Open anoopcs9 opened 6 days ago
@anoopcs9 Which services can execute both the /usr/libexec/samba/rpcd_lsad and /usr/libexec/samba/samba-dcerpcd executables?
I'll try to answer it differently. Let me know if more clarification is needed.
/usr/libexec/samba/samba-dcerpcd has two modes (see NEW FEATURES/CHANGES from the v4.16.0 release notes):
/usr/libexec/samba/rpcd_* binaries are helper programs for samba-dcerpcd.
Does that make sense?
With /usr/libexec/samba/rpcd_* binaries designed as helper programs for samba-dcerpcd, which can further be invoked by more than one daemon (or standalone), IMO, should we rethink having a winbind-specific context type for samba-dcerpcd and friends? We could even revert https://github.com/fedora-selinux/selinux-policy/commit/7367896085db099d956d666b94601fa9fc9df92a altogether?
Pre-defined policies for the winbind_rpcd_t type added via commit 7367896085 failed to consider a clustered samba setup where communication between nodes is handled by ctdb. As a result SMB clients (smbclient, Windows and so on) are unable to browse the services available from such a cluster where samba-dcerpcd is invoked on demand by smbd. See below for related AVC denial entries during an attempt to list the services:
Therefore we leave samba-dcerpcd installed under /usr/libexec/samba with its FHS-based default context type (bin_t), which should allow ctdb interaction in a configuration where samba is clustered.
fixes #2196
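The PR description refers to AVC denial entries that samba-dcerpcd hits when it runs in the winbind rpcd domain on a ctdb cluster. The following is an added example, not code from the PR or from selinux-policy, showing how a defender can parse such audit.log records and summarise which source domain, target type, object class and permission are being denied, so the policy gap (here: the rpcd domain talking to ctdb) is visible at a glance. The audit lines are constructed for illustration: the winbind_rpcd_t type is the one named in the description, while ctdbd_t, ctdbd_var_run_t and the socket path /run/ctdb/ctdbd.socket are assumptions and not taken from the PR.

```python
import re
from collections import Counter

# Constructed sample audit records (not the denials from the PR).
# Types other than winbind_rpcd_t and the socket path are assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { connectto } for  pid=4321 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=4321 comm="samba-dcerpcd" name="ctdbd.socket" dev="tmpfs" ino=12345 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=42 success=no exit=-13 comm="samba-dcerpcd"
type=AVC msg=audit(1700000000.150:203): avc:  denied  { connectto } for  pid=4322 comm="rpcd_lsad" path="/run/ctdb/ctdbd.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=0
"""

# Core AVC shape: result, permission set, and the three context fields.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Generic key=value (quoted or bare) fields such as pid, comm, path, name.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    kv = dict(KV_RE.findall(line))
    rec["comm"] = kv.get("comm", "").strip('"')
    rec["pid"] = kv.get("pid")
    rec["path"] = kv.get("path", kv.get("name", "")).strip('"')
    # A context is user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def denials_involving(counts, type_prefix):
    """Subset of the summary whose target type starts with type_prefix (e.g. 'ctdbd')."""
    return {k: v for k, v in counts.items() if k[1].startswith(type_prefix)}


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT_LOG)
    for (stype, ttype, tclass, perm), n in sorted(summary.items()):
        print(f"{n:3d}  {stype} -> {ttype} {tclass}:{perm}")
    print("ctdb-related:", len(denials_involving(summary, "ctdbd")))
```

On a real host the same parser can be fed the output of `ausearch -m avc` (or /var/log/audit/audit.log directly); a non-empty `denials_involving(..., "ctdbd")` result with winbind_rpcd_t as source type is the condition the PR describes, and the fix chosen there is to leave samba-dcerpcd labelled bin_t rather than to add rules to the winbind rpcd domain.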