Issue
Description of problem:
On RHEL8, SELinux denies the samba-dcerpcd process a connection to the LDAP server.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
type=AVC msg=audit(1693385544.691:838): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
----
type=AVC msg=audit(1693385545.693:839): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
----
type=AVC msg=audit(1693385546.701:840): avc: denied { name_connect } for pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
...
setroubleshoot[6462]: SELinux is preventing /usr/libexec/samba/samba-dcerpcd from name_connect access on the tcp_socket port 636.
Plugin catchall (100. confidence) suggests
**************************
If you believe that samba-dcerpcd should be allowed name_connect access on the port 636 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd
semodule -X 300 -i my-sambadcerpcd.pp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-pol
cat my-pol.te
module my-pol 1.0;
require {
type winbind_rpcd_t;
type ldap_port_t;
class tcp_socket name_connect;
}
#============= winbind_rpcd_t ==============
#!!!! This avc is allowed in the current policy
allow winbind_rpcd_t ldap_port_t:tcp_socket name_connect;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
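To triage denials like the ones above offline (for example from an exported audit log, without running audit2allow on the affected host), here is an added Python example that is not part of this bug report: it parses AVC records into their source type, target type, class and permissions, and derives the same allow rule audit2allow prints. The sample records are constructed to mirror the report's samba-dcerpcd denials.

```python
"""Parse SELinux AVC records and derive the minimal TE allow rules.

Added example, not from the bug report. SAMPLE_AUDIT is constructed to match
the shape of the report's denials (winbind_rpcd_t -> ldap_port_t:tcp_socket).
"""
import re

SAMPLE_AUDIT = """\
type=AVC msg=audit(1693385544.691:838): avc:  denied  { name_connect } for  pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1693385544.691:838): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1693385545.693:839): avc:  denied  { name_connect } for  pid=6591 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
"""

# Field layout of an AVC record as written by the kernel to the audit log.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for '
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(text):
    """Return one dict per AVC record; lines of other audit types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        # A context is user:role:type:level; the type is what TE rules refer to.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records


def allow_rules(records):
    """Collapse enforced denials into allow statements, one per (source, target, class)."""
    wanted = {}
    for r in records:
        if r["result"] != "denied":
            continue
        key = (r["stype"], r["ttype"], r["tclass"])
        wanted.setdefault(key, set()).update(r["perms"])
    return [f"allow {s} {t}:{c} {' '.join(sorted(p))};" for (s, t, c), p in wanted.items()]


if __name__ == "__main__":
    for rule in allow_rules(parse_avc(SAMPLE_AUDIT)):
        print(rule)
```

The rule this produces is only a starting point for review; as the audit2allow comment above shows, a rule that the loaded policy already contains usually points at a boolean or a policy-version mismatch rather than a genuinely missing allow.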
Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 8
samba-4.17.5-3.el8_8
selinux-policy-targeted-3.14.3-108.el8
How reproducible:
Always
Steps to Reproduce:
1. As per https://access.redhat.com/solutions/337073, set up Samba to use an LDAP server.
passdb backend = ldapsam:ldap://rhds.ad.example.com
2. Start winbind.service
systemctl start winbind
3. Look at journal log and audit log
Actual results:
Samba services cannot connect to the LDAP server.