Bug 1217194 - [MicroOS] CIFS mount blocked by SELinux
Summary: [MicroOS] CIFS mount blocked by SELinux
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Version: Current
Hardware: Hyper-V openSUSE Tumbleweed
Importance: P5 - None : Major
Target Milestone: ---
Assignee: Cathy Hu
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-15 15:22 UTC by Martin Ullrich
Modified: 2023-12-08 10:41 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Martin Ullrich 2023-11-15 15:22:15 UTC
Beginning Nov 15th 2023, after a scheduled update, mounting CIFS shares no longer works (in our case done by Kubernetes / SMB CSI, but reproducible with the standard mount command; it had worked for over a year):

```
# mount -t cifs -o dir_mode=0777,file_mode=0777,uid=1001,gid=1001,username=...,password=... //REPLACED.DOMAIN.EXT/REPLACED-DIR mnttest
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
```

dmesg:
> [31426.872438] CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3.1.1 (or even SMB3 or SMB2.1) specify vers=1.0 on mount.
> [31426.872441] CIFS: Attempting to mount //REPLACED.DOMAIN.EXT/REPLACED-DIR
> [31426.874497] CIFS: VFS: cifs_mount failed w/return code = -126

Mounting succeeds once SELinux enforcement is disabled with `setenforce 0`, or by changing the corresponding /etc/selinux/config setting and rebooting.

I was looking around the audit logs to come up with a policy that could unblock using CIFS while keeping SELinux enforcement enabled, but with limited success:

```
# ausearch -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
time->Wed Nov 15 13:15:13 2023
type=AVC msg=audit(1700054113.234:686): avc:  denied  { view } for  pid=23636 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
time->Wed Nov 15 13:15:13 2023
type=AVC msg=audit(1700054113.234:687): avc:  denied  { view } for  pid=23636 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
time->Wed Nov 15 13:15:13 2023
type=AVC msg=audit(1700054113.234:688): avc:  denied  { read } for  pid=23636 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
time->Wed Nov 15 13:15:13 2023
type=AVC msg=audit(1700054113.234:689): avc:  denied  { read } for  pid=23636 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
time->Wed Nov 15 13:15:13 2023
type=AVC msg=audit(1700054113.234:690): avc:  denied  { execute_no_trans } for  pid=23636 comm="request-key" path="/usr/sbin/key.dns_resolver" dev="sda3" ino=441450 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
----
time->Wed Nov 15 13:15:13 2023
type=AVC msg=audit(1700054113.234:691): avc:  denied  { create } for  pid=23636 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=unix_dgram_socket permissive=0
```

Using `audit2allow` on `ausearch` results or with the `-a` option generated the following module te file:

```
module cifs-fix 1.0;

require {
        type kernel_t;
        type init_var_run_t;
        type syslogd_var_run_t;
        type net_conf_t;
        type devlog_t;
        type bin_t;
        type kernel_generic_helper_t;
        class key { read setattr view };
        class unix_dgram_socket { connect create sendto };
        class file { execute_no_trans getattr open read };
        class udp_socket { connect create getattr setopt };
        class lnk_file read;
        class dir search;
        class sock_file write;
}

#============= kernel_generic_helper_t ==============
allow kernel_generic_helper_t bin_t:file execute_no_trans;
allow kernel_generic_helper_t devlog_t:lnk_file read;
allow kernel_generic_helper_t devlog_t:sock_file write;
allow kernel_generic_helper_t init_var_run_t:dir search;
allow kernel_generic_helper_t kernel_t:key { read setattr view };
allow kernel_generic_helper_t kernel_t:unix_dgram_socket sendto;
allow kernel_generic_helper_t net_conf_t:dir search;
allow kernel_generic_helper_t net_conf_t:file { getattr open read };
allow kernel_generic_helper_t net_conf_t:lnk_file read;
allow kernel_generic_helper_t self:udp_socket { connect create getattr setopt };
allow kernel_generic_helper_t self:unix_dgram_socket { connect create };
allow kernel_generic_helper_t syslogd_var_run_t:dir search;
```

After applying the module built by `audit2allow`, the error changes to:

```
# mount -t cifs -o dir_mode=0777,file_mode=0777,uid=1001,gid=1001,username=...,password=... //REPLACED.DOMAIN.EXT/REPLACED-DIR mnttest
mount error(4): Interrupted system call
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
```

I do not know how to debug this further (nothing shows up in default audit logs).

```
# zypper search -is selinux
Loading repository data...
Reading installed packages...

S  | Name                     | Type    | Version      | Arch   | Repository
---+--------------------------+---------+--------------+--------+------------------------
i  | container-selinux        | package | 2.222.0-1.2  | noarch | openSUSE-Tumbleweed-Oss
i  | libselinux1              | package | 3.5-5.2      | x86_64 | openSUSE-Tumbleweed-Oss
i  | microos_selinux          | pattern | 5.0-80.2     | x86_64 | (System Packages)
i+ | patterns-microos-selinux | package | 5.0-80.2     | x86_64 | (System Packages)
i  | python311-selinux        | package | 3.5-5.2      | x86_64 | openSUSE-Tumbleweed-Oss
i  | selinux-policy           | package | 20231030-1.1 | noarch | openSUSE-Tumbleweed-Oss
i  | selinux-policy-targeted  | package | 20231030-1.1 | noarch | openSUSE-Tumbleweed-Oss
i  | selinux-tools            | package | 3.5-5.2      | x86_64 | openSUSE-Tumbleweed-Oss

# cat /etc/os-release 
NAME="openSUSE MicroOS"
# VERSION="20231110"
ID="opensuse-microos"
ID_LIKE="suse opensuse opensuse-tumbleweed"
VERSION_ID="20231110"
PRETTY_NAME="openSUSE MicroOS"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:microos:20231110"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:MicroOS"
LOGO="distributor-logo-MicroOS"
```
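The report shows the raw material (`ausearch` AVC records) and the `audit2allow` output, but not the step in between. The following is an added example, not code from the bug report or from the selinux-policy project: a small Python script that does by hand what `audit2allow -M` does, so the mapping from one denial record to one `allow` rule is visible, and then applies a review heuristic to the generated rules. The sample audit lines are constructed from the records quoted above (one duplicate dropped, one non-AVC line added to show it is ignored); `review_rules` and its heuristic are this example's own, not part of any SELinux tool.

```python
"""Turn SELinux AVC denial records into the allow rules audit2allow would emit.

Added example for the bug report above; not code from the report or from
selinux-policy.  Sample input is constructed from the records the reporter
quoted.
"""
import re
from collections import defaultdict

# Constructed sample: three of the reporter's AVC records plus one SYSCALL line.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700054113.234:686): arch=c000003e syscall=59 success=no exit=-13 comm="request-key"
type=AVC msg=audit(1700054113.234:686): avc:  denied  { view } for  pid=23636 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
type=AVC msg=audit(1700054113.234:688): avc:  denied  { read } for  pid=23636 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
type=AVC msg=audit(1700054113.234:690): avc:  denied  { execute_no_trans } for  pid=23636 comm="request-key" path="/usr/sbin/key.dns_resolver" dev="sda3" ino=441450 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700054113.234:691): avc:  denied  { create } for  pid=23636 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=unix_dgram_socket permissive=0
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the pieces of one AVC denial, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        return {
            'perms': frozenset(m.group('perms').split()),
            # user:role:type:level -> the type is what policy rules are written against
            'source': fields['scontext'].split(':')[2],
            'target': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'path': fields.get('path'),
        }
    except (KeyError, IndexError):
        return None  # malformed record: context or class missing


def merge_denials(lines):
    """Collapse many records into one permission set per (source, target, class)."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        # A domain acting on its own objects is written as "self" in policy.
        target = 'self' if rec['target'] == rec['source'] else rec['target']
        merged[(rec['source'], target, rec['tclass'])] |= rec['perms']
    return dict(merged)


def fmt_perms(perms):
    words = ' '.join(sorted(perms))
    return words if len(perms) == 1 else '{ %s }' % words


def allow_rules(merged):
    return ['allow %s %s:%s %s;' % (s, t, c, fmt_perms(p))
            for (s, t, c), p in sorted(merged.items())]


def render_module(name, lines, version='1.0'):
    """Emit a complete .te module in the layout audit2allow -M produces."""
    merged = merge_denials(lines)
    types, classes = set(), defaultdict(set)
    for (s, t, c), p in merged.items():
        types.add(s)
        if t != 'self':
            types.add(t)
        classes[c] |= p
    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in sorted(types)]
    out += ['\tclass %s %s;' % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ['}', ''] + allow_rules(merged)
    return '\n'.join(out) + '\n'


def review_rules(merged):
    """Heuristic of this example: flag rules that widen a domain instead of fixing it.

    execute_no_trans lets the caller run a binary while staying in its own
    domain; for a kernel helper that usually means a missing domain transition.
    """
    findings = []
    for (s, t, c), p in sorted(merged.items()):
        if c == 'file' and 'execute_no_trans' in p:
            findings.append('%s executes %s files without a domain transition' % (s, t))
    return findings


if __name__ == '__main__':
    lines = SAMPLE_AUDIT.splitlines()
    print(render_module('cifs-fix', lines))
    for finding in review_rules(merge_denials(lines)):
        print('REVIEW:', finding)
```

Two practical notes on using this. First, the generated module is a diagnostic, not a fix to ship: it tells you which domain is missing which access, and the `execute_no_trans` rule is the one a reviewer should question, since the distribution policy is expected to provide the right domain for the helper rather than let `kernel_generic_helper_t` run arbitrary `bin_t` binaries. Second, when a failure persists after the visible denials are allowed and "nothing shows up in default audit logs", the remaining denials are often covered by `dontaudit` rules; `semodule -DB` rebuilds the policy with those rules disabled so the hidden denials appear in the audit log, and `semodule -B` restores the normal build afterwards.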
Comment 1 Cathy Hu 2023-11-22 14:08:32 UTC
I queued an update to fix this issue. Please check if this fixes your issue by
either
- waiting for the update to be released (aka this will be in state accepted and you can see an update on your system): https://build.opensuse.org/request/show/1128144
- or testing using the staging project here: https://build.opensuse.org/project/show/security:SELinux

Either way, please let me know if the issue still persists or anything else comes up. Thanks a lot for your report!
Comment 2 Cathy Hu 2023-12-08 10:41:44 UTC
Closing as done; please reopen if you still encounter the issue.