Samba log files have wrong context?
Daniel J Walsh
dwalsh at redhat.com
Mon Jun 4 18:39:04 UTC 2007
Bob Kashani wrote:
> SELinux keeps complaining that the file contexts for log files
> in /var/log/samba are wrong. All of the files are labeled samba_log_t
> but it seems to want samba_share_t, is this correct?
>
> This is what selinux troubleshooter reports:
>
> Summary
> SELinux is preventing samba (/usr/sbin/smbd) "append" to log.chaucer
> (samba_log_t).
>
> Detailed Description
> SELinux denied samba access to log.chaucer. If you want to share this
> directory with samba it has to have a file context label of samba_share_t.
> If you did not intend to use log.chaucer as a samba repository it could
> indicate either a bug or it could signal an intrusion attempt.
>
> Allowing Access
> You can alter the file context by executing chcon -R -t samba_share_t log.chaucer
>
> The following command will allow this access:
> chcon -R -t samba_share_t log.chaucer
>
> Additional Information
>
> Source Context system_u:system_r:smbd_t
> Target Context system_u:object_r:samba_log_t
> Target Objects log.chaucer [ file ]
> Affected RPM Packages samba-3.0.25-2.fc7 [application]
> Policy RPM selinux-policy-2.6.4-8.fc7
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.samba_share
> Host Name chaucer
> Platform Linux chaucer 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
> Alert Count 3
> First Seen Sun 03 Jun 2007 04:50:41 PM PDT
> Last Seen Sun 03 Jun 2007 04:50:41 PM PDT
> Local ID ef44bd9c-87aa-4898-9c3d-bb0a3def2ade
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { append } for comm="smbd" dev=sda2 egid=0 euid=0 exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="log.chaucer" pid=2945 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:samba_log_t:s0 tty=(none) uid=0
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
No, this is broken policy. It will be fixed in selinux-policy-2.6.4-13.fc7.
You can use
grep samba_log_t /var/log/audit/audit.log | audit2allow -M mysamba
semodule -i mysamba.pp
to allow this on your machine.
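An added example, not part of the thread and not audit2allow's own code: a POSIX shell script that parses the raw AVC record quoted above into the allow rule and the .te module source that the `grep ... | audit2allow -M mysamba` step would generate from it, so the rule can be read before `semodule -i` installs it. The function names (`field`, `parse_avc`, `avc_to_rule`, `avc_to_te`) are the example's own; the .te layout mirrors audit2allow's module/require/allow structure but is not a byte-for-byte reproduction of its output. The audit record is embedded as constructed input so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, not audit2allow's code): turn a raw AVC
# denial record into the allow rule and the .te module source that a local
# module like "mysamba" would carry, so the rule can be reviewed before
# "semodule -i" installs it.  The record below is the one quoted in the
# thread, embedded here as constructed input so the script runs offline;
# on a live system it would come from /var/log/audit/audit.log.

AVC_LINE='avc: denied { append } for comm="smbd" dev=sda2 egid=0 euid=0 exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="log.chaucer" pid=2945 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:samba_log_t:s0 tty=(none) uid=0'

# field RECORD KEY -> value of "KEY=value" in an audit record ("" if absent).
# The leading-space anchor keeps "tcontext" from matching inside "scontext".
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# parse_avc RECORD -> sets AVC_PERMS, AVC_STYPE, AVC_TTYPE, AVC_CLASS,
# AVC_COMM, AVC_NAME; returns 1 when the record is not a usable AVC denial.
parse_avc() {
    AVC_PERMS=$(printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//')
    AVC_STYPE=$(field "$1" scontext | cut -d: -f3)   # type part of user:role:type:mls
    AVC_TTYPE=$(field "$1" tcontext | cut -d: -f3)
    AVC_CLASS=$(field "$1" tclass)
    AVC_COMM=$(field "$1" comm | tr -d '"')
    AVC_NAME=$(field "$1" name | tr -d '"')
    [ -n "$AVC_PERMS" ] && [ -n "$AVC_STYPE" ] && [ -n "$AVC_TTYPE" ] && [ -n "$AVC_CLASS" ] || return 1
    return 0
}

# avc_to_rule RECORD -> "allow stype ttype:class { perms };" (audit2allow form)
avc_to_rule() {
    parse_avc "$1" || return 1
    printf 'allow %s %s:%s { %s };\n' "$AVC_STYPE" "$AVC_TTYPE" "$AVC_CLASS" "$AVC_PERMS"
}

# avc_to_te MODULE RECORD -> the .te source a local module would be built from:
# a module header, a require block naming the types and class, and the rule.
avc_to_te() {
    parse_avc "$2" || return 1
    printf 'module %s 1.0;\n\n' "$1"
    printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$AVC_STYPE" "$AVC_TTYPE" "$AVC_CLASS" "$AVC_PERMS"
    printf '# from comm=%s name=%s\n' "$AVC_COMM" "$AVC_NAME"
    avc_to_rule "$2"
}

# Stand-alone run: the rule for the thread's denial is
#   allow smbd_t samba_log_t:file { append };
avc_to_te mysamba "$AVC_LINE"
```

Reading the generated rule before installing it is the point: it grants `smbd_t` append on `samba_log_t`, which is the daemon writing its own log type and matches the diagnosis above that the policy, not the label, is wrong. Relabeling the log directory to `samba_share_t`, as the troubleshooter suggested, would instead mark the logs as shareable content rather than repair the policy.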