- Bug
- Resolution: Unresolved
- rhel-8.9.0, rhel-9.3.0
- Moderate
- rhel-sst-security-special-projects
- ssg_security
- Red Hat Enterprise Linux
- fapolicyd does not generate AVCs for the accesses covered by rules referencing a user defined by the winbind backend (samba)
What were you trying to do that didn't work?
Customers using fapolicyd with rules making use of users or groups see AVCs when the users or groups are in a winbind backend.
See also PR 16 - Allow fapolicyd to connect to Winbind for user/group resolution
Please provide the package NVR for which the bug is seen:
all fapolicyd releases
How reproducible:
Always
Steps to reproduce
- Add a rule to fapolicyd relying on a user field, with the user in the winbind backend, e.g.:
    allow perm=any uid=satellite-automation : ftype=text/x-python trust=0
Expected results
No AVC seen
Actual results
AVCs:
[...] avc: denied { getattr } for pid=1483617 comm=fapolicyd path=/run/samba/winbindd/pipe dev="tmpfs" ino=19851553 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
[...] avc: denied { connectto } for pid=1483617 comm=fapolicyd path=/run/samba/winbindd/pipe scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_stream_socket
[...] avc: denied { write } for pid=1483617 comm=fapolicyd name=pipe dev="tmpfs" ino=19851553 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
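A small triage helper for AVC records like the ones above, added here as an example and not part of the original report, of fapolicyd or of selinux-policy: it parses each `avc: denied` record, groups the denials by source type, target type and object class, and renders the allow rules a policy fix would have to contain (the same grouping audit2allow performs). The sample input is the three records from this report, embedded as constructed input; `parse_avc`, `summarize` and `to_allow_rules` are names chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in this report, one per line
SAMPLE_AVCS = """\
avc: denied { getattr } for pid=1483617 comm=fapolicyd path=/run/samba/winbindd/pipe dev="tmpfs" ino=19851553 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
avc: denied { connectto } for pid=1483617 comm=fapolicyd path=/run/samba/winbindd/pipe scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_stream_socket
avc: denied { write } for pid=1483617 comm=fapolicyd name=pipe dev="tmpfs" ino=19851553 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
"""

# Shape of a record: avc: denied { perm1 perm2 } for key=value key="quoted value" ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("fields"))}
    return {"perms": m.group("perms").split(), **fields}


def type_of(context):
    """Extract the type from a context such as system_u:system_r:fapolicyd_t:s0."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(text):
    """Group denials by (source type, target type, object class), unioning the permissions.

    Records may be one per line or run together with "[...]" separators, as in the report.
    """
    groups = defaultdict(set)
    for chunk in re.split(r"\[\.\.\.\]|\n", text):
        rec = parse_avc(chunk)
        if rec is None or not all(k in rec for k in ("scontext", "tcontext", "tclass")):
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return dict(groups)


def to_allow_rules(groups):
    """Render each group as the allow rule a policy fix would need, sorted for stable output."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(groups.items())
    ]


if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

For the three records above the grouping collapses to two tuples: fapolicyd_t needs `getattr` and `write` on the winbind_var_run_t sock_file and `connectto` on the winbind_t unix_stream_socket, i.e. exactly the winbindd pipe that user/group resolution goes through. On a live host the same summary can be produced from `ausearch -m AVC -c fapolicyd` output, which is a quick way to confirm that these are the only denials present and, after a policy update, that they are gone.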