samba and system users home

Paul Howarth paul at
Thu Aug 13 20:50:26 UTC 2009

On Thu, 13 Aug 2009 13:03:41 -0700 (PDT)
Vadym Chepkov <chepkov at> wrote:

> Hi,
> Each time anybody trying to access a samba share I get a denials like
> this:
> type=AVC msg=audit(1250191256.756:26956): avc:  denied  { getattr }
> for  pid=20508 comm="smbd" path="/var/www" dev=dm-5 ino=2
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
> type=AVC msg=audit(1250191256.756:26955): avc:  denied  { getattr }
> for  pid=20508 comm="smbd" path="/var/mysql" dev=dm-4 ino=2
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
> I am not sure why samba is trying to access this directories, it's no
> ones home, just a mount point. dovecot generates the same AVCs, but
> only when it starts. What is the best way to suppress these? Thanks.

I've been getting these for years too! Well, I've had these in local
policy for several releases:

# Samba needs to be able to access stuff under /srv
allow smbd_t var_t:dir getattr;

# F11 noise reduction
dontaudit smbd_t lost_found_t:dir { getattr read };
dontaudit smbd_t squid_cache_t:dir getattr;
dontaudit smbd_t mysqld_db_t:dir getattr;


More information about the fedora-selinux-list mailing list