RHEL-1831

SELinux denies the samba-dcerpcd process a connection to the LDAP server.


Description of problem:

On RHEL8, SELinux denies the samba-dcerpcd process a connection to the LDAP server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
type=AVC msg=audit(1693385544.691:838): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
----
type=AVC msg=audit(1693385545.693:839): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0

type=AVC msg=audit(1693385546.701:840): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
...

setroubleshoot[6462]: SELinux is preventing /usr/libexec/samba/samba-dcerpcd from name_connect access on the tcp_socket port 636.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that samba-dcerpcd should be allowed name_connect access on the port 636 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd
# semodule -X 300 -i my-sambadcerpcd.pp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-pol
# cat my-pol.te

module my-pol 1.0;

require {
	type winbind_rpcd_t;
	type ldap_port_t;
	class tcp_socket name_connect;
}

#============= winbind_rpcd_t ==============

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ldap_port_t:tcp_socket name_connect;

Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux 8
samba-4.17.5-3.el8_8
selinux-policy-targeted-3.14.3-108.el8

How reproducible:

Always

Steps to Reproduce:

1. As per https://access.redhat.com/solutions/337073, set up samba to use an LDAP server.

passdb backend = ldapsam:ldap://rhds.ad.example.com

2. Start winbind.service

# systemctl start winbind

3. Look at the journal log and the audit log.

Actual results:

samba services cannot connect to the LDAP server.
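As an added illustration that is not part of the bug report, the Python below parses the AVC records quoted above (copied verbatim into the script) and renders the same require/allow module that audit2allow produced, while also recording that permissive=0 means each denial was enforced, which is why the connection failed. The regular expressions, function names and sorting are mine, not audit2allow's code.

```python
import re
from collections import defaultdict

# AVC records copied from the bug report above (line breaks from the page removed).
AVC_LOG = """\
type=AVC msg=audit(1693385544.691:838): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1693385545.693:839): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1693385546.701:840): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the parts of one AVC denial needed for a policy rule, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {  # scontext/tcontext are user:role:type:level; the type is field 3
        "perms": set(m.group("perms").split()),
        "stype": f["scontext"].split(":")[2],
        "ttype": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "comm": f.get("comm"),
        # permissive=0: the denial was enforced, so this connect() really failed
        "enforced": f.get("permissive") == "0",
    }

def _fmt(perms):
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def build_te_module(name, avcs):
    """Collapse denials to one allow rule per (source, target, class) and render
    a .te module in the shape 'audit2allow -M' produces."""
    rules, classes = defaultdict(set), defaultdict(set)
    for a in avcs:
        rules[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
        classes[a["tclass"]] |= a["perms"]
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_fmt(sorted(p))};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_fmt(sorted(p))};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out)

def module_from_log(name, log=AVC_LOG):
    avcs = [a for a in map(parse_avc, log.splitlines()) if a]
    return build_te_module(name, avcs)
```

Running `module_from_log("my-pol")` yields the same `allow winbind_rpcd_t ldap_port_t:tcp_socket name_connect;` rule as the report's my-pol.te; the generated module should still be reviewed against the installed policy before loading, as the `#!!!! This avc is allowed in the current policy` note above indicates.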

People: Zdenek Pytela (rhn-support-zpytela), Kazushige Yoneyama (rhn-support-kyoneyam), Amith Kumar Peethambaran