Setting Samba Boolean. Recommended method?
Daniel J Walsh
dwalsh at redhat.com
Mon Feb 2 18:45:21 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Richard Chapman wrote:
> Thanks Paul. Your observation that the problem is the ~/.spamassassin
> directory is very enlightening.
> Nonetheless - I imagine that in enforcing mode - I will get lots of
> errors - and possibly samba delays - so it probably still needs fixing.
> Can y0u suggest why I might have this problem - and how best to fix it?
>
> Richard.
>
> Paul Howarth wrote:
>> Richard Chapman wrote:
>>> I am running SElinux in permissive mode. I want to allow samba access
>>> to user home directories.
>>> At setroubleshooters suggestion (see below) - I did the following at
>>> a shell prompt:
>>>
>>> setsebool -P samba_enable_home_dirs=1
>>>
>>> This seemed to solve the problem. But after a reboot the denials are
>>> back. I assume the boolean is not carried across a reboot.
>>>
>>> If my assumption is correct - where is the recommended place to put the:
>>>
>>> setsebool -P samba_enable_home_dirs=1
>>>
>>> command?
>>> Should I create a local policy module and put it there - or is there
>>> some other recommended place? If anyone can point me to a recommended
>>> procedure ...
>>>
>>> Thanks
>>>
>>> Richard.
>>
>> You've done what you needed to do already - the -P option makes the
>> boolean persist across reboots.
>>
>>> Summary:
>>>
>>> SELinux is preventing the samba daemon from reading users' home
>>> directories.
>>
>> This summary is actually slightly misleading in this case.
>>
>>> Detailed Description:
>>>
>>> [SELinux is in permissive mode, the operation would have been denied
>>> but was
>>> permitted due to permissive mode.]
>>>
>>> SELinux has denied the samba daemon access to users' home
>>> directories. Someone
>>> is attempting to access your home directories via your samba daemon.
>>> If you only
>>> setup samba to share non-home directories, this probably signals a
>>> intrusion
>>> attempt. For more information on SELinux integration with samba, look
>>> at the
>>> samba_selinux man page. (man samba_selinux)
>>>
>>> Allowing Access:
>>>
>>> If you want samba to share home directories you need to turn on the
>>> samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
>>>
>>> The following command will allow this access:
>>>
>>> setsebool -P samba_enable_home_dirs=1
>>>
>>> Additional Information:
>>>
>>> Source Context system_u:system_r:smbd_t
>>> Target Context user_u:object_r:spamassassin_home_t
>>> Target Objects ./.spamassassin [ dir ]
>>> Source smbd
>>> Source Path /usr/sbin/smbd
>>> Port <Unknown>
>>> Host C5.aardvark.com.au
>>> Source RPM Packages samba-3.0.28-1.el5_2.1
>>> Target RPM Packages
>>> Policy RPM selinux-policy-2.4.6-203.el5
>>> Selinux Enabled True
>>> Policy Type targeted
>>> MLS Enabled True
>>> Enforcing Mode Permissive
>>> Plugin Name samba_enable_home_dirs
>>> Host Name C5.aardvark.com.au
>>> Platform Linux C5.aardvark.com.au
>>> 2.6.18-92.1.22.el5 #1 SMP
>>> Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
>>> Alert Count 2
>>> First Seen Tue 13 Jan 2009 10:59:19 PM WST
>>> Last Seen Tue 13 Jan 2009 10:59:23 PM WST
>>> Local ID 70f6525d-ce9d-40a4-a558-c3db06781ae9
>>> Line Numbers Raw Audit Messages
>>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
>>> avc: denied { search } for pid=8841 comm="smbd"
>>> name=".spamassassin" dev=dm-0 ino=26155019
>>> scontext=system_u:system_r:smbd_t:s0
>>> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>>>
>>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
>>> avc: denied { search } for pid=8841 comm="smbd"
>>> name=".spamassassin" dev=dm-0 ino=26155019
>>> scontext=system_u:system_r:smbd_t:s0
>>> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>>>
>>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
>>> avc: denied { getattr } for pid=8841 comm="smbd"
>>> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415
>>> scontext=system_u:system_r:smbd_t:s0
>>> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>>>
>>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
>>> avc: denied { getattr } for pid=8841 comm="smbd"
>>> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415
>>> scontext=system_u:system_r:smbd_t:s0
>>> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>>>
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624):
>>> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0
>>> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510
>>> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501
>>> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd"
>>> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
>>>
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624):
>>> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0
>>> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510
>>> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501
>>> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd"
>>> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
>>
>> These denials are all for the ~/.spamassassin directory and its
>> contents, not the home directory in general. Browsing the majority of
>> the home directory would work just fine in enforcing mode.
>>
>> Paul.
>>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This is a bug in policy.
Samba should be able to read all content in the home directory.
Really need a new interface designed.
#######################################
## <summary>
##	Manage any content in the home directory
## </summary>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_home_content',`
	gen_require(`
		# user_home_t is needed by the filetrans_pattern below
		type user_home_dir_t, user_home_t;
		attribute user_home_type;
	')

	files_list_home($1)
	manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
')
And

tunable_policy(`samba_enable_home_dirs',`
	userdom_manage_home_content(smbd_t)
')
I have added this to rawhide, please open a bugzilla for this in F10.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmHP0EACgkQrlYvE4MpobNWzACfS3xX+Nh5tofzMSnzl6j5sAng
Zv0AoL+9K5Qy9iui5wFT3YzqOaMnHaDj
=Wxbi
-----END PGP SIGNATURE-----
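Added example, not part of the thread and not code from the Fedora policy: a small Python triage script that works through the raw AVC records quoted above and shows why the boolean alone did not help. It extracts the source type, target type, object class and permission from each denial, collapses the duplicates setroubleshoot reported, and checks which target types a candidate allow rule would actually reach. The denials are on spamassassin_home_t, so a rule written over user_home_t alone misses them, while a rule over the user_home_type attribute (as in the interface above) covers them. The attribute membership map in the script is constructed for the example; on a real system list the attribute's members with seinfo (setools 4 syntax: seinfo -a user_home_type -x) instead of trusting this map.

```python
import re
from collections import Counter

# AVC records copied from the setroubleshoot report quoted in the thread
# (the duplicates are as reported; the SYSCALL record shows that non-AVC
# records are skipped). Wrapped lines have been joined into single records.
SAMPLE_AUDIT = """\
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { search } for pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { search } for pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { getattr } for pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { getattr } for pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
"""

# CONSTRUCTED for this example: which concrete types carry the user_home_type
# attribute. Verify against the installed policy with seinfo before relying on it.
CONSTRUCTED_ATTRIBUTE_MAP = {
    "user_home_type": {"user_home_t", "spamassassin_home_t"},
}

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Extract (source type, target type, object class, permission) tuples from raw audit text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL, CWD, PATH ... records carry no denial by themselves
            continue
        for perm in m.group("perms").split():  # one AVC record may list several permissions
            denials.append((selinux_type(m.group("scontext")),
                            selinux_type(m.group("tcontext")),
                            m.group("tclass"), perm))
    return denials


def summarize(denials):
    """Collapse repeated denials into a count per (stype, ttype, tclass, perm)."""
    return Counter(denials)


def expand(names, attribute_map):
    """Resolve a set of type or attribute names into concrete types."""
    concrete = set()
    for name in names:
        concrete.update(attribute_map.get(name, {name}))
    return concrete


def uncovered_targets(denials, rule_targets, attribute_map):
    """Target types seen in the denials that a rule over `rule_targets` would not reach."""
    covered = expand(rule_targets, attribute_map)
    return {ttype for (_, ttype, _, _) in denials if ttype not in covered}


def audit2allow_style(denials):
    """Render minimal allow rules, one per (stype, ttype, tclass), merging permissions."""
    perms = {}
    for stype, ttype, tclass, perm in denials:
        perms.setdefault((stype, ttype, tclass), set()).add(perm)
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        body = " ".join(sorted(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT)
    for key, n in summarize(denials).items():
        print(n, key)
    print("not reached by a user_home_t-only rule:",
          uncovered_targets(denials, {"user_home_dir_t", "user_home_t"}, CONSTRUCTED_ATTRIBUTE_MAP))
    print("not reached by the user_home_type attribute rule:",
          uncovered_targets(denials, {"user_home_dir_t", "user_home_type"}, CONSTRUCTED_ATTRIBUTE_MAP))
    for rule in audit2allow_style(denials):
        print(rule)
```

The audit2allow-style rules at the end are a triage aid for reading the denial, not a recommendation to load them as a local module: as the thread concludes, the right fix is the attribute-based interface in the distribution policy, so that every type marked as home content is covered rather than just the one that happened to show up in the log.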