fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

With latest C8/RHEL8, I now need allow winbind_t winbind_exec_t:file execute_no_trans #550

Open paulraines68 opened 3 years ago

paulraines68 commented 3 years ago

In my samba config I have

idmap config MYDOMAIN : script = /etc/samba/idmap_script.sh

In the past this just required

semanage fcontext -a -t winbind_exec_t /etc/samba/idmap_script.sh

However, I am getting permission denied failures now with calling of the script. It works with SELINUX disabled. The audit log has

type=AVC msg=audit(1611357144.362:11289): avc:  denied  { execute_no_trans } for  pid=298160 comm="winbindd" path="/etc/samba/idmap_script.sh" dev="nvme0n1p5" ino=2098041 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:winbind_exec_t:s0 tclass=file permissive=1

which means I need

allow winbind_t winbind_exec_t:file execute_no_trans;

Am I missing something or is this something that should be added to default selinux-policy files now?

I have CentOS 8.2.2004 with samba 4.11.2-13 and selinux-policy 3.14.3-41
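The `allow` rule in the post is read straight off the AVC record: the type field of `scontext` becomes the source, the type field of `tcontext` the target, and `tclass` plus the braced permission set complete the rule. The following is an added example (not code from the issue or from the selinux-policy project) that parses such records and merges denials into rules the way `audit2allow` does; it also reports whether the denial was actually enforced, since `permissive=1` in the record above means the access was only logged. The AVC line is the one quoted in the issue; the second AVC record and the `SYSCALL` line are constructed inputs, not from the page.

```python
import re
from dataclasses import dataclass

# The AVC record quoted in the issue, used here as test input.
SAMPLE_AVC = (
    'type=AVC msg=audit(1611357144.362:11289): avc:  denied  { execute_no_trans } for  '
    'pid=298160 comm="winbindd" path="/etc/samba/idmap_script.sh" dev="nvme0n1p5" '
    'ino=2098041 scontext=system_u:system_r:winbind_t:s0 '
    'tcontext=unconfined_u:object_r:winbind_exec_t:s0 tclass=file permissive=1'
)
# Constructed second denial for the same subject/object pair (not from the issue),
# used only to show how permissions are merged into one rule.
CONSTRUCTED_SECOND_AVC = (
    'type=AVC msg=audit(1611357144.362:11290): avc:  denied  { read open } for  '
    'pid=298160 comm="winbindd" path="/etc/samba/idmap_script.sh" dev="nvme0n1p5" '
    'ino=2098041 scontext=system_u:system_r:winbind_t:s0 '
    'tcontext=unconfined_u:object_r:winbind_exec_t:s0 tclass=file permissive=1'
)

# "avc:  denied  { perm1 perm2 }" -> decision and the permission list
_DECISION_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')
# key=value pairs; values may be quoted (comm="winbindd") or bare (pid=298160)
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcRecord:
    decision: str
    permissions: list
    fields: dict

    @staticmethod
    def _type_of(context):
        # A security context is user:role:type:level; the type is the third field.
        return context.split(":")[2]

    @property
    def source_type(self):
        return self._type_of(self.fields["scontext"])

    @property
    def target_type(self):
        return self._type_of(self.fields["tcontext"])

    @property
    def enforcing(self):
        # permissive=1 means the kernel logged the denial but let the access proceed.
        return self.fields.get("permissive", "0") != "1"

    def allow_rule(self):
        return format_allow(self.source_type, self.target_type,
                            self.fields["tclass"], self.permissions)


def format_allow(stype, ttype, tclass, perms):
    """Render an allow rule; a single permission needs no braces."""
    perms = sorted(set(perms))
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def parse_avc(line):
    m = _DECISION_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: " + line)
    fields = {}
    # Only the part after the permission set carries the key=value pairs.
    for key, quoted, bare in _KV_RE.findall(line[m.end():]):
        fields[key] = quoted if quoted else bare
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError(f"AVC record lacks {required}: {line}")
    return AvcRecord(m.group("decision"), m.group("perms").split(), fields)


def summarize_denials(lines):
    """Merge denials by (source type, target type, class) into one rule each,
    the way audit2allow does; non-AVC and granted records are skipped."""
    merged = {}
    for line in lines:
        if "avc:" not in line:
            continue
        rec = parse_avc(line)
        if rec.decision != "denied":
            continue
        key = (rec.source_type, rec.target_type, rec.fields["tclass"])
        merged.setdefault(key, set()).update(rec.permissions)
    return [format_allow(s, t, c, p) for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(rec.allow_rule(), "(enforced)" if rec.enforcing else "(permissive: logged only)")
    for rule in summarize_denials([SAMPLE_AVC, CONSTRUCTED_SECOND_AVC,
                                   "type=SYSCALL msg=audit(1:2): arch=c000003e"]):
        print(rule)
```

A rule generated this way grants the whole `winbind_t` domain the listed access on every file labelled `winbind_exec_t`, so it is worth checking whether a file-context change (such as relabelling the script to a type winbindd may already execute, like `bin_t`) resolves the denial before loading a local module built from the AVC records.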

ghost commented 3 years ago

Paul Raines notifications@github.com writes:

In my samba config I have

idmap config MYDOMAIN : script = /etc/samba/idmap_script.sh

In the past this just required

semanage fcontext -a -t winbind_exec_t /etc/samba/idmap_script.sh

Looking at the history of that module I cannot identify that ever being allowed. Nevertheless, according to the policy you should be able to use type bin_t instead:

remove existing spec

semanage fcontext -d -t winbind_exec_t /etc/samba/idmap_script.sh

add new spec

semanage fcontext -d -t bin_t "/etc/samba/idmap_script.sh"

reset

restorecon -vF /etc/samba/idmap_script.sh

That should address the issue


-- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift

ghost commented 3 years ago

Dominick Grift dominick.grift@defensec.nl writes:

Paul Raines notifications@github.com writes:

In my samba config I have

idmap config MYDOMAIN : script = /etc/samba/idmap_script.sh

In the past this just required

semanage fcontext -a -t winbind_exec_t /etc/samba/idmap_script.sh

Looking at the history of that module I cannot identify that ever being allowed. Nevertheless, according to the policy you should be able to use type bin_t instead:

remove existing spec

semanage fcontext -d -t winbind_exec_t /etc/samba/idmap_script.sh

add new spec

semanage fcontext -d -t bin_t "/etc/samba/idmap_script.sh"

err, make that: semanage fcontext -a -t bin_t "/etc/samba/idmap_script.sh"


ghost commented 3 years ago

I received a similar report from another Centos8 user on IRC but in his case for shorewall. I think some policy bug did creep in rhel8 where the execute_no_trans permission was removed from some permission set, pattern or otherwise lower level macro.

So now it seems that callers of that macro blow up all over the place because they relied on "execute_no_trans"

I couldn't quite find that change in this repository though so maybe it's rhel8 specific (not sure where those sources are hosted). Probably best to file a bug report using the appropriate channels.

ghost commented 3 years ago

never mind that was a slightly different issue...