[Samba] SELinux & samba-dcerpcd

E R fasteddieinaustin at gmail.com
Tue Jun 11 23:24:04 UTC 2024

I am working towards getting SELinux implemented on a web server that
also runs Samba thanks to Thomas Cameron's excellent video
https://www.youtube.com/watch?v=_WOKRaM-HI4.  I set the SELinux label
on the web site folder (which is also the shared folder in Samba) to
public_content_rw_t and set the bool smbd_anon_write to 1 so that
Apache and Samba can hopefully coexist and Samba has write permission.
But periodically RHEL reports:

"SELinux is preventing samba-dcerpcd from ioctl access on the
directory /export/home/xxx/htdocs" (this is the web site folder and
shared folder)

Does anyone have insight (other than the man page) into what this
process may be trying to do before I follow the suggestion of using
the audit2allow tool to create a module to address? (I did flip the
system over to enforcing mode to try to see if things would be broken
but so far everything is working.)  I also found a bug listed in
https://bugzilla.redhat.com/show_bug.cgi?id=2150680 for RHEL 9 (same
version that RHEL 8 has) where a similar issue was resolved in RHEL
9.2 that seems to point to this being an SELinux issue. I do not see
any references to samba-dcerpcd in the release notes since Samba
4.19.4 indicating there are any issues with this program that I may be
missing by running an older release.

RHEL 8.8
Samba version 4.19.4 (output from smbstatus but not sure if this
matches the real Samba release or not with RHEL's naming conventions)
Package Version:  4.19.4, Release 3.el8 (output from yum info)

Additional Information:
Source Context                system_u:system_r:winbind_rpcd_t:s0
Target Context                unconfined_u:object_r:public_content_rw_t:s0
Target Objects                /export/home/xxx/htdocs [ dir ]
Source                        samba-dcerpcd
Source Path                   samba-dcerpcd
Port                          <Unknown>
Host                          rhel8
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-117.el8_8.4.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-117.el8_8.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel8
Platform                      Linux rhel8 4.18.0-477.55.1.el8_8.x86_64 #1
                              SMP Thu Apr 4 09:26:55 EDT 2024 x86_64 x86_64
Alert Count                   2
First Seen                    2024-06-11 15:26:15 CDT
Last Seen                     2024-06-11 17:31:34 CDT
Local ID                      125fa088-9777-4032-895b-b81edc31bec0

Raw Audit Messages
type=AVC msg=audit(1718145094.662:141): avc:  denied  { ioctl } for
pid=2601 comm="samba-dcerpcd" path="/export/home/xxx/htdocs"
dev="dm-6" ino=268435584 scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=unconfined_u:object_r:public_content_rw_t:s0 tclass=dir

Hash: samba-dcerpcd,winbind_rpcd_t,public_content_rw_t,dir,ioctl
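
Added example, not part of the original post and not Samba or Red Hat code: a small parser that turns raw AVC denial lines into the five-field key shown on the Hash line above and into the allow rules a local module would have to contain, so the scope of the grant can be reviewed before a module is built with audit2allow. The function names are hypothetical, and the sample input is the record from the post re-joined onto one line plus one constructed non-AVC line.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the post on one line, as it would sit
# in the audit log, followed by a constructed non-AVC line that must be skipped.
SAMPLE_LOG = (
    'type=AVC msg=audit(1718145094.662:141): avc:  denied  { ioctl } for '
    'pid=2601 comm="samba-dcerpcd" path="/export/home/xxx/htdocs" '
    'dev="dm-6" ino=268435584 scontext=system_u:system_r:winbind_rpcd_t:s0 '
    'tcontext=unconfined_u:object_r:public_content_rw_t:s0 tclass=dir\n'
    'type=USER_START msg=audit(0.0:1): constructed non-AVC line\n'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line) if 'type=AVC' in line else None
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    src = rec.get('scontext', '').split(':')
    tgt = rec.get('tcontext', '').split(':')
    if len(src) < 3 or len(tgt) < 3 or 'tclass' not in rec:
        return None  # malformed or truncated record
    # A context is user:role:type[:level]; policy rules are written on the type.
    rec.update(perms=m.group('perms').split(), stype=src[2], ttype=tgt[2])
    return rec

def triage_key(rec):
    """Comma-joined key: command, source type, target type, class, permission(s)."""
    return ','.join([rec.get('comm', '?'), rec['stype'], rec['ttype'],
                     rec['tclass']] + rec['perms'])

def candidate_rules(log_text):
    """Merge all denials into the allow rules a local module would need."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {s} {t}:{c} {body};')
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE_LOG)))
```

Any rule listed this way applies to every object labelled with the target type, not only to the one path named in the denial.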
