Samba AVC

Tony Molloy tony.molloy at ul.ie
Wed Sep 30 09:15:14 UTC 2009


Hi,

This is CentOS 5.3 fully updated.

I'm getting the following error from setroubleshoot

    SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old
    (samba_log_t).

when samba tries to rotate the log files.

Running sealert I get the following (edited)

Summary:

SELinux is preventing samba (smbd) "unlink" to ./log.cs244-24.old 
(samba_log_t).

Detailed Description:

SELinux denied samba access to ./log.cs244-24.old. If you want to share this
directory with samba it has to have a file context label of samba_share_t. If
^^^^^^^^^^^^^
you did not intend to use ./log.cs244-24.old as a samba repository it could
indicate either a bug or it could signal a intrusion attempt.

Allowing Access:

You can alter the file context by executing chcon -R -t samba_share_t
'./log.cs244-24.old' You must also change the default file context files on the
system in order to preserve them even on a full relabel. "semanage fcontext -a
-t samba_share_t './log.cs244-24.old'"

The following command will allow this access:

chcon -R -t samba_share_t './log.cs244-24.old'

Additional Information:

Source Context                root:system_r:smbd_t
Target Context                root:object_r:samba_log_t
Target Objects                ./log.cs244-24.old [ file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          janus.x.y.z
Source RPM Packages           samba-3.0.33-3.7.el5_3.1
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   samba_share
Host Name                     janus.x.y.z
Platform                      Linux janus.x.y.z 2.6.18-128.7.1.el5 #1 SMP
                              Mon Aug 24 08:21:56 EDT 2009 x86_64 x86_64
Alert Count                   53
First Seen                    Fri Sep 25 15:54:24 2009
Last Seen                     Tue Sep 29 15:55:25 2009
Local ID                      e4426abc-3b0b-4df2-a380-3f0fba344c63
Line Numbers                  

Raw Audit Messages            

host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc:  denied  { unlink } for  pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file

host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641): arch=c000003e syscall=82 success=no exit=-13 a0=2b1b457b5220 a1=7fffa9a7ba90 a2=1f a3=0 items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1675 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)


log.cs244-24.old is a file not a directory and it's located in 
the /var/log/samba directory with permissions
       system_u:object_r:samba_log_t    samba

Any ideas?

Tony

-- 

Dept. of Comp. Sci.
University of Limerick.




More information about the fedora-selinux-list mailing list
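
Added example, not part of the original post: a short Python sketch that correlates the AVC and SYSCALL records quoted in the message by audit event ID and reduces them to the type-enforcement rule the denial corresponds to. The function names are illustrative and the syscall table is a constructed two-entry subset for arch c000003e (x86_64); on these records it shows the failing call is rename (syscall 82) returning EACCES, which fits log rotation replacing an existing .old file.

```python
import errno
import re

# The two audit records quoted in the post, each rejoined onto one line.
RECORDS = [
    'host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc:  denied  { unlink } for  pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file',
    'host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641): arch=c000003e syscall=82 success=no exit=-13 a0=2b1b457b5220 a1=7fffa9a7ba90 a2=1f a3=0 items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1675 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)',
]
# Constructed two-entry subset of the x86_64 (arch=c000003e) syscall table.
X86_64_SYSCALLS = {82: "rename", 87: "unlink"}


def fields(record):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}


def event_id(record):
    """Return 'timestamp:serial', shared by all records of one audit event."""
    return re.search(r"msg=audit\(([\d.]+:\d+)\)", record).group(1)


def explain(records):
    """Correlate AVC and SYSCALL records by event id; summarise each denial."""
    events = {}
    for rec in records:
        events.setdefault(event_id(rec), {})[fields(rec)["type"]] = rec
    out = []
    for eid, recs in events.items():
        if "AVC" not in recs:
            continue
        avc = fields(recs["AVC"])
        perms = re.search(r"\{([^}]*)\}", recs["AVC"]).group(1).split()
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        item = {"event": eid,
                # Rule the loaded policy lacks, in the form audit2allow prints.
                "missing_rule": f"allow {src} {tgt}:{avc['tclass']} {perm};"}
        sc = fields(recs.get("SYSCALL", ""))
        if sc.get("arch") == "c000003e":
            item["syscall"] = X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"])
            item["errno"] = errno.errorcode.get(-int(sc["exit"]), sc["exit"])
        out.append(item)
    return out


if __name__ == "__main__":
    for item in explain(RECORDS):
        print(item)
```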