RHEL-25724

Add support for samba-gpupdate [SELinux]

    • selinux-policy-38.1.42-1.el9
    • sst_security_selinux
    • ssg_security
    • CY24Q2
    • SELinux policy confines the samba-gpupdate program. The samba-gpupdate program runs in default configuration without triggering SELinux denials.
    • Pass
    • Unspecified Release Note Type - Unknown

      There is a new feature in Samba for Certificate Auto Enrollment (RHEL-2109). For this we need SELinux coverage. The tool /usr/sbin/samba-gpupdate is not labeled yet and can be executed manually or by Samba's winbind.

      So we might need to label it first and then run it. Currently, samba-gpupdate runs certmonger tools like `getcert` and executes cepces-submit. Certmonger then tries to store certificates directly in /var/lib/samba/certs or /var/lib/samba/private/certs, as the denials below show:

      type=AVC msg=audit(1708006790.874:249): avc:  denied  { read write } for  pid=1934 comm="certmonger" name="certs" dev="sda3" ino=495966 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=dir permissive=1
      type=AVC msg=audit(1708006791.486:250): avc:  denied  { open } for  pid=2713 comm="cepces-submit" path="/var/log/cepces/cepces.log" dev="sda3" ino=555610 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1708006794.982:251): avc:  denied  { add_name } for  pid=2799 comm="certmonger" name="EARTH-ROOT-CA.Machine.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=dir permissive=1
      type=AVC msg=audit(1708006794.983:252): avc:  denied  { create } for  pid=2799 comm="certmonger" name="EARTH-ROOT-CA.Machine.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file permissive=1
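As an added example (not from the ticket and not part of selinux-policy), the script below folds the AVC records quoted above into one permission set per (source type, target type, class) and renders them as candidate allow rules, the way audit2allow would, so the policy coverage samba-gpupdate and certmonger need can be reviewed; the function and variable names are my own.

```python
import re
from collections import defaultdict

# The four AVC records quoted in the issue description, embedded as sample input.
AVC_SAMPLE = """\
type=AVC msg=audit(1708006790.874:249): avc:  denied  { read write } for  pid=1934 comm="certmonger" name="certs" dev="sda3" ino=495966 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1708006791.486:250): avc:  denied  { open } for  pid=2713 comm="cepces-submit" path="/var/log/cepces/cepces.log" dev="sda3" ino=555610 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1708006794.982:251): avc:  denied  { add_name } for  pid=2799 comm="certmonger" name="EARTH-ROOT-CA.Machine.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1708006794.983:252): avc:  denied  { create } for  pid=2799 comm="certmonger" name="EARTH-ROOT-CA.Machine.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file permissive=1
"""

# Pull the denied permission set, source/target contexts, class and permissive flag.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def type_of(context):
    """Type component of a user:role:type:level context string."""
    return context.split(":")[2]

def parse_avc(text):
    """Return one dict per AVC denial in text; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append({"perms": set(m["perms"].split()), "stype": type_of(m["scontext"]),
                        "ttype": type_of(m["tcontext"]), "tclass": m["tclass"],
                        "permissive": m["permissive"] == "1"})
    return out

def summarise(text):
    """Merge denials into {(stype, ttype, tclass): sorted permission list}."""
    merged = defaultdict(set)
    for d in parse_avc(text):
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return {k: sorted(v) for k, v in merged.items()}

def allow_rules(text):
    """Render the merged sets as allow rules, for review rather than for loading verbatim."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summarise(text).items())]

if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_SAMPLE)))
```

The merged triples are a starting point for choosing the right interfaces and file contexts (for example a dedicated label for /var/log/cepces rather than granting certmonger_t access to all of var_log_t), not rules to load as they stand; permissive=1 on every record means the denials were only logged, so the list is complete for this run.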
      

            Zdenek Pytela (rhn-support-zpytela)
            Andreas Schneider (anschnei@redhat.com)
            Zdenek Pytela
            Milos Malik