fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Allow samba-dcerpcd to operate with ctdb #2198

Open anoopcs9 opened 6 days ago

anoopcs9 commented 6 days ago

Pre-defined policies for winbind_rpcd_t type added via commit 7367896085 failed to consider a clustered samba setup where communication between nodes is handled by ctdb. As a result SMB clients (smbclient, Windows and so on) are unable to browse the services available from such a cluster where samba-dcerpcd is invoked on demand by smbd. See below for related AVC denial entries during an attempt to list the services:

type=AVC msg=audit(1719320611.316:194102): avc: denied { write } for pid=2811143 comm="samba-dcerpcd" name="ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1

type=AVC msg=audit(1719320611.316:194102): avc: denied { connectto } for pid=2811143 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1

type=AVC msg=audit(1719320611.330:194103): avc: denied { getattr } for pid=2811144 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1

type=AVC msg=audit(1719320611.332:194104): avc: denied { map } for pid=2811144 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/secrets.tdb.0" dev="dm-0" ino=202466688 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1

Therefore we leave samba-dcerpcd installed under /usr/libexec/samba with its FHS-based default context type (bin_t), which should allow ctdb interaction in a configuration where samba is clustered.

fixes #2196
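To make the denials above easier to reason about, here is an added example (not part of the PR or the selinux-policy project) that parses the quoted AVC entries and aggregates them into the raw allow rules that would be needed if winbind_rpcd_t were kept for samba-dcerpcd, so the alternative to relabeling the binary as bin_t can be seen concretely. The AVC lines are the ones quoted in the description, embedded as constructed sample input; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC entries quoted in the PR description.
SAMPLE_AVC = """\
type=AVC msg=audit(1719320611.316:194102): avc: denied { write } for pid=2811143 comm="samba-dcerpcd" name="ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1719320611.316:194102): avc: denied { connectto } for pid=2811143 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1719320611.330:194103): avc: denied { getattr } for pid=2811144 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1719320611.332:194104): avc: denied { map } for pid=2811144 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/secrets.tdb.0" dev="dm-0" ino=202466688 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
"""

# Matches the permission set and the source/target contexts of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def allow_rules(audit_text):
    """Merge denials into one allow rule per (source type, target type, class)."""
    perms_by_key = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            perms_by_key[(stype, ttype, tclass)] |= perms
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(perms_by_key.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
```

Note the `permissive=1` field: these were collected in permissive mode, which is why all four operations appear instead of only the first one that would have been refused. In the reference policy the same access would normally be expressed through the ctdb interfaces rather than raw allow rules, and the `map` permission on a persistent tdb file is worth scrutinising separately from the socket access.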

zpytela commented 5 days ago

@anoopcs9 Which services can execute both the /usr/libexec/samba/rpcd_lsad and /usr/libexec/samba/samba-dcerpcd executables?

anoopcs9 commented 5 days ago

@anoopcs9 Which services can execute both the /usr/libexec/samba/rpcd_lsad and /usr/libexec/samba/samba-dcerpcd executables?

I'll try to answer it differently. Let me know if more clarification is needed.

/usr/libexec/samba/samba-dcerpcd has two modes (see NEW FEATURES/CHANGES from v4.16.0 release notes):

/usr/libexec/samba/rpcd_* binaries are helper programs for samba-dcerpcd.

Does that make sense?

anoopcs9 commented 4 days ago

With /usr/libexec/samba/rpcd_* binaries designed as helper programs for samba-dcerpcd, which can further be invoked by more than one daemon (or standalone), IMO should we rethink having a winbind-specific context type for samba-dcerpcd and friends? We could even revert https://github.com/fedora-selinux/selinux-policy/commit/7367896085db099d956d666b94601fa9fc9df92a altogether?