<div class="gmail_quote">On Wed, Sep 30, 2009 at 2:17 PM, Tony Molloy <span dir="ltr"><<a href="mailto:tony.molloy@ul.ie">tony.molloy@ul.ie</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="h5">On Wednesday 30 September 2009 12:18:17 Dominick Grift wrote:<br>
> On Wed, Sep 30, 2009 at 10:15:14AM +0100, Tony Molloy wrote:<br>
> > Hi,<br>
> ><br>
> > This is Centos 5.3 fully updated.<br>
> ><br>
> > Im getting the following error from setroubleshoot<br>
> ><br>
> > SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old<br>
> > (samba_log_t).<br>
> ><br>
> > when samba tries to rotate the log files.<br>
> ><br>
> > Running sealert I get the following ( edited )<br>
> ><br>
> > Summary:<br>
> ><br>
> > SELinux is preventing samba (smbd) "unlink" to ./log.cs244-24.old<br>
> > (samba_log_t).<br>
> ><br>
> > Detailed Description:<br>
> ><br>
> > SELinux denied samba access to ./log.cs244-24.old. If you want to share<br>
> > this directory with samba it has to have a file context label of<br>
> > samba_share_t. If ^^^^^^^^^^^^^<br>
> > you did not intend to use ./log.cs244-24.old as a samba repository it<br>
> > could indicate either a bug or it could signal a intrusion attempt.<br>
> ><br>
> > Allowing Access:<br>
> ><br>
> > You can alter the file context by executing chcon -R -t samba_share_t<br>
> > './log.cs244-24.old' You must also change the default file context files<br>
> > on the<br>
> > system in order to preserve them even on a full relabel. "semanage<br>
> > fcontext -a -t samba_share_t './log.cs244-24.old'"<br>
> ><br>
> > The following command will allow this access:<br>
> ><br>
> > chcon -R -t samba_share_t './log.cs244-24.old'<br>
> ><br>
> > Additional Information:<br>
> ><br>
> > Source Context root:system_r:smbd_t<br>
> > Target Context root:object_r:samba_log_t<br>
> > Target Objects ./log.cs244-24.old [ file ]<br>
> > Source smbd<br>
> > Source Path /usr/sbin/smbd<br>
> > Port <Unknown><br>
> > Host janus.x.y.z<br>
> > Source RPM Packages samba-3.0.33-3.7.el5_3.1<br>
> > Target RPM Packages<br>
> > Policy RPM selinux-policy-2.4.6-203.el5<br>
> > Selinux Enabled True<br>
> > Policy Type targeted<br>
> > MLS Enabled True<br>
> > Enforcing Mode Enforcing<br>
> > Plugin Name samba_share<br>
> > Host Name janus.x.y.z<br>
> > Platform Linux janus.x.y.z 2.6.18-128.7.1.el5 #1 SMP<br>
> > Mon Aug 24 08:21:56 EDT 2009 x86_64 x86_64<br>
> > Alert Count 53<br>
> > First Seen Fri Sep 25 15:54:24 2009<br>
> > Last Seen Tue Sep 29 15:55:25 2009<br>
> > Local ID e4426abc-3b0b-4df2-a380-3f0fba344c63<br>
> > Line Numbers<br>
> ><br>
> > Raw Audit Messages<br>
> ><br>
> > host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied<br>
> > { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5<br>
> > ino=164076 scontext=root:system_r:smbd_t:s0<br>
> > tcontext=root:object_r:samba_log_t:s0 tclass=file<br>
> ><br>
> > host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641):<br>
> > arch=c000003e syscall=82 success=no exit=-13 a0=2b1b457b5220<br>
> > a1=7fffa9a7ba90 a2=1f a3=0 items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0<br>
> > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1675<br>
> > comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)<br>
> ><br>
> ><br>
> > log.cs244-24.old is a file not a directory and it's located in<br>
> > the /var/log/samba directory with permissions<br>
> > system_u:object_r:samba_log_t samba<br>
> ><br>
> > Any ideas,<br>
><br>
> Looks like a valid bug in selinux-policy to me:<br>
><br>
> echo "avc: denied {<br>
> unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5<br>
> ino=164076 scontext=root:system_r:smbd_t:s0<br>
> tcontext=root:object_r:samba_log_t:s0 tclass=file" | audit2allow -M mysmbd;<br>
> /usr/sbin/semodule -i mysmbd.pp<br>
><br>
> Should grant this particular access vector.<br>
><br>
<br>
</div></div>Thanks I generated local policy to allow it.<br>
<br></blockquote><div>In origin what is the result of this. In my system <br><br>sesearch -s smbd_t -c file --allow | grep samba_log_t<br> allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };<br>
allow smbd_t samba_log_t : file { ioctl read getattr lock };<br> allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };<br><br>Because i have no problem and in fact unlink is allowed.<br>
<br>Are you sure to have selinux-policy-targeted installed ?<br><br>Regards<br> <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Regards,<br>
<font color="#888888"><br>
Tony<br>
</font><div><div></div><div class="h5">> > Tony<br>
> ><br>
> > --<br>
> ><br>
> > Dept. of Comp. Sci.<br>
> > University of Limerick.<br>
> ><br>
> > --<br>
> > fedora-selinux-list mailing list<br>
> > <a href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a><br>
> > <a href="https://www.redhat.com/mailman/listinfo/fedora-selinux-list" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-selinux-list</a><br>
<br>
<br>
<br>
--<br>
<br>
Dept. of Comp. Sci.<br>
University of Limerick.<br>
<br>
--<br>
fedora-selinux-list mailing list<br>
<a href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/fedora-selinux-list" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-selinux-list</a><br>
</div></div></blockquote></div><br>