-
Bug
-
Resolution: Unresolved
-
Normal
-
rhel-9.4
-
selinux-policy-38.1.42-1.el9
-
None
-
None
-
1
-
sst_security_selinux
-
ssg_security
-
22
-
None
-
False
-
-
No
-
CY24Q2
-
Unspecified Release Note Type - Unknown
-
None
There is a new feature in Samba for Certificate Auto Enrollment (RHEL-2109). For this we need SELinux coverage. The tool /usr/sbin/samba-gpupdate is not labeled yet and can be executed manually or by Samba's winbind.
So we might need to first label it and then run it. Currently, samba-gpupdate runs certmonger tools like `getcert`. And executes cepces-submit. Certmonger then tries to store certificates in the /var/lib/samba/certs or /var/lib/samba/private/certs directly, this can be seen below:
type=AVC msg=audit(1708006790.874:249): avc: denied { read write } for pid=1934 comm="certmonger" name="certs" dev="sda3" ino=495966 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1708006791.486:250): avc: denied { open } for pid=2713 comm="cepces-submit" path="/var/log/cepces/cepces.log" dev="sda3" ino=555610 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 type=AVC msg=audit(1708006794.982:251): avc: denied { add_name } for pid=2799 comm="certmonger" name="EARTH-ROOT-CA.Machine.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1708006794.983:252): avc: denied { create } for pid=2799 comm="certmonger" name="EARTH-ROOT-CA.Machine.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file permissive=1
- blocks
-
RHEL-2109 [RHEL9] [RFE] Support Certificate Auto Enrollment in Samba
- Release Pending
- is related to
-
RHEL-59778 Package certs directories in samba-common for gpupdate
- Integration
- links to
-
RHBA-2024:130707 selinux-policy bug fix and enhancement update