
OPERATIONAL DEFECT DATABASE
...

...
Description of problem:
On RHEL 8, SELinux denies the samba-dcerpcd process a connection to the LDAP server.

type=AVC msg=audit(1693385544.691:838): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
----
type=AVC msg=audit(1693385545.693:839): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1693385546.701:840): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
...
setroubleshoot[6462]: SELinux is preventing /usr/libexec/samba/samba-dcerpcd from name_connect access on the tcp_socket port 636.

Plugin catchall (100. confidence) suggests **************************

If you believe that samba-dcerpcd should be allowed name_connect access on the port 636 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd
semodule -X 300 -i my-sambadcerpcd.pp

Generating the local module with audit2allow shows the rule it derives from the denials:

ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-pol
cat my-pol.te
module my-pol 1.0;

require {
	type winbind_rpcd_t;
	type ldap_port_t;
	class tcp_socket name_connect;
}

#============= winbind_rpcd_t ==============

#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ldap_port_t:tcp_socket name_connect;

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 8
samba-4.17.5-3.el8_8
selinux-policy-targeted-3.14.3-108.el8

How reproducible:
Always

Steps to Reproduce:
1. As per https://access.redhat.com/solutions/337073, set up samba to use an LDAP server:
   passdb backend = ldapsam:ldap://rhds.ad.example.com
2. Start winbind.service:
   systemctl start winbind
3. Look at the journal log and the audit log.

Actual results:
samba services cannot connect to the LDAP server.
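The AVC records above carry everything audit2allow needs: the source type from scontext, the target type from tcontext, the object class and the denied permission set. The following added example (not part of the report, and not Red Hat's or the audit2allow code) parses constructed copies of those records, aggregates the denials per (source, target, class) tuple, renders them in the .te layout shown above, and exposes a check for the specific winbind_rpcd_t -> ldap_port_t name_connect denial so an operator can confirm the bug from an audit log without installing a module.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records quoted in the report plus an unrelated SYSCALL record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1693385544.691:838): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1693385545.693:839): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1693385545.693:839): arch=c000003e syscall=42 success=no exit=-13
"""

# Fields of a kernel AVC denial record that a policy rule is built from (spacing is flexible).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bscontext=(?P<scontext>\S+)"
                    r".*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\S+)")

def sel_type(context):
    """Type component of a context such as system_u:system_r:winbind_rpcd_t:s0."""
    return context.split(":")[2]

def collect_denials(audit_text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # anything else (SYSCALL, USER_AUTH, ...) carries no AVC decision
            key = (sel_type(m["scontext"]), sel_type(m["tcontext"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)

def fmt_perms(perms):
    """audit2allow style: a single permission bare, several inside braces."""
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_te(denials, module_name="my-pol"):
    """Render the collected denials as a .te module in the layout audit2allow emits."""
    by_class = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        by_class[cls].update(perms)
    types = sorted({t for s, tt, _ in denials for t in (s, tt)})
    lines = [f"module {module_name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(sorted(p))};" for c, p in sorted(by_class.items())]
    lines += ["}", ""]
    for (s, t, cls), perms in sorted(denials.items()):
        lines.append(f"allow {s} {t}:{cls} {fmt_perms(sorted(perms))};")
    return "\n".join(lines) + "\n"

def winbind_ldap_denied(denials):
    """True when the exact denial described in this report is present in the log."""
    return "name_connect" in denials.get(("winbind_rpcd_t", "ldap_port_t", "tcp_socket"), set())
```

Feed it the output of `ausearch -m AVC --raw` (or the raw audit.log) instead of SAMPLE_AUDIT to run it against a real host; the rendered module is for review, and the report's own audit2allow/semodule commands remain the way to load one.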
Duplicate