selinux-policy/backport-Allow-samba-dcerpcd-work-with-sssd.patch
2023-08-24 11:33:18 +08:00

From 88a28fc843a9e3a0039647d0b6fdd5ac7895a286 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 21 Jun 2022 16:02:49 +0200
Subject: [PATCH] Allow samba-dcerpcd work with sssd
Addresses the following AVC denials:
type=AVC msg=audit(1655206265.325:3211): avc: denied { open } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655206265.325:3214): avc: denied { connectto } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1655206265.325:3214): avc: denied { write } for pid=33521 comm="samba-dcerpcd" name="nss" dev="vda3" ino=17045861 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
Resolves: rhbz#2096825
---
policy/modules/contrib/samba.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 5e851af84a..091e016fd0 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1215,6 +1215,11 @@ optional_policy(`
logging_send_syslog_msg(winbind_rpcd_t)
')
+optional_policy(`
+ sssd_read_public_files(winbind_rpcd_t)
+ sssd_stream_connect(winbind_rpcd_t)
+')
+
optional_policy(`
sysnet_read_config(winbind_rpcd_t)
')
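
Review bot: the new optional_policy block after the logging_send_syslog_msg block has no comment tying its two interface calls to the three denials quoted in the commit message (open on an sssd_public_t file, connectto on the sssd_t unix_stream_socket, write on the sssd_var_lib_t sock_file). Please confirm that sssd_stream_connect(winbind_rpcd_t) covers both the connectto and the sock_file write, and that sssd_read_public_files(winbind_rpcd_t) grants no more than the read access samba-dcerpcd needs on /var/lib/sss/mc. All three AVCs were logged with permissive=1, so it would also help to state in the commit message that the change was retested in enforcing mode with no further winbind_rpcd_t denials.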