Setting Samba Boolean. Recommended method?

Daniel J Walsh dwalsh at redhat.com
Mon Feb 2 18:45:21 UTC 2009



Richard Chapman wrote:
> Thanks Paul. Your observation that the problem is the ~/.spamassassin
> directory is very enlightening.
> Nonetheless - I imagine that in enforcing mode - I will get lots of
> errors - and possibly samba delays - so it probably still needs fixing.
> Can you suggest why I might have this problem - and how best to fix it?
> 
> Richard.
> 
> Paul Howarth wrote:
>> Richard Chapman wrote:
>>> I am running SElinux in permissive mode. I want to allow samba access
>>> to user home directories.
>>> At setroubleshooters suggestion (see below) - I did the following at
>>> a shell prompt:
>>>
>>> setsebool -P samba_enable_home_dirs=1
>>>
>>> This seemed to solve the problem. But after a reboot the denials are
>>> back. I assume the boolean is not carried across a reboot.
>>>
>>> If my assumption is correct - where is the recommended place to put the:
>>>
>>> setsebool -P samba_enable_home_dirs=1
>>>
>>> command?
>>> Should I create a local policy module and put it there - or is there
>>> some other recommended place? If anyone can point me to a recommended
>>> procedure ...
>>>
>>> Thanks
>>>
>>> Richard.
>>
>> You've done what you needed to do already - the -P option makes the
>> boolean persist across reboots.
>>
>>> Summary:
>>>
>>> SELinux is preventing the samba daemon from reading users' home
>>> directories.
>>
>> This summary is actually slightly misleading in this case.
>>
>>> Detailed Description:
>>>
>>> [SELinux is in permissive mode, the operation would have been denied
>>> but was
>>> permitted due to permissive mode.]
>>>
>>> SELinux has denied the samba daemon access to users' home
>>> directories. Someone
>>> is attempting to access your home directories via your samba daemon.
>>> If you only
>>> setup samba to share non-home directories, this probably signals a
>>> intrusion
>>> attempt. For more information on SELinux integration with samba, look
>>> at the
>>> samba_selinux man page. (man samba_selinux)
>>>
>>> Allowing Access:
>>>
>>> If you want samba to share home directories you need to turn on the
>>> samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
>>>
>>> The following command will allow this access:
>>>
>>> setsebool -P samba_enable_home_dirs=1
>>>
>>> Additional Information:
>>>
>>> Source Context                system_u:system_r:smbd_t
>>> Target Context                user_u:object_r:spamassassin_home_t
>>> Target Objects                ./.spamassassin [ dir ]
>>> Source                        smbd
>>> Source Path                   /usr/sbin/smbd
>>> Port                          <Unknown>
>>> Host                          C5.aardvark.com.au
>>> Source RPM Packages           samba-3.0.28-1.el5_2.1
>>> Target RPM Packages
>>> Policy RPM                    selinux-policy-2.4.6-203.el5
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> MLS Enabled                   True
>>> Enforcing Mode                Permissive
>>> Plugin Name                   samba_enable_home_dirs
>>> Host Name                     C5.aardvark.com.au
>>> Platform                      Linux C5.aardvark.com.au
>>> 2.6.18-92.1.22.el5 #1 SMP
>>>                              Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
>>> Alert Count                   2
>>> First Seen                    Tue 13 Jan 2009 10:59:19 PM WST
>>> Last Seen                     Tue 13 Jan 2009 10:59:23 PM WST
>>> Local ID                      70f6525d-ce9d-40a4-a558-c3db06781ae9
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
>>> avc:  denied  { search } for  pid=8841 comm="smbd"
>>> name=".spamassassin" dev=dm-0 ino=26155019
>>> scontext=system_u:system_r:smbd_t:s0
>>> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>>>
>>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
>>> avc:  denied  { search } for  pid=8841 comm="smbd"
>>> name=".spamassassin" dev=dm-0 ino=26155019
>>> scontext=system_u:system_r:smbd_t:s0
>>> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>>>
>>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
>>> avc:  denied  { getattr } for  pid=8841 comm="smbd"
>>> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415
>>> scontext=system_u:system_r:smbd_t:s0
>>> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>>>
>>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
>>> avc:  denied  { getattr } for  pid=8841 comm="smbd"
>>> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415
>>> scontext=system_u:system_r:smbd_t:s0
>>> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>>>
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624):
>>> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0
>>> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510
>>> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501
>>> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd"
>>> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
>>>
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624):
>>> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0
>>> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510
>>> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501
>>> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd"
>>> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
>>
>> These denials are all for the ~/.spamassassin directory and its
>> contents, not the home directory in general. Browsing the majority of
>> the home directory would work just fine in enforcing mode.
>>
>> Paul.
>>
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This is a bug in policy.

Samba should be able to read all content in the home directory.

Really need a new interface designed.
#######################################
## <summary>
##	Manage any content in the home directory
## </summary>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_home_content',`
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	files_list_home($1)
	manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
')

And

tunable_policy(`samba_enable_home_dirs',`
	userdom_manage_home_content(smbd_t)
')

I have added this to rawhide, please open a bugzilla for this in F10.
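An added example, not code from the thread or from the policy project: a small Python helper that parses raw AVC records like the ones quoted above and groups the denials by source type, target type, object class and permission, which is how you would confirm Paul's point that every denial is on spamassassin_home_t rather than on the home directory in general. The sample records are the ones from this thread re-joined onto single lines; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: the AVC and SYSCALL records quoted in the thread, re-joined.
SAMPLE_AUDIT = """\
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  denied  { getattr } for  pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  denied  { getattr } for  pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): arch=c000003e syscall=4 success=yes exit=0 pid=8841 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
TARGET_RE = re.compile(r'(?:path|name)="([^"]*)"')


def selinux_type(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record; returns None for non-AVC records such as SYSCALL."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    target = TARGET_RE.search(line)
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "target": target.group(1) if target else None,
    }


def summarize(audit_text):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def target_types(audit_text):
    """Target types denied: user_home_t/user_home_dir_t means the home dir itself."""
    return {key[1] for key in summarize(audit_text)}
```

Feed it `ausearch -m AVC --raw` output instead of the sample to triage a live host; a result set containing only one application's `*_home_t` type means a boolean or policy gap for that type, not for home directories as a whole.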




