From e9ed412d419a865d8a9a396469d1f2bda351f30d Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 17 Jun 2022 19:46:05 +0200
Subject: [PATCH] Allow winbind_rpcd_t connect to self over a
unix_stream_socket
Addresses the following AVC denial:
type=PROCTITLE msg=audit(06/13/2022 04:54:59.247:2004) : proctitle=/usr/libexec/samba/rpcd_classic --configfile=/etc/samba/smb.conf --worker-group=6 --worker-index=0 --debuglevel=10
type=AVC msg=audit(06/13/2022 04:54:59.247:2004) : avc: denied { connectto } for pid=23402 comm=rpcd_classic path=/run/samba/ncalrpc/np/winreg scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(06/13/2022 04:54:59.247:2004) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x10 a1=0x5624dd0ca5d0 a2=0x6e a3=0x7fe7094db260 items=0 ppid=23239 pid=23402 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_classic exe=/usr/libexec/samba/rpcd_classic subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
Resolves: rhbz#2096255
---
policy/modules/contrib/samba.te | 1 +
1 file changed, 1 insertion(+)
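diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 7087c37e7a..5e851af84a 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1168,6 +1168,7 @@ optional_policy(`
 allow winbind_rpcd_t self:capability { setgid setuid };
 allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
 allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow winbind_rpcd_t self:unix_stream_socket connectto;
 allow winbind_rpcd_t self:udp_socket create_socket_perms;
 
 allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;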
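Review bot: The added `allow winbind_rpcd_t self:unix_stream_socket connectto;` has no comment saying which socket it serves, so a later least-privilege audit of samba.te cannot tell why the domain must connect to itself. The AVC in the commit message shows rpcd_classic connecting to /run/samba/ncalrpc/np/winreg with source and target context both winbind_rpcd_t, so a line above the rule such as `# rpcd_* workers connect to ncalrpc sockets owned by the same domain (rhbz#2096255)` would record the reason. That denial was logged with permissive=0, where only the first blocked permission is reported, so the reproducer should be re-run with the rule loaded to check for follow-on denials on the same socket. The neighbouring winbind_rpcd_t rules continue outside the hunk, so whether stream-socket create permissions are granted elsewhere cannot be confirmed from here.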