setsebool ok & smb denied
Laurent Jacquot
jk at lutty.net
Thu Apr 10 18:11:35 UTC 2008
Hello,
On my up-to-date F8, SMB is denied read access to user_iceauth_home_t
context even though I have:
[root@jack ~]# getsebool -a |grep samba
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_nfs --> off
use_samba_home_dirs --> on
Should I bugzilla it? And also: dontaudit, allow or deny?
Résumé:
SELinux is preventing the samba daemon from reading users' home directories.
Description détaillée:
SELinux has denied the samba daemon access to users' home directories. Someone
is attempting to access your home directories via your samba daemon. If you only
setup samba to share non-home directories, this probably signals a intrusion
attempt. For more information on SELinux integration with samba, look at the
samba_selinux man page. (man samba_selinux)
Autoriser l'accès:
Si vous souhaitez que samba partage des répertoires personnels vous devez
activer le booléen samba_enable_home_dirs : "setsebool -P samba_enable_home_dirs=1"
La commande suivante autorisera cet accès :
setsebool -P samba_enable_home_dirs=1
Informations complémentaires:
Contexte source system_u:system_r:smbd_t:s0
Contexte cible system_u:object_r:user_iceauth_home_t:s0
Objets du contexte /home/alex/.ICEauthority [ file ]
Source smbd
Source Path /usr/sbin/smbd
Port <Inconnu>
Host jack.lutty.net
Source RPM Packages samba-3.0.28a-0.fc8
Target RPM Packages
Politique RPM selinux-policy-3.0.8-95.fc8
Selinux activé True
Type de politique targeted
MLS activé True
Mode strict Enforcing
Nom du plugin samba_enable_home_dirs
Nom de l'hôte jack.lutty.net
Plateforme Linux jack.lutty.net 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 i686
Compteur d'alertes 28
First Seen ven 04 avr 2008 23:16:29 CEST
Last Seen mer 09 avr 2008 16:34:17 CEST
Local ID d2ee22f9-866b-4305-94c8-a029aee20c19
Numéros des lignes
Messages d'audit bruts
host=jack.lutty.net type=AVC msg=audit(1207751657.63:1353): avc: denied { getattr } for pid=32716 comm="smbd" path="/home/alex/.ICEauthority" dev=dm-11 ino=850503 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_iceauth_home_t:s0 tclass=file
host=jack.lutty.net type=SYSCALL msg=audit(1207751657.63:1353): arch=40000003 syscall=195 success=no exit=-13 a0=bfc33194 a1=bfc32914 a2=4c5ff4 a3=bfc32914 items=0 ppid=3346 pid=32716 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
jk
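
Added example, not part of the original post: a small Python parser for AVC denial records like the one quoted above, grouping denied permissions by source type, target type and class, which is the triple any allow or dontaudit rule is written against. The second sample record and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the post on one line, a second
# constructed denial to show grouping, and a SYSCALL record to be skipped.
SAMPLE = [
    'host=jack.lutty.net type=AVC msg=audit(1207751657.63:1353): avc: denied '
    '{ getattr } for pid=32716 comm="smbd" path="/home/alex/.ICEauthority" '
    'dev=dm-11 ino=850503 scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:user_iceauth_home_t:s0 tclass=file',
    'type=AVC msg=audit(1207751658.10:1354): avc: denied { read } for '
    'pid=32716 comm="smbd" path="/home/alex/.ICEauthority" '
    'scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:user_iceauth_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1207751657.63:1353): arch=40000003 syscall=195',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """A context is user:role:type[:level]; return the type or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    stype = context_type(fields.get('scontext', ''))
    ttype = context_type(fields.get('tcontext', ''))
    if not (stype and ttype and 'tclass' in fields):
        return None  # truncated or malformed record
    fields.update(perms=m.group(1).split(), stype=stype, ttype=ttype)
    return fields

def summarize(lines):
    """Group denied permissions by (source type, target type, class)."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        groups[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}

if __name__ == '__main__':
    for (s, t, c), perms in summarize(SAMPLE).items():
        print(f'{s} -> {t}:{c} denied {{ {" ".join(perms)} }}')
```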