samba ro filesystems bool not effective

Andrew Farris lordmorgul at gmail.com
Wed Apr 2 07:27:38 UTC 2008


This denial is preventing access to a filesystem I have shared via
samba.  Whenever a system connects to the samba share the denial
occurs several times, and the share is empty when viewed from the
client.  My home dir can be shared fine through samba but not
/media/archive (see below).

Filesystem is mounted by:
LABEL=archive	/media/archive	vfat	auto,rw,async,users,group,nosuid,noexec,shortname=lower,fmask=0013,dmask=0002,gid=555	0 0

> ls -alFshnZ
drwxrwxr-x  0 555 system_u:object_r:dosfs_t:s0     archive/

I have already setsebool -P samba_export_all_ro=1 and verified it is
set in system-config-selinux.  It seems not to have any effect here.

I set (true):
samba_export_all_ro, samba_export_all_rw, samba_export_fusefs
I set (false):
samba_enable_home_dirs, use_samba_home_dirs, samba_run_unconfined

With those settings... my home dir is shared and accessible via samba,
but the ro share is not.  What is going on here?

SELinux is preventing the samba daemon from serving r/o local files to remote
clients.

Detailed Description:

SELinux has prevented the samba daemon (smbd) from reading files on the local
system. If you have not exported these file systems, this could signal an
intrusion.

Allowing Access:

If you want to export file systems using samba you need to turn on the
samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".

Fix Command:

setsebool -P samba_export_all_ro=1

Additional Information:

Source Context                unconfined_u:system_r:smbd_t:s0
Target Context                system_u:object_r:dosfs_t:s0
Target Objects                / [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          cirithungol
Source RPM Packages           samba-3.2.0-1.pre2.8.fc9
Target RPM Packages           filesystem-2.4.12-1.fc9
Policy RPM                    selinux-policy-3.3.1-26.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   samba_export_all_ro
Host Name                     cirithungol
Platform                      Linux cirithungol 2.6.25-0.172.rc7.git4.fc9.i686
                              #1 SMP Fri Mar 28 21:46:59 EDT 2008 i686 i686
Alert Count                   40
First Seen                    Mon 31 Mar 2008 11:18:08 PM PDT
Last Seen                     Tue 01 Apr 2008 02:30:29 PM PDT
Local ID                      431fbfb7-e677-45d9-98b9-0a23ea0ab572
Line Numbers

Raw Audit Messages

host=cirithungol type=AVC msg=audit(1207085429.4:3307): avc:  denied
{ read } for  pid=10886 comm="smbd" name="/" dev=sdc3 ino=1
scontext=unconfined_u:system_r:smbd_t:s0
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir

host=cirithungol type=SYSCALL msg=audit(1207085429.4:3307):
arch=40000003 syscall=5 success=no exit=-13 a0=b9157d60 a1=98800 a2=2f
a3=b9157d10 items=0 ppid=6064 pid=10886 auid=500 uid=500 gid=0
euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=1
comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0
key=(null)

--
Andrew Farris <lordmorgul at gmail.com> www.lordmorgul.net
 gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29
 revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture. - Daniel Geer
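The raw AVC and SYSCALL records quoted in the message, parsed and correlated back into one event, with the policy queries that tell you whether any allow rule (conditional on samba_export_all_ro or not) lets smbd_t read a dosfs_t directory. This is an added example by the editor, not code from the original post or from setroubleshoot; the sample input is the post's own two audit lines rejoined onto single lines, the errno/arch/syscall tables cover only the values seen in the post, and the sesearch/matchpathcon invocations it prints are a suggested next step, not something the thread confirms.

```python
import re

# The two audit records from the post, rejoined onto single lines (the
# mail client wrapped them). Constructed sample input for this example.
AVC_LINE = (
    'host=cirithungol type=AVC msg=audit(1207085429.4:3307): avc:  denied '
    '{ read } for  pid=10886 comm="smbd" name="/" dev=sdc3 ino=1 '
    'scontext=unconfined_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:dosfs_t:s0 tclass=dir'
)
SYSCALL_LINE = (
    'host=cirithungol type=SYSCALL msg=audit(1207085429.4:3307): '
    'arch=40000003 syscall=5 success=no exit=-13 a0=b9157d60 a1=98800 '
    'a2=2f a3=b9157d10 items=0 ppid=6064 pid=10886 auid=500 uid=500 gid=0 '
    'euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=1 '
    'comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 '
    'key=(null)'
)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

# Only the values that occur in the post; extend as needed.
ERRNO = {-13: 'EACCES'}
ARCH = {'40000003': 'i386'}        # AUDIT_ARCH_I386
SYSCALL_I386 = {5: 'open'}


def parse_audit_record(line):
    """Split one audit record into key/value fields. For AVC records also
    capture the decision (denied/granted) and the permission set."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = AVC_RE.search(line)
    if m:
        rec['decision'] = m.group(1)
        rec['perms'] = m.group(2).split()
    return rec


def selinux_type(context):
    """user:role:type[:level] -> type"""
    return context.split(':')[2]


def correlate(avc, syscall):
    """Join the AVC and SYSCALL records of one event (same msg=audit(...) id)
    into a single description of what was denied to whom."""
    if avc['msg'] != syscall['msg']:
        raise ValueError('records belong to different audit events')
    exit_code = int(syscall['exit'])
    return {
        'event': avc['msg'],
        'source_type': selinux_type(avc['scontext']),
        'target_type': selinux_type(avc['tcontext']),
        'tclass': avc['tclass'],
        'perms': avc['perms'],
        'name': avc['name'],        # "/" here: the root of the mounted fs
        'dev': avc['dev'],
        'exe': syscall['exe'],
        'uid': int(syscall['uid']),
        'arch': ARCH.get(syscall['arch'], syscall['arch']),
        'syscall': SYSCALL_I386.get(int(syscall['syscall']), syscall['syscall']),
        'errno': ERRNO.get(exit_code, str(exit_code)),
    }


def diagnostic_commands(d, share_path):
    """Commands that answer the question the post is asking: does any allow
    rule, boolean-gated or not, grant these permissions from this source
    type to this target type, and which booleans does it depend on? Plus
    the expected vs. actual label of the share."""
    perms = ','.join(d['perms'])
    return [
        # every allow rule for this exact (source, target, class, perms)
        f"sesearch --allow -s {d['source_type']} -t {d['target_type']} "
        f"-c {d['tclass']} -p {perms}",
        # same query restricted to rules gated by the boolean being tried
        f"sesearch --allow -b samba_export_all_ro -s {d['source_type']} "
        f"-c {d['tclass']} -p {perms}",
        # what the policy expects the path to be labelled, vs. what it is
        f"matchpathcon {share_path}",
        f"ls -dZ {share_path}",
    ]


def summarize(d):
    """One-line human summary of the correlated event."""
    return (f"{d['exe']} (uid {d['uid']}, {d['arch']} {d['syscall']}) "
            f"denied {{ {' '.join(d['perms'])} }} on {d['tclass']} "
            f"{d['name']!r} dev={d['dev']}: {d['source_type']} -> "
            f"{d['target_type']} ({d['errno']})")


if __name__ == '__main__':
    event = correlate(parse_audit_record(AVC_LINE),
                      parse_audit_record(SYSCALL_LINE))
    print(summarize(event))
    for cmd in diagnostic_commands(event, '/media/archive'):
        print(cmd)
```

If the first sesearch query returns no rule whose target is dosfs_t (or an attribute that dosfs_t carries), then no boolean can make this share readable and the fix lies elsewhere: relabel the mount with a type the boolean does cover, or add a local policy module. Which of those applies depends on the policy version installed, which the script deliberately does not guess.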
