Samba log files have wrong context?

Daniel J Walsh dwalsh at redhat.com
Mon Jun 4 18:39:04 UTC 2007


Bob Kashani wrote:
> SELinux keeps complaining that the file contexts for log files
> in /var/log/samba are wrong. All of the files are labeled samba_log_t
> but it seems to want samba_share_t, is this correct?
>
> This is what selinux troubleshooter reports:
>
> Summary
>     SELinux is preventing samba (/usr/sbin/smbd) "append" to log.chaucer
>     (samba_log_t).
>
> Detailed Description
>     SELinux denied samba access to log.chaucer. If you want to share this
>     directory with samba it has to have a file context label of samba_share_t.
>     If you did not intend to use log.chaucer as a samba repository it could
>     indicate either a bug or it could signal a intrusion attempt.
>
> Allowing Access
>     You can alter the file context by executing chcon -R -t samba_share_t
>     log.chaucer
>
>     The following command will allow this access:
>     chcon -R -t samba_share_t log.chaucer
>
> Additional Information        
>
> Source Context                system_u:system_r:smbd_t
> Target Context                system_u:object_r:samba_log_t
> Target Objects                log.chaucer [ file ]
> Affected RPM Packages         samba-3.0.25-2.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-8.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.samba_share
> Host Name                     chaucer
> Platform                      Linux chaucer 2.6.21-1.3194.fc7 #1 SMP Wed May 23
>                               22:35:01 EDT 2007 i686 athlon
> Alert Count                   3
> First Seen                    Sun 03 Jun 2007 04:50:41 PM PDT
> Last Seen                     Sun 03 Jun 2007 04:50:41 PM PDT
> Local ID                      ef44bd9c-87aa-4898-9c3d-bb0a3def2ade
> Line Numbers                  
>
> Raw Audit Messages            
>
> avc: denied { append } for comm="smbd" dev=sda2 egid=0 euid=0
> exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
> name="log.chaucer"
> pid=2945 scontext=system_u:system_r:smbd_t:s0 sgid=0
> subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file
> tcontext=system_u:object_r:samba_log_t:s0 tty=(none) uid=0
>

No, this is broken policy.  It will be fixed in selinux-policy-2.6.4-13.fc7.

You can use

grep samba_log_t /var/log/audit/audit.log | audit2allow -M mysamba
semodule -i mysamba.pp

to allow this on your machine.
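As an added example (not code from either poster), the following POSIX shell script does by hand what the first step of the grep | audit2allow pipeline above does: it turns a raw AVC denial record into the "allow" rule a local module would carry, and then checks that every generated rule really targets only the type you grepped for (here samba_log_t), so the module can be reviewed before semodule -i installs it. The audit line is constructed from the fields in the quoted raw audit message; the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample AVC record, modelled on the raw audit message quoted
# above (timestamp, ino and serial are made up for the example).
SAMPLE_AVC='type=AVC msg=audit(1180912241.123:456): avc:  denied  { append } for  pid=2945 comm="smbd" name="log.chaucer" dev=sda2 ino=12345 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=file'

# A second constructed denial against a different target type, used to show
# the scope check below catching a rule that should not be in the module.
OTHER_AVC='type=AVC msg=audit(1180912300.000:457): avc:  denied  { write } for  pid=2945 comm="smbd" name="messages" dev=sda2 ino=12346 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# Return the type component (third colon-separated field) of a context such
# as system_u:system_r:smbd_t:s0 -> smbd_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read AVC records on stdin and print one TE "allow" rule per denial, the same
# shape audit2allow emits:  allow <src type> <tgt type>:<class> { perms };
avc_to_allow() {
    grep 'avc: *denied' | while IFS= read -r line; do
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
        src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        printf 'allow %s %s:%s { %s };\n' \
            "$(ctx_type "$src")" "$(ctx_type "$tgt")" "$cls" "$perms"
    done
}

# Read allow rules on stdin; succeed only if every rule's target type equals
# $1. Rules that widen the module beyond that type are reported on stderr,
# which is the check worth doing before "semodule -i".
rules_only_target() {
    expected=$1
    rc=0
    while IFS= read -r rule; do
        tgt=${rule#allow * }   # drop "allow <src type> "
        tgt=${tgt%%:*}         # keep the target type before ":<class>"
        if [ "$tgt" != "$expected" ]; then
            printf 'unexpected target in rule: %s\n' "$rule" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: the single samba_log_t denial yields exactly one narrowly scoped rule.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Running the same pipeline over the real audit.log (grep samba_log_t /var/log/audit/audit.log | avc_to_allow | rules_only_target samba_log_t) is the review step between audit2allow -M and semodule -i: a module that only grants smbd_t append on samba_log_t is the narrow fix for the broken policy, whereas the chcon to samba_share_t that setroubleshoot proposed would make the log files shareable.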
