RHEL-21777

fapolicyd cannot resolve users and groups through winbind


    • rhel-security-special-projects
    • ssg_security
    • Red Hat Enterprise Linux
    • fapolicyd does not generate AVCs for the accesses covered by rules referencing a user defined by the winbind backend (samba)
    • Bug Fix
      `fapolicyd` no longer fails to identify user accounts from a network source

      Before this update, due to an incorrect security policy configuration, the `fapolicyd` service did not correctly identify users from a network source, which caused errors. This update fixes the security policy to allow the necessary communication. As a result, you can use `fapolicyd` with rules that require a network connection to identify users.

      What were you trying to do that didn't work?

      Customers using fapolicyd with rules making use of users or groups see AVCs when the users or groups are in a winbind backend.

      See also PR 16 - Allow fapolicyd to connect to Winbind for user/group resolution

      Please provide the package NVR for which the bug is seen:

      all fapolicyd releases

      How reproducible:

      Always

      Steps to reproduce

      1.  Add a rule to fapolicyd relying on a user field, with the user in the winbind backend:
          allow perm=any uid=satellite-automation : ftype=text/x-python trust=0

      Expected results

      No AVC seen

      Actual results

      AVCs:

      [...] avc:  denied  { getattr } for  pid=1483617 comm=fapolicyd path=/run/samba/winbindd/pipe dev="tmpfs" ino=19851553 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
      [...] avc:  denied  { connectto } for  pid=1483617 comm=fapolicyd path=/run/samba/winbindd/pipe scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_stream_socket
      [...] avc:  denied  { write } for  pid=1483617 comm=fapolicyd name=pipe dev="tmpfs" ino=19851553 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
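The denials above are what a policy fix has to cover, and they are also what a defender should keep watching for after the fix lands. The following is an added example (not code from this issue, from fapolicyd or from selinux-policy) that parses AVC lines with a regular expression, groups them into audit2allow-style allow rules, and flags any denial not covered by an expected allow set. The sample input is the three lines quoted in the report; the set `WINBIND_ALLOWED` is an assumption derived from those lines, not the actual content of the policy change.

```python
"""Triage SELinux AVC denials and derive the allow rules a policy fix needs.

Added example, not part of RHEL-21777, fapolicyd or selinux-policy. Input is a
block of audit output; output is an audit2allow-style summary plus a check that
flags denials an expected allow set does not cover.
"""
import re
from collections import defaultdict

# Constructed sample input: the three denials quoted in the issue, with the
# "[...]" prefix standing in for the elided timestamp/type fields.
SAMPLE_AVCS = """\
[...] avc:  denied  { getattr } for  pid=1483617 comm=fapolicyd path=/run/samba/winbindd/pipe dev="tmpfs" ino=19851553 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
[...] avc:  denied  { connectto } for  pid=1483617 comm=fapolicyd path=/run/samba/winbindd/pipe scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_stream_socket
[...] avc:  denied  { write } for  pid=1483617 comm=fapolicyd name=pipe dev="tmpfs" ino=19851553 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
"""

# "avc:  denied  { perm perm } for  key=value ..." ; perms may be several words.
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values are either double-quoted (dev="tmpfs") or bare tokens.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type component of an SELinux context (user:role:type[:level])."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if the line is not an AVC."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group(1),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        # sock_file denials carry either path= (full path) or name= (basename)
        "path": fields.get("path") or fields.get("name"),
        "stype": _type_of(fields["scontext"]),
        "ttype": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_avcs(text):
    """Parse every AVC line in a block of audit output, skipping other records."""
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def summarize(denials):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for d in denials:
        if d["decision"] == "denied":
            grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return {k: sorted(v) for k, v in sorted(grouped.items())}


def to_te_rules(summary):
    """Render grouped denials as allow rules in .te syntax, as audit2allow would."""
    rules = []
    for (stype, ttype, tclass), perms in summary.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def unexpected(denials, allowed):
    """Return denials with any permission not in `allowed` ((stype, ttype, tclass, perm) tuples).

    Detection use: after the policy fix, a fapolicyd denial that is still
    reported, or one against a different target, should stand out here.
    """
    return [d for d in denials
            if any((d["stype"], d["ttype"], d["tclass"], p) not in allowed for p in d["perms"])]


# Assumption: the accesses the fix for this issue is expected to grant,
# derived from the three denials in the report (not the real policy diff).
WINBIND_ALLOWED = {
    ("fapolicyd_t", "winbind_var_run_t", "sock_file", "getattr"),
    ("fapolicyd_t", "winbind_var_run_t", "sock_file", "write"),
    ("fapolicyd_t", "winbind_t", "unix_stream_socket", "connectto"),
}

if __name__ == "__main__":
    denials = parse_avcs(SAMPLE_AVCS)
    for rule in to_te_rules(summarize(denials)):
        print(rule)
    print("uncovered:", unexpected(denials, WINBIND_ALLOWED))
```

Run against `ausearch -m avc` output instead of the embedded sample to see the two rules the winbind socket access requires; the `unexpected` check is the part to keep in a monitoring job, with the allow set taken from the policy actually shipped rather than the constructed one here.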

              rsroka@redhat.com Radovan Sroka (Inactive)
              rhn-support-rmetrich Renaud Métrich
              Natália Bubáková
              Zuzana Fantini Zoubkova
              Votes: 0
              Watchers: 7