fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

samba-dcerpcd fails to run in clustered configuration using ctdb #2196

Open anoopcs9 opened 1 week ago

anoopcs9 commented 1 week ago

In a clustered Samba setup, /usr/libexec/samba/samba-dcerpcd, when invoked on demand to list the services available from a server, fails to operate with CTDB, generating the following AVC denial entries in the audit logs:

type=AVC msg=audit(1719320611.316:194102): avc: denied { write } for pid=2811143 comm="samba-dcerpcd" name="ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1

type=AVC msg=audit(1719320611.316:194102): avc: denied { connectto } for pid=2811143 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1719320611.316:194102): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7ffdb72d1718 a2=6e a3=556b3d35dad0 items=0 ppid=2811142 pid=2811143 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=connect AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

type=AVC msg=audit(1719320611.330:194103): avc: denied { getattr } for pid=2811144 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1719320611.330:194103): arch=c000003e syscall=262 success=yes exit=0 a0=ffffff9c a1=7fe986cb8000 a2=7ffdb72d1580 a3=0 items=0 ppid=1 pid=2811144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

type=AVC msg=audit(1719320611.332:194104): avc: denied { map } for pid=2811144 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/secrets.tdb.0" dev="dm-0" ino=202466688 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1719320611.332:194104): arch=c000003e syscall=9 success=yes exit=140640883048448 a0=0 a1=20c000 a2=3 a3=1 items=0 ppid=1 pid=2811144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=mmap AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

It is always reproducible in a traditional Samba-CTDB cluster using the command smbclient -N -L <server>.
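As an added example, not code from the issue or from the selinux-policy project: a small Python script that parses the AVC records quoted in the report into the raw allow rules audit2allow would derive for the winbind_rpcd_t domain, and checks that every denial carries permissive=1 (the host was in permissive mode, which is why each syscall still shows success=yes). The record strings are the report's own AVC lines with their SYSCALL tails truncated; that a proper fix in selinux-policy would go through the ctdb module's interface macros rather than these raw rules is an assumption, not something the report says.

```python
import re
from collections import defaultdict

# One AVC record. A SYSCALL record run together on the same line, as in the
# report, is ignored because the match stops at tclass=.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?:[^:\s]+:){2}(?P<source>[^:\s]+)\S*\s+"
    r"tcontext=(?:[^:\s]+:){2}(?P<target>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, permissive) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    flag = re.search(r"permissive=([01])", line)
    return (m["source"], m["target"], m["tclass"],
            frozenset(m["perms"].split()), bool(flag and flag[1] == "1"))

def allow_rules(lines):
    """Merge denials into audit2allow-style rules, one per
    (source, target, class) triple, with permissions sorted."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms, _ = parsed
            merged[(src, tgt, cls)].update(perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def all_permissive(lines):
    """True when every denial carries permissive=1: the access went through
    (success=yes in the report), so enforcing mode would break samba-dcerpcd."""
    flags = [p[4] for p in map(parse_avc, lines) if p]
    return bool(flags) and all(flags)

# The four AVC records from the report above, SYSCALL tails truncated.
REPORT_AVCS = [
    'type=AVC msg=audit(1719320611.316:194102): avc: denied { write } for pid=2811143 comm="samba-dcerpcd" name="ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1',
    'type=AVC msg=audit(1719320611.316:194102): avc: denied { connectto } for pid=2811143 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1 type=SYSCALL msg=audit(1719320611.316:194102): arch=c000003e syscall=42 success=yes exit=0',
    'type=AVC msg=audit(1719320611.330:194103): avc: denied { getattr } for pid=2811144 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1',
    'type=AVC msg=audit(1719320611.332:194104): avc: denied { map } for pid=2811144 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/secrets.tdb.0" dev="dm-0" ino=202466688 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1',
]

if __name__ == "__main__":
    print("\n".join(allow_rules(REPORT_AVCS)))
    print("all permissive:", all_permissive(REPORT_AVCS))
```

The three merged rules show the minimal accesses a fix must grant: connectto on the ctdbd_t socket, getattr and write on the ctdbd_var_run_t sock_file, and map on the ctdbd_var_lib_t database file.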