Hi,

since 4.12 Samba SELinux context for /var/run/samba is not correct anymore:

```
root at files:~ # ls -la -Z /var/run/samba/
total 12
drwxr-xr-x.  5 root root system_u:object_r:var_run_t:s0  160 Apr  3 20:42 .
drwxr-xr-x. 30 root root system_u:object_r:var_run_t:s0 1000 Apr  3 18:39 ..
drwxr-xr-x.  3 root root system_u:object_r:var_run_t:s0   60 Apr  3 18:39 ncalrpc
drwxr-xr-x.  2 root root system_u:object_r:var_run_t:s0   60 Apr  3 18:39 nmbd
-rw-r--r--.  1 root root system_u:object_r:var_run_t:s0    5 Apr  3 18:39 nmbd.pid
-rw-r--r--.  1 root root system_u:object_r:var_run_t:s0    5 Apr  3 18:39 smbd.pid
drwxr-xr-x.  2 root root system_u:object_r:var_run_t:s0   60 Apr  3 20:42 winbindd
-rw-r--r--.  1 root root system_u:object_r:var_run_t:s0    5 Apr  3 20:42 winbindd.pid
```

Remote ssh login via winbind/pam-auth is not working anymore because sshd wants to access /var/run/samba/winbindd/pipe:

`preventing /usr/sbin/sshd from getattr access on the sock_file /run/samba/winbindd/pipe`

Could this be fixed in 4.12.1? Meanwhile we set SELinux permissive.

Tobias

--
collect at shift.agency
On 03/04/2020 20:34, Tobias Kirchhofer via samba wrote:
> Hi,
>
> since 4.12 Samba SELinux context for /var/run/samba is not correct anymore:
>
> ```
> root at files:~ # ls -la -Z /var/run/samba/
> total 12
> drwxr-xr-x.  5 root root system_u:object_r:var_run_t:s0  160 Apr  3 20:42 .
> drwxr-xr-x. 30 root root system_u:object_r:var_run_t:s0 1000 Apr  3 18:39 ..
> drwxr-xr-x.  3 root root system_u:object_r:var_run_t:s0   60 Apr  3 18:39 ncalrpc
> drwxr-xr-x.  2 root root system_u:object_r:var_run_t:s0   60 Apr  3 18:39 nmbd
> -rw-r--r--.  1 root root system_u:object_r:var_run_t:s0    5 Apr  3 18:39 nmbd.pid
> -rw-r--r--.  1 root root system_u:object_r:var_run_t:s0    5 Apr  3 18:39 smbd.pid
> drwxr-xr-x.  2 root root system_u:object_r:var_run_t:s0   60 Apr  3 20:42 winbindd
> -rw-r--r--.  1 root root system_u:object_r:var_run_t:s0    5 Apr  3 20:42 winbindd.pid
> ```
>
> Remote ssh login via winbind/pam-auth is not working anymore because sshd wants to access /var/run/samba/winbindd/pipe:
>
> `preventing /usr/sbin/sshd from getattr access on the sock_file /run/samba/winbindd/pipe`
>
> Could this be fixed in 4.12.1? Meanwhile we set SELinux permissive.
>
> Tobias

Sorry Tobias, but Samba does not supply the SELinux context. I suggest you contact your Samba package supplier, which is usually your OS.

Rowland
On 3 Apr 2020, at 21:53, Rowland penny via samba wrote:
> On 03/04/2020 20:34, Tobias Kirchhofer via samba wrote:
>> Hi,
>>
>> since 4.12 Samba SELinux context for /var/run/samba is not correct anymore:
>>
>> ```
>> root at files:~ # ls -la -Z /var/run/samba/
>> total 12
>> drwxr-xr-x.  5 root root system_u:object_r:var_run_t:s0  160 Apr  3 20:42 .
>> drwxr-xr-x. 30 root root system_u:object_r:var_run_t:s0 1000 Apr  3 18:39 ..
>> drwxr-xr-x.  3 root root system_u:object_r:var_run_t:s0   60 Apr  3 18:39 ncalrpc
>> drwxr-xr-x.  2 root root system_u:object_r:var_run_t:s0   60 Apr  3 18:39 nmbd
>> -rw-r--r--.  1 root root system_u:object_r:var_run_t:s0    5 Apr  3 18:39 nmbd.pid
>> -rw-r--r--.  1 root root system_u:object_r:var_run_t:s0    5 Apr  3 18:39 smbd.pid
>> drwxr-xr-x.  2 root root system_u:object_r:var_run_t:s0   60 Apr  3 20:42 winbindd
>> -rw-r--r--.  1 root root system_u:object_r:var_run_t:s0    5 Apr  3 20:42 winbindd.pid
>> ```
>>
>> Remote ssh login via winbind/pam-auth is not working anymore because sshd wants to access /var/run/samba/winbindd/pipe:
>>
>> `preventing /usr/sbin/sshd from getattr access on the sock_file /run/samba/winbindd/pipe`
>>
>> Could this be fixed in 4.12.1? Meanwhile we set SELinux permissive.
>>
>> Tobias
>
> Sorry Tobias, but Samba does not supply the SELinux context. I suggest you contact your Samba package supplier, which is usually your OS.
>
> Rowland

Thank you Rowland for setting me on the right track :)

I had Sernet as target group in mind when I wrote the post. With updating to 4.12 SELinux permissions changed. They have a wrapper to start services. My thought was that something changed at startup of winbindd.

Sernet does not have a direct mailing list, does it?

Tobias

--
collect at shift.agency
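Added example, not code from this thread, from Samba or from SerNet: a small POSIX shell audit that parses `ls -laZ` output for /run/samba and lists every entry still carrying the generic `var_run_t` type, which is the symptom shown in the first post. The sample listing is constructed to mirror that post. The `preview_relabel` helper assumes `policycoreutils` (`restorecon`) is installed and that the distribution's samba policy module defines Samba-specific types (in the reference policy these are `samba_var_run_t` and `winbind_var_run_t`; confirm with `matchpathcon` on your own system), which is exactly the part Rowland points out comes from the OS packager, not from Samba.

```shell
#!/bin/sh
# Audit SELinux labels under /run/samba for the generic var_run_t type.
# Added example; not part of the mailing-list thread or of Samba itself.

# Constructed sample of `ls -laZ /run/samba` output, mirroring the listing
# in the first post (not captured from a live host).
SAMPLE_LISTING='total 12
drwxr-xr-x.  5 root root system_u:object_r:var_run_t:s0  160 Apr  3 20:42 .
drwxr-xr-x. 30 root root system_u:object_r:var_run_t:s0 1000 Apr  3 18:39 ..
drwxr-xr-x.  3 root root system_u:object_r:var_run_t:s0   60 Apr  3 18:39 ncalrpc
drwxr-xr-x.  2 root root system_u:object_r:var_run_t:s0   60 Apr  3 18:39 nmbd
-rw-r--r--.  1 root root system_u:object_r:var_run_t:s0    5 Apr  3 18:39 nmbd.pid
-rw-r--r--.  1 root root system_u:object_r:var_run_t:s0    5 Apr  3 18:39 smbd.pid
drwxr-xr-x.  2 root root system_u:object_r:var_run_t:s0   60 Apr  3 20:42 winbindd
-rw-r--r--.  1 root root system_u:object_r:var_run_t:s0    5 Apr  3 20:42 winbindd.pid'

# Read `ls -laZ` output on stdin and print "<context> <name>" for every
# entry whose type is the generic var_run_t. Field 5 is the context and the
# last field the name; ".." is the parent (/run) and is legitimately
# var_run_t, so it is skipped. "." is /run/samba itself and is reported.
find_generic_labels() {
    awk 'NF >= 9 && $5 ~ /:var_run_t:/ && $NF != ".." { print $5, $NF }'
}

# Number of mislabelled entries in the constructed sample (7 expected).
count_generic_labels() {
    printf '%s\n' "$SAMPLE_LISTING" | find_generic_labels | wc -l | tr -d ' '
}

# On a live host: run the same check against the real directory.
audit_live() {
    ls -laZ "${1:-/run/samba}" | find_generic_labels
}

# On a live host with policycoreutils: show what restorecon WOULD relabel
# according to the installed policy's file contexts, without changing
# anything (-n). If this prints nothing while audit_live still reports
# var_run_t, the packager's policy has no Samba-specific context for the
# path, and the fix belongs with the OS/package supplier, as the reply says.
preview_relabel() {
    restorecon -nRv "${1:-/run/samba}"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | find_generic_labels
```

Run `audit_live` and `preview_relabel` as root on the affected host; the expected-context lookup for a single path is `matchpathcon /run/samba/winbindd/pipe`, and a non-empty `preview_relabel` output followed by `restorecon -Rv /run/samba` is the usual remedy when the policy is correct but the files were created before it was loaded.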