setsebool ok & smb denied

Laurent Jacquot jk at lutty.net
Thu Apr 10 18:11:35 UTC 2008


Hello,
On my up-to-date F8, SMB is denied read access to the user_iceauth_home_t
context even though I have:


[root@jack ~]# getsebool -a |grep samba
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_nfs --> off
use_samba_home_dirs --> on

Should I bugzilla it? And also: dontaudit, allow or deny?


Résumé:

SELinux is preventing the samba daemon from reading users' home
directories.

Description détaillée:

SELinux has denied the samba daemon access to users' home directories.
Someone is attempting to access your home directories via your samba
daemon. If you only setup samba to share non-home directories, this
probably signals a intrusion attempt. For more information on SELinux
integration with samba, look at the samba_selinux man page.
(man samba_selinux)

Autoriser l'accès:

Si vous souhaitez que samba partage des répertoires personnels vous devez
activer le booléen samba_enable_home_dirs :
"setsebool -P samba_enable_home_dirs=1"

La commande suivante autorisera cet accès :

setsebool -P samba_enable_home_dirs=1

Informations complémentaires:

Contexte source               system_u:system_r:smbd_t:s0
Contexte cible                system_u:object_r:user_iceauth_home_t:s0
Objets du contexte            /home/alex/.ICEauthority [ file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Inconnu>
Host                          jack.lutty.net
Source RPM Packages           samba-3.0.28a-0.fc8
Target RPM Packages           
Politique RPM                 selinux-policy-3.0.8-95.fc8
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 samba_enable_home_dirs
Nom de l'hôte                jack.lutty.net
Plateforme                    Linux jack.lutty.net 2.6.24.4-64.fc8 #1 SMP Sat
                              Mar 29 09:54:46 EDT 2008 i686 i686
Compteur d'alertes            28
First Seen                    ven 04 avr 2008 23:16:29 CEST
Last Seen                     mer 09 avr 2008 16:34:17 CEST
Local ID                      d2ee22f9-866b-4305-94c8-a029aee20c19
Numéros des lignes           

Messages d'audit bruts        

host=jack.lutty.net type=AVC msg=audit(1207751657.63:1353): avc:  denied { getattr } for  pid=32716 comm="smbd" path="/home/alex/.ICEauthority" dev=dm-11 ino=850503 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_iceauth_home_t:s0 tclass=file

host=jack.lutty.net type=SYSCALL msg=audit(1207751657.63:1353): arch=40000003 syscall=195 success=no exit=-13 a0=bfc33194 a1=bfc32914 a2=4c5ff4 a3=bfc32914 items=0 ppid=3346 pid=32716 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)

jk
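
An added example, not part of the original post: a small Python parser that pairs the AVC and SYSCALL records quoted above by their audit serial number and reports the denied permission, the source domain and the target type for triage. The function names are hypothetical; the sample input is the two records from the report, rejoined onto one line each.

```python
import re
from collections import defaultdict

# The two raw audit records from the report above, one record per line.
SAMPLE = (
    'host=jack.lutty.net type=AVC msg=audit(1207751657.63:1353): avc:  denied '
    '{ getattr } for  pid=32716 comm="smbd" path="/home/alex/.ICEauthority" '
    'dev=dm-11 ino=850503 scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:user_iceauth_home_t:s0 tclass=file\n'
    'host=jack.lutty.net type=SYSCALL msg=audit(1207751657.63:1353): '
    'arch=40000003 syscall=195 success=no exit=-13 items=0 ppid=3346 pid=32716 '
    'auid=4294967295 uid=500 gid=0 euid=500 tty=(none) comm="smbd" '
    'exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)\n'
)

EVENT = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial; one event may carry several records."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not an audit record
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == "AVC":
            p = PERMS.search(rest)
            fields["perms"] = p.group(1).split() if p else []
        events[int(serial)][rtype] = fields
    return events

def summarize(events):
    """One row per denial: which domain was refused what, on which type."""
    rows = []
    for serial, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc:
            continue  # event without an AVC record is not a denial
        rows.append({
            "serial": serial, "perms": avc["perms"], "tclass": avc["tclass"],
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "path": avc.get("path"), "exe": sc.get("exe"),
            "uid": sc.get("uid"), "exit": sc.get("exit"),
        })
    return rows
```
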






More information about the fedora-selinux-list mailing list