[89556]: AVC avc:  denied  { read } for  pid=89556 comm="sh" name="smbcontrol" dev="dm-0" ino=5651000 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file permissive=0
May 24 17:57:30 ibganev-desk.amr.corp.intel.com audit[89827]: AVC avc:  denied  { write } for  pid=89827 comm="wbinfo" name="pipe" dev="tmpfs" ino=1995 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file permissive=0


May 31 08:29:50 ibganev-desk.amr.corp.intel.com audit[3812]: AVC avc:  denied  { open } for  pid=3812 comm="kinit" path="/etc/krb5.conf" dev="dm-0" ino=12452229 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=fi
le permissive=0
May 31 08:29:50 ibganev-desk.amr.corp.intel.com audit[3819]: AVC avc:  denied  { open } for  pid=3819 comm="sh" path="/usr/bin/smbcontrol" dev="dm-0" ino=5651000 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tc
lass=file permissive=0
May 31 08:29:51 ibganev-desk.amr.corp.intel.com audit[4038]: AVC avc:  denied  { connectto } for  pid=4038 comm="wbinfo" path="/run/samba/winbindd/pipe" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_stream_

Comment 3 Fedora Update System 2022-06-30 07:25:47 UTC
FEDORA-2022-fd22b79a84 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84

Comment 4 Fedora Update System 2022-07-01 02:09:47 UTC
FEDORA-2022-fd22b79a84 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fd22b79a84`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Raphael Kubo da Costa 2022-07-08 09:32:02 UTC
Trying to bring the discussion in https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84 back here.

What I said there was
> This does not fully fix BZ#2092808. Invoking smbcontrol works, but testparm is still returning an empty string.

Zdenek said
> @rakuco the denials mentioned in the bz should be addressed. Please open a new bz and add some details and avc denials you see.

I did mention in the bug report here that "My /etc/samba/smb.conf has "winbind use default domain = yes", but the call to testparam just returns an empty string instead of "Yes" and causes the script to exit early". This is still the case, but there are no AVC denials or anything I can see with journalctl, the program just seems to output nothing.

Is there a way to debug this, or temporarily make 30-winbind output something somewhere? Calling logger triggers an AVC denial, and using echo just outputs nothing to the logs.

Comment 6 Zdenek Pytela 2022-07-08 12:17:08 UTC
(In reply to Raphael Kubo da Costa from comment #5)
> Is there a way to debug this, or temporarily make 30-winbind output
> something somewhere? Calling logger triggers an AVC denial, and using echo
> just outputs nothing to the logs.

If the issue does not appear in the system permissive mode, it can be an effect of dontaudit rules which can be removed temporarily:

semodule -DB
<reproduce>
semodule -B
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

Bash debugging can be turned on e. g. with
set +x
at the script beginning.

Comment 7 Raphael Kubo da Costa 2022-07-12 13:08:02 UTC
Thanks. With `semodule -DB`, I still wasn't able to log anything with echo or logger, and `set +x` didn't have any effect, but I could see a lot of AVCs being logged for all NetworkManager dispatcher scripts. Relevant excerpt:

jul 12 15:01:02 SOME-HOST nm-dispatcher[140489]: req:4 'up' [vpn0], "/usr/lib/NetworkManager/dispatcher.d/30-winbind": run script
jul 12 15:01:02 SOME-HOST audit[140518]: AVC avc:  denied  { noatsecure } for  pid=140518 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=process permissive=0
jul 12 15:01:02 SOME-HOST audit[140518]: AVC avc:  denied  { read write } for  pid=140518 comm="30-winbind" path="socket:[1140270]" dev="sockfs" ino=1140270 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
jul 12 15:01:02 SOME-HOST audit[140518]: AVC avc:  denied  { read write } for  pid=140518 comm="30-winbind" path="socket:[1140270]" dev="sockfs" ino=1140270 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
jul 12 15:01:02 SOME-HOST audit[140518]: AVC avc:  denied  { rlimitinh } for  pid=140518 comm="30-winbind" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=process permissive=0
jul 12 15:01:02 SOME-HOST audit[140518]: AVC avc:  denied  { siginh } for  pid=140518 comm="30-winbind" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=process permissive=0
jul 12 15:01:02 SOME-HOST audit[140519]: AVC avc:  denied  { net_admin } for  pid=140519 comm="systemctl" capability=12  scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=capability permissive=0
jul 12 15:01:02 SOME-HOST audit[140519]: AVC avc:  denied  { net_admin } for  pid=140519 comm="systemctl" capability=12  scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=capability permissive=0
jul 12 15:01:02 SOME-HOST audit[140521]: AVC avc:  denied  { search } for  pid=140521 comm="testparm" name="samba" dev="dm-1" ino=1704052 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir permissive=0
jul 12 15:01:02 SOME-HOST audit[140521]: AVC avc:  denied  { search } for  pid=140521 comm="testparm" name="samba" dev="dm-1" ino=1704052 scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir permissive=0
jul 12 15:01:02 SOME-HOST audit[140522]: AVC avc:  denied  { net_admin } for  pid=140522 comm="systemctl" capability=12  scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=capability permissive=0
jul 12 15:01:02 SOME-HOST audit[140522]: AVC avc:  denied  { net_admin } for  pid=140522 comm="systemctl" capability=12  scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tclass=capability permissive=0
jul 12 15:01:02 SOME-HOST audit[140523]: AVC avc:  denied  { noatsecure } for  pid=140523 comm="30-winbind" scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:smbcontrol_t:s0 tclass=process permissive=0
jul 12 15:01:02 SOME-HOST audit[140523]: AVC avc:  denied  { rlimitinh } for  pid=140523 comm="smbcontrol" scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:smbcontrol_t:s0 tclass=process permissive=0
jul 12 15:01:02 SOME-HOST audit[140523]: AVC avc:  denied  { siginh } for  pid=140523 comm="smbcontrol" scontext=system_u:system_r:NetworkManager_dispatcher_winbind_t:s0 tcontext=system_u:system_r:smbcontrol_t:s0 tclass=process permissive=0
jul 12 15:01:03 SOME-HOST nm-dispatcher[140489]: req:4 'up' [vpn0], "/usr/lib/NetworkManager/dispatcher.d/30-winbind": complete

Comment 8 Fedora Update System 2022-07-15 14:42:13 UTC
FEDORA-2022-320775eb9a has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a

Comment 9 Fedora Update System 2022-07-16 01:12:46 UTC
FEDORA-2022-320775eb9a has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-320775eb9a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2022-08-04 02:41:49 UTC
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-139ec288ca`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-139ec288ca

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2022-08-05 01:34:34 UTC
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.