BugZero | Red Hat BugID RHEL-1831 - SELinux denies to process samba-dceprcd during con...

Red Hat - Defect ID: RHEL-1831

SELinux denies to process samba-dceprcd during connection to LDAP server.

Red Hat - Defect ID: RHEL-1831

SELinux denies to process samba-dceprcd during connection to LDAP server.

Last updated on September 23rd, 2024

BugZero Risk Score
5.0 Medium

Overall: 5.0

Severity: 5.5

Community: 5.1

Lifecycle: 9.1

What is the BugZero Risk Score?

Red Hat Integration

Learn more about where this data comes from

Red Hat Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: Normal
Status: Closed
Impact Category: selinux-policy
Views: 26

Description

Issue

Description of problem: On RHEL8, SELinux denies to process samba-dceprcd during connection to LDAP server. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ type=AVC msg=audit(1693385544.691:838): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0 ---- type=AVC msg=audit(1693385545.693:839): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0 type=AVC msg=audit(1693385546.701:840): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0 ... setroubleshoot[6462]: SELinux is preventing /usr/libexec/samba/samba-dcerpcd from name_connect access on the tcp_socket port 636. Plugin catchall (100. confidence) suggests ************************** If you believe that samba-dcerpcd should be allowed name_connect access on the port 636 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd semodule -X 300 -i my-sambadcerpcd.pp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-pol cat my-pol.te module my-pol 1.0; require { type winbind_rpcd_t; type ldap_port_t; class tcp_socket name_connect; } #============= winbind_rpcd_t ============== #!!!! This avc is allowed in the current policy allow winbind_rpcd_t ldap_port_t:tcp_socket name_connect; Version-Release number of selected component (if applicable): Red Hat Enterprise Linux 8 samba-4.17.5-3.el8_8 selinux-policy-targeted-3.14.3-108.el8 How reproducible: Always Steps to Reproduce: 1. As per https://access.redhat.com/solutions/337073, setup samba to use a ldap server. passdb backend = ldapsam:ldap://rhds.ad.example.com 2. Start winbind.service systemctl start winbind 3. Look at journal log and audit log Actual results: samba services cannot connect to the LDAP server.

Release Notes

No. of Comments

Resolution

Duplicate

Relevant Products

Click on a version to see all relevant bugs

Affected versions:8.8.0

Fixed versions: 8.10

Relevant Products

Click on a version to see all relevant bugs

Affected versions:8.8.0

Fixed versions: 8.10

Top Red Hat Defects

9.2Defect ID: RHEL-131697
Live migration after workload update fails with operation failed: guest CPU doesn't match specification: missing features: pdcm
9.2Defect ID: RHEL-103384
[virtio-win][WHQL][GPU] 'DXGI Gamma Ramps' couldn't be filtered
9.2Defect ID: RHEL-92633
ksh reports /usr/bin/ksh as "$0" instead of script name, when script executes under sudo + checksum verification
9.0Defect ID: RHEL-137274
supplier general protection fault ip:7fcf33d78b10 sp:7fceba137058 error:0 in libslapd.so.0.1.0 when reinit the consumer
7.6Defect ID: RHEL-115990
RFE: Set boot order for guests in -o kubevirt output mode [rhel-10.2]

Ready to prevent the next vendor outage?

Get a demo

Red Hat - Defect ID: RHEL-1831

SELinux denies to process samba-dceprcd during connection to LDAP server.

Red Hat - Defect ID: RHEL-1831

SELinux denies to process samba-dceprcd during connection to LDAP server.

Last updated on September 23rd, 2024

BugZero Risk Score5.0 Medium

Bug Details

Issue

Release Notes

No. of Comments

Resolution

Top Red Hat Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
5.0 Medium