RHEL-23450

Samba's NetworkManager dispatcher script is not allowed to check service status

    • Bug
    • Resolution: Won't Do
    • rhel-8.2.0.z
    • selinux-policy
    • rhel-sst-security-selinux
    • ssg_security

      Samba has a NetworkManager Dispatcher Script to tell the winbind service we are offline or online. This is needed for winbind offline authentication support. The script checks the status of the service via systemd.

      You can find the script here:
      https://gitlab.com/samba-team/samba/-/blob/master/packaging/NetworkManager/30-winbind-systemd?ref_type=heads

      This seems to be denied in RHEL 8.2 [osci.brew-build.installability.functional]
      https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/58417080

      ----
      type=USER_AVC msg=audit(01/30/2024 23:55:28.188:3772) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/winbind.service cmdline="" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:samba_unit_file_t:s0 tclass=service permissive=0  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
      BAD remove: samba-winbind-krb5-locator-0:4.11.2-23.el8_2.x86_64 (selinux AVCs)
      ----
      type=USER_AVC msg=audit(01/30/2024 23:55:28.188:3772) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/winbind.service cmdline="" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:samba_unit_file_t:s0 tclass=service permissive=0  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
      BAD remove: samba-winbind-krb5-locator-debuginfo-0:4.11.2-23.el8_2.x86_64 (selinux AVCs)
      ----
      type=USER_AVC msg=audit(01/30/2024 23:55:28.188:3772) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/winbind.service cmdline="" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:samba_unit_file_t:s0 tclass=service permissive=0  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
      BAD remove: samba-winbind-modules-0:4.11.2-23.el8_2.x86_64 (selinux AVCs)
      ----
      type=USER_AVC msg=audit(01/30/2024 23:55:28.188:3772) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/winbind.service cmdline="" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:samba_unit_file_t:s0 tclass=service permissive=0  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
      BAD remove: samba-winbind-modules-debuginfo-0:4.11.2-23.el8_2.x86_64 (selinux AVCs)
      ----
      type=USER_AVC msg=audit(01/30/2024 23:55:28.188:3772) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/winbind.service cmdline="" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:samba_unit_file_t:s0 tclass=service permissive=0  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
      

              rhn-support-zpytela Zdenek Pytela
              anschnei@redhat.com Andreas Schneider
              Zdenek Pytela Zdenek Pytela
              SSG Security QE SSG Security QE
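
Added example, not part of the original issue or of any Samba or Red Hat tooling: the Python below parses USER_AVC records in the format quoted in the report, collapses repeats by audit event ID, and renders the denied access in type-enforcement rule syntax as a triage summary. The function names and the shortened two-package sample are constructed for illustration.

```python
import re

# Constructed sample: the AVC record quoted in the report, repeated for two packages.
AVC = ("type=USER_AVC msg=audit(01/30/2024 23:55:28.188:3772) : pid=1 uid=root auid=unset "
       "ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for "
       "auid=unset uid=root gid=root path=/usr/lib/systemd/system/winbind.service "
       "cmdline=\"\" scontext=system_u:system_r:NetworkManager_t:s0 "
       "tcontext=system_u:object_r:samba_unit_file_t:s0 tclass=service permissive=0  "
       "exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'")
SAMPLE = "\n".join(f"----\n{AVC}\nBAD remove: {p} (selinux AVCs)" for p in (
    "samba-winbind-modules-0:4.11.2-23.el8_2.x86_64",
    "samba-winbind-krb5-locator-0:4.11.2-23.el8_2.x86_64"))

EVENT_RE = re.compile(r"msg=audit\((?P<stamp>[^)]*):(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass|path|permissive)=(\S+)")
PKG_RE = re.compile(r"^BAD \w+: (\S+)")

def summarize(report):
    """Return (unique denials keyed by audit event ID, packages flagged BAD)."""
    events, packages = {}, []
    for line in map(str.strip, report.splitlines()):
        ev, avc, pkg = EVENT_RE.search(line), AVC_RE.search(line), PKG_RE.match(line)
        if pkg:
            packages.append(pkg.group(1))
        if not (ev and avc):
            continue
        f = dict(FIELD_RE.findall(line))
        denial = events.setdefault((ev["stamp"], int(ev["serial"])), {
            "source": f["scontext"].split(":")[2],  # type is the 3rd context field
            "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"],
            "perms": avc["perms"].split(),
            "path": f.get("path"),
            "enforced": f.get("permissive") == "0",  # permissive=0: access was blocked
            "seen": 0,
        })
        denial["seen"] += 1  # same timestamp:serial means the same audit event
    return events, packages

def te_rule(d):
    """Render a denial in type-enforcement rule syntax (a summary, not a fix)."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
    return "allow %s %s:%s %s;" % (d["source"], d["target"], d["tclass"], perms)

if __name__ == "__main__":
    events, packages = summarize(SAMPLE)
    for (stamp, serial), d in events.items():
        print(f"event {serial} seen {d['seen']}x, {len(packages)} packages: {te_rule(d)}")
```

Records that share a timestamp and serial are one audit event, so a report that lists the same denial under several packages reduces to a single access vector to review.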