Samba AVC
Daniel J Walsh
dwalsh at redhat.com
Wed Sep 30 17:32:21 UTC 2009
On 09/30/2009 08:37 AM, yersinia wrote:
> On Wed, Sep 30, 2009 at 2:17 PM, Tony Molloy <tony.molloy at ul.ie> wrote:
>
>> On Wednesday 30 September 2009 12:18:17 Dominick Grift wrote:
>>> On Wed, Sep 30, 2009 at 10:15:14AM +0100, Tony Molloy wrote:
>>>> Hi,
>>>>
>>>> This is CentOS 5.3, fully updated.
>>>>
>>>> I'm getting the following error from setroubleshoot
>>>>
>>>> SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old
>>>> (samba_log_t).
>>>>
>>>> when samba tries to rotate the log files.
>>>>
>>>> Running sealert I get the following ( edited )
>>>>
>>>> Summary:
>>>>
>>>> SELinux is preventing samba (smbd) "unlink" to ./log.cs244-24.old
>>>> (samba_log_t).
>>>>
>>>> Detailed Description:
>>>>
>>>> SELinux denied samba access to ./log.cs244-24.old. If you want to share
>>>> this directory with samba it has to have a file context label of
>>>> samba_share_t. If ^^^^^^^^^^^^^
>>>> you did not intend to use ./log.cs244-24.old as a samba repository it
>>>> could indicate either a bug or it could signal a intrusion attempt.
>>>>
>>>> Allowing Access:
>>>>
>>>> You can alter the file context by executing chcon -R -t samba_share_t
>>>> './log.cs244-24.old' You must also change the default file context files
>>>> on the system in order to preserve them even on a full relabel. "semanage
>>>> fcontext -a -t samba_share_t './log.cs244-24.old'"
>>>>
>>>> The following command will allow this access:
>>>>
>>>> chcon -R -t samba_share_t './log.cs244-24.old'
>>>>
>>>> Additional Information:
>>>>
>>>> Source Context root:system_r:smbd_t
>>>> Target Context root:object_r:samba_log_t
>>>> Target Objects ./log.cs244-24.old [ file ]
>>>> Source smbd
>>>> Source Path /usr/sbin/smbd
>>>> Port <Unknown>
>>>> Host janus.x.y.z
>>>> Source RPM Packages samba-3.0.33-3.7.el5_3.1
>>>> Target RPM Packages
>>>> Policy RPM selinux-policy-2.4.6-203.el5
>>>> Selinux Enabled True
>>>> Policy Type targeted
>>>> MLS Enabled True
>>>> Enforcing Mode Enforcing
>>>> Plugin Name samba_share
>>>> Host Name janus.x.y.z
>>>> Platform Linux janus.x.y.z 2.6.18-128.7.1.el5 #1 SMP
>>>> Mon Aug 24 08:21:56 EDT 2009 x86_64 x86_64
>>>> Alert Count 53
>>>> First Seen Fri Sep 25 15:54:24 2009
>>>> Last Seen Tue Sep 29 15:55:25 2009
>>>> Local ID e4426abc-3b0b-4df2-a380-3f0fba344c63
>>>> Line Numbers
>>>>
>>>> Raw Audit Messages
>>>>
>>>> host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied
>>>> { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5
>>>> ino=164076 scontext=root:system_r:smbd_t:s0
>>>> tcontext=root:object_r:samba_log_t:s0 tclass=file
>>>>
>>>> host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641):
>>>> arch=c000003e syscall=82 success=no exit=-13 a0=2b1b457b5220
>>>> a1=7fffa9a7ba90 a2=1f a3=0 items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0
>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1675
>>>> comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
>>>>
>>>>
>>>> log.cs244-24.old is a file, not a directory, and it's located in
>>>> the /var/log/samba directory with permissions
>>>> system_u:object_r:samba_log_t samba
>>>>
>>>> Any ideas,
>>>
>>> Looks like a valid bug in selinux-policy to me:
>>>
>>> echo 'avc: denied { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file' | audit2allow -M mysmbd
>>> /usr/sbin/semodule -i mysmbd.pp
>>>
>>> Should grant this particular access vector.
>>>
>>
>> Thanks I generated local policy to allow it.
>>
>> In origin, what is the result of this? In my system
>
> sesearch -s smbd_t -c file --allow | grep samba_log_t
> allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };
> allow smbd_t samba_log_t : file { ioctl read getattr lock };
> allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };
>
> Because I have no problem, and in fact unlink is allowed.
>
> Are you sure you have selinux-policy-targeted installed?
>
> Regards
>
>
>> Regards,
>>
>> Tony
>>>> Tony
>>>>
>>>> --
>>>>
>>>> Dept. of Comp. Sci.
>>>> University of Limerick.
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This is definitely fixed in 5.4 policy.
5.5 policy is now previewing at http://people.redhat.com/dwalsh/SELinux/RHEL5
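The two steps the thread walks through, Dominick's audit2allow -M module built from the raw AVC and yersinia's sesearch check of what the loaded policy already grants, as an added shell example. This is not code from the list posts or from the selinux-policy project; the function names, the temp directory, and the single-line copies of the AVC and sesearch rule are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: parse a raw AVC denial into the
# type-enforcement (.te) source that "audit2allow -M" would generate for it,
# and check a sesearch-style allow rule for a permission before loading
# anything. Function names and the sample lines below are this example's own.
set -eu

# Constructed sample: the denial and one sesearch allow rule from the thread,
# each joined back onto a single line.
AVC='type=AVC msg=audit(1254236125.438:70641): avc: denied { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file'
RULE='allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };'

# avc_field KEY LINE: value of the whitespace-delimited KEY=value field.
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the permission names inside "denied { ... }", space separated.
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' \
    | tr -s ' ' | sed 's/^ //; s/ $//'
}

# context_type CONTEXT: the type field of user:role:type[:range].
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te MODULE LINE: print a loadable-module source granting exactly the
# denied vector (source type, target type, class and permissions of the AVC).
avc_to_te() {
  local mod=$1 line=$2 stype ttype tclass perms
  stype=$(context_type "$(avc_field scontext "$line")")
  ttype=$(context_type "$(avc_field tcontext "$line")")
  tclass=$(avc_field tclass "$line")
  perms=$(avc_perms "$line")
  printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
    "$mod" "$stype" "$ttype" "$tclass" "$perms" "$stype" "$ttype" "$tclass" "$perms"
}

# rule_allows RULE PERM: true if a sesearch "allow s t : c { ... };" line
# lists PERM. If the loaded policy already allows the vector, a local module
# is the wrong fix and the denial needs another explanation.
rule_allows() {
  local p perms
  perms=$(printf '%s\n' "$1" | sed -n 's/.*{\([^}]*\)}.*/\1/p')
  for p in $perms; do
    [ "$p" = "$2" ] && return 0
  done
  return 1
}

# build_module MODULE LINE DIR: write DIR/MODULE.te and, when the policy
# tools are installed, compile it the way audit2allow -M does. Loading is
# left to the administrator (semodule -i DIR/MODULE.pp).
build_module() {
  local mod=$1 line=$2 dir=$3
  avc_to_te "$mod" "$line" > "$dir/$mod.te"
  if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
    checkmodule -M -m -o "$dir/$mod.mod" "$dir/$mod.te"
    semodule_package -o "$dir/$mod.pp" -m "$dir/$mod.mod"
    echo "built $dir/$mod.pp; load with: semodule -i $dir/$mod.pp"
  else
    echo "checkmodule/semodule_package not installed; wrote $dir/$mod.te only"
  fi
}

# Demo: what the module would contain, and whether the sample policy already
# grants the permission that was denied.
avc_to_te mysmbd "$AVC"
if rule_allows "$RULE" "$(avc_perms "$AVC")"; then
  echo "policy already allows this vector; check the installed policy package instead"
else
  echo "vector not in policy; a local module is the workaround"
fi
workdir=$(mktemp -d)
build_module mysmbd "$AVC" "$workdir"
```

Run the sesearch check on the affected host before loading anything: if the installed policy already lists unlink for smbd_t on samba_log_t, as yersinia's output does, the module adds nothing and the denial points at a different policy package or version. A local module built this way is a workaround for a policy bug, not a fix; once the corrected selinux-policy is installed, remove it with semodule -r mysmbd so the extra allow rule does not outlive the bug it covered.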