SELinux blocking Samba share mounting?

Daniel J Walsh dwalsh at redhat.com
Fri Feb 13 13:11:49 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven Stromer wrote:
> 
> On Feb 12, 2009, at 4:43 PM, Daniel J Walsh wrote:
> 
> Paul Howarth wrote:
>>>> On Thu, 12 Feb 2009 14:20:34 -0500
>>>> Steven Stromer <filter at stevenstromer.com> wrote:
>>>>
>>>>> Hopefully posting to the right list!
>>>>>
>>>>> I'm starting to migrate a few Fedora boxes over to the latest version
>>>>> of CentOS 5 running the latest version of samba:
>>>>>
>>>>> [~]# smbstatus
>>>>> Samba version 3.0.28-1.el5_2.1
>>>>>
>>>>>
>>>>> However, I am having a hard time getting SELinux to permit the
>>>>> mounting of shares on the first CentOS box. Disabling SELinux permits
>>>>> the shares to mount without problem:
>>>>>
>>>>> [~]# setenforce 1
>>>>> [~]# mount -t cifs //192.168.10.3/PHFiles /mnt/samba -o username=****,password=****,rw
>>>>> retrying with upper case share name
>>>>> mount error 6 = No such device or address
>>>>> [~]# setenforce 0
>>>>> [~]# mount -t cifs //192.168.10.3/PHFiles /mnt/samba -o username=****,password=****,rw
>>>>> [~]# ls -la /mnt/samba/
>>>>> total 8
>>>>> d---rws---+ 6 samba       samba          0 Feb 10 11:17 .
>>>>> drwxr-xr-x  3 root        root        4096 Feb 12 11:13 ..
>>>>> d---rws---+ 2 technology  technology     0 Feb 10 11:14 Computing
>>>>> d---rws---+ 2 development development    0 Feb 10 11:17 Development
>>>>> d---rws---+ 2 root        public         0 Feb 10 11:16 Marketing & Design
>>>>> d---rws---+ 2 root        public         0 Feb 10 11:14 Public Computing
>>>>> [~]# umount /mnt/samba/
>>>>> [~]# setenforce 1
>>>>>
>>>>>
>>>>> Installed policy version is:
>>>>> selinux-policy.noarch              2.4.6-137.1.el5
>>>>> selinux-policy-targeted.noarch     2.4.6-137.1.el5
>>>>>
>>>>>
>>>>> The two shared directories are:
>>>>>
>>>>> [~]# ls -laZ /home/server1/PHFiles/
>>>>> d---rws---+ samba       samba       system_u:object_r:samba_share_t  .
>>>>> drwxr-xr-x  root        root        root:object_r:user_home_dir_t    ..
>>>>> d---rws---+ technology  technology  root:object_r:samba_share_t      Computing
>>>>> d---rws---+ development development root:object_r:samba_share_t      Development
>>>>> d---rws---+ root        public      root:object_r:samba_share_t      Marketing & Design
>>>>> d---rws---+ root        public      root:object_r:samba_share_t      Public Computing
>>>>>
>>>>> and
>>>>>
>>>>> [~]# ls -laZ /var/www/html
>>>>> d---rwsr-x+ development development system_u:object_r:public_content_rw_t .
>>>>> drwxr-xr-x  root        root        system_u:object_r:httpd_sys_content_t ..
>>>>> ----rwxr-x+ development development root:object_r:public_content_rw_t     .DS_Store
>>>>> d---rwsr-x+ development development root:object_r:public_content_rw_t     private
>>>>> d---rwsr-x+ development development root:object_r:public_content_rw_t     public
>>>>>
>>>>> (I am aware that my permissions seem a bit untraditional. I am
>>>>> running an experiment with extended ACL configuration on samba
>>>>> shares. However, I do not believe this to have any bearing on my
>>>>> present problems, as I have numerous other production servers running
>>>>> with these permissions under SELinux, and, again, turning SELinux off
>>>>> resolves my problems instantly.)
>>>>>
>>>>>
>>>>> The following has been executed with no apparent effect:
>>>>> setsebool -P allow_smbd_anon_write=1
>>>>>
>>>>>
>>>>> The following have been executed with no apparent effect (so these
>>>>> have been turned back off):
>>>>> setsebool -P smbd_disable_trans=1
>>>>> setsebool -P nmbd_disable_trans=1
>>>>>
>>>>>
>>>>> I've added the new contexts to file_contexts, and executed
>>>>> 'restorecon -R' on the two shared directories:
>>>>> /home/server1/PHFiles(/.*)?  --  system_u:object_r:samba_share_t
>>>>> /var/www/html(/.*)?          --  system_u:object_r:public_content_rw_t
>>>>>
>>>>>
>>>>> setroubleshoot-server is installed, but no AVC denials are reported
>>>>> to /var/log/messages. Instead, when SELinux is enforcing, I get the
>>>>> error:
>>>>> smbd[11852]:   '/home/server1/PHFiles' does not exist or permission denied when connecting to [PHFiles] Error was Permission denied
>>>>>
>>>>>
>>>>> And, finally, I've rebooted. All to no avail. Any assistance would be
>>>>> much appreciated!
>>>>
>>>> If the audit daemon is running, the AVC denials will be
>>>> in /var/log/audit/audit.log rather than /var/log/messages.
>>>>
>>>> fedora-selinux-list would probably be more appropriate for this by the
>>>> way.
>>>>
>>>> Paul.
>>>>
>>>>
> 
> setsebool -P use_samba_home_dirs 1
>>

> Daniel, thanks for the reply. No success. I omitted mentioning that I
> had tried this, as well. However, I just confirmed again that this is
> not the fix. I'm not even sure why home directories would need to be
> permitted, as I am not using them. I even have [homes] commented out in
> smb.conf, which I'll include for reference:


> # Samba config file
> [global]
> # WINS
>     wins support = yes
>     local master = yes
>     os level = 99
>     domain master = yes
>     preferred master = yes
>     workgroup = 478FIRST
> # NETBIOS/DNS
>     netbios name = server1
>     name resolve order = wins lmhosts hosts bcast
>     dns proxy = yes
> # SMB/CIFS
>     smb ports = 139
>     server string = server1
> # AUTHENTICATION
>     interfaces = eth0
>     security = user
>     passdb backend = tdbsam
>     encrypt passwords = yes
> # LOGGING
>     log file = /var/log/samba/%m.log
>     max log size = 50
> # CUPS
>     load printers = yes
>     cups options = raw

> #[homes]
> #    comment = Home Directories
> #    read only = No
> #    browseable = No

> # [printers]
> #     comment = All Printers
> #     path = /usr/spool/samba
> #     printable = Yes
> #     browseable = No

> [PHFiles]
>     path = /home/server1/PHFiles
>     writable = yes
>     browseable = yes
>     available = yes
>     create mask = 0660
>     force create mode = 0660
>     directory mask = 0770
>     force directory mode = 0770
>     inherit acls = yes
>     inherit owner = yes
>     hosts allow = 127. 192.168.5.
>     map archive = no
>     map readonly = no
>     map acl inherit = yes

> [html]
>     path = /var/www/html
>     writable = yes
>     browseable = yes
>     available = yes
>     create mask = 0660
>     force create mode = 0660
>     directory mask = 0770
>     force directory mode = 0770
>     inherit acls = yes
>     inherit owner = yes
>     hosts allow = 127. 192.168.5.
>     map archive = no
>     map readonly = no
>     map acl inherit = yes

You still have not attached the AVC messages from /var/log/audit/audit.log.

You have these booleans to allow samba to share any dir read-only or
read/write:
samba_export_all_ro --> off
samba_export_all_rw --> off

You also seem to be using public_content_rw_t, so you might want to turn on

allow_smbd_anon_write --> off

which allows it to write to public_content_rw_t.

You could just add a custom module with
# grep smb /var/log/audit/audit.log | audit2allow -M mysmb
# semodule -i mysmb.pp

Without the audit.log we cannot help you.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmVcZUACgkQrlYvE4MpobMShgCfaZ08o5LoZxMUeoN7BkxlcEfI
QPAAoKPWMn5EOcVicEPubt6d95PCKkl5
=/HDJ
-----END PGP SIGNATURE-----
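A small triage helper for the situation in this thread, added here as an example; it is not code from the thread or from the SELinux project. It assumes records in the `type=AVC` form that auditd writes to /var/log/audit/audit.log (the point Paul makes above: with auditd running, denials never reach /var/log/messages) and parses contexts as user:role:type[:level]. The sample records are constructed, with invented pids, inodes and timestamps; on a live host the input would be `ausearch -m avc -c smbd`. The advice it prints uses only the booleans named in the replies: `use_samba_home_dirs` (relevant even with `[homes]` commented out, because the share's parent `/home/server1` carries `user_home_dir_t` and smbd must traverse it), `allow_smbd_anon_write` for `public_content_rw_t`, and the broad `samba_export_all_ro`/`samba_export_all_rw`, with relabelling to `samba_share_t` as the narrower fix. The last function checks one thing a reader of the `file_contexts` lines above should know: a spec whose middle field is `--` applies to regular files only, so if that field was not just mail wrapping, restorecon would not put `samba_share_t` on the directories themselves.

```shell
#!/bin/sh
# Added example (not from the thread): triage SELinux AVC denials for smbd.
# Assumes records in the type=AVC form auditd writes to
# /var/log/audit/audit.log. Contexts are parsed as user:role:type[:level].

# Constructed sample records; pids, inodes and timestamps are invented.
# Record 5 repeats record 1 from a second smbd child to show de-duplication,
# and the SYSCALL record shows that non-AVC lines are ignored.
SAMPLE_AVC='type=AVC msg=audit(1234567890.101:201): avc:  denied  { search } for  pid=11852 comm="smbd" name="server1" dev=sda2 ino=262145 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1234567890.102:202): avc:  denied  { write add_name } for  pid=11852 comm="smbd" name="public" dev=sda2 ino=393217 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=AVC msg=audit(1234567890.103:203): avc:  denied  { read } for  pid=11852 comm="smbd" name="notes.txt" dev=sda2 ino=393300 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1234567890.103:203): arch=40000003 syscall=5 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0
type=AVC msg=audit(1234567890.104:204): avc:  denied  { search } for  pid=11853 comm="smbd" name="server1" dev=sda2 ino=262145 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir'

# avc_summary: stdin -> one line per distinct denial:
#   <source type> <target type> <object class> <comma-joined permissions>
avc_summary() {
    grep 'type=AVC' | grep -E 'avc: +denied' | awk '{
        s = t = c = perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) perms = (perms == "" ? $i : perms "," $i)
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        print s, t, c, perms
    }' | sort -u
}

# avc_advice: map each summary line to the fix discussed in the thread.
# Home-directory labels -> use_samba_home_dirs; public_content_rw_t ->
# allow_smbd_anon_write; anything else -> relabel to samba_share_t, or the
# samba_export_all_ro / samba_export_all_rw booleans (these open every
# directory on the box to smbd, so relabelling the share is the narrower fix).
avc_advice() {
    while read -r src tgt cls perms; do
        case "$perms" in
            *write*|*add_name*|*remove_name*|*create*|*unlink*|*append*|*setattr*) mode=rw ;;
            *) mode=ro ;;
        esac
        if [ "$src" != "smbd_t" ]; then
            echo "$src -> $tgt ($cls: $perms): source is not smbd_t; check 'ps -eZ | grep smbd' before touching policy"
            continue
        fi
        case "$tgt" in
            user_home_dir_t|user_home_t)
                echo "$src -> $tgt ($cls: $perms): path is under a home directory; setsebool -P use_samba_home_dirs 1, or move/relabel the share so no parent is a home label" ;;
            public_content_rw_t)
                echo "$src -> $tgt ($cls: $perms): setsebool -P allow_smbd_anon_write 1 (only writes need it; smbd can read public_content_rw_t by default)" ;;
            *)
                echo "$src -> $tgt ($cls: $perms): label not exported to smbd; semanage fcontext -a -t samba_share_t '/path/to/share(/.*)?' && restorecon -R /path/to/share, or the broad setsebool -P samba_export_all_$mode 1" ;;
        esac
    done
}

# fcontext_covers_dirs SPEC: exit 0 if a file_contexts spec applies to
# directories. The optional middle field limits a spec by file type:
# "--" regular files only, "-d" directories only; no field means all types.
# With a "--" spec restorecon will not apply the context to the share's
# directories, and smbd is then denied on whatever label they kept.
fcontext_covers_dirs() {
    printf '%s\n' "$1" | awk '{ exit !(NF == 2 || $2 == "-d") }'
}

# Demo on the constructed sample. On a live host:
#   ausearch -m avc -c smbd | avc_summary | avc_advice
printf '%s\n' "$SAMPLE_AVC" | avc_summary | avc_advice
fcontext_covers_dirs '/home/server1/PHFiles(/.*)? -- system_u:object_r:samba_share_t' \
    || echo 'file_contexts spec with "--" matches regular files only; drop the field so the directories get samba_share_t'
```

If audit.log shows nothing at all for smbd while enforcing still breaks the share, the denial is probably covered by a dontaudit rule; `audit2why` (also `audit2allow -w`) reports which boolean would allow a denial, and newer policycoreutils can expose dontaudited denials with `semodule -DB`. Prefer relabelling the share over `samba_export_all_rw`, which exports every directory on the host to smbd.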




More information about the fedora-selinux-list mailing list