Setting Samba Boolean. Recommended method?

Paul Howarth paul at city-fan.org
Fri Jan 16 10:18:41 UTC 2009


Richard Chapman wrote:
> I am running SElinux in permissive mode. I want to allow samba access to 
> user home directories.
> At setroubleshooter's suggestion (see below) I did the following at a 
> shell prompt:
> 
> setsebool -P samba_enable_home_dirs=1
> 
> This seemed to solve the problem. But after a reboot the denials are 
> back. I assume the boolean is not carried across a reboot.
> 
> If my assumption is correct - where is the recommended place to put the:
> 
> setsebool -P samba_enable_home_dirs=1
> 
> command?
> Should I create a local policy module and put it there - or is there 
> some other recommended place? If anyone can point me to a recommended 
> procedure ...
> 
> Thanks
> 
> Richard.

You've done what you needed to do already - the -P option makes the 
boolean persist across reboots.

> Summary:
> 
> SELinux is preventing the samba daemon from reading users' home 
> directories.

This summary is actually slightly misleading in this case.

> Detailed Description:
> 
> [SELinux is in permissive mode, the operation would have been denied but 
> was permitted due to permissive mode.]
> 
> SELinux has denied the samba daemon access to users' home directories. 
> Someone is attempting to access your home directories via your samba 
> daemon. If you only set up samba to share non-home directories, this 
> probably signals an intrusion attempt. For more information on SELinux 
> integration with samba, look at the samba_selinux man page. 
> (man samba_selinux)
> 
> Allowing Access:
> 
> If you want samba to share home directories you need to turn on the
> samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
> 
> The following command will allow this access:
> 
> setsebool -P samba_enable_home_dirs=1
> 
> Additional Information:
> 
> Source Context                system_u:system_r:smbd_t
> Target Context                user_u:object_r:spamassassin_home_t
> Target Objects                ./.spamassassin [ dir ]
> Source                        smbd
> Source Path                   /usr/sbin/smbd
> Port                          <Unknown>
> Host                          C5.aardvark.com.au
> Source RPM Packages           samba-3.0.28-1.el5_2.1
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-203.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   samba_enable_home_dirs
> Host Name                     C5.aardvark.com.au
> Platform                      Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 
>                               #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Tue 13 Jan 2009 10:59:19 PM WST
> Last Seen                     Tue 13 Jan 2009 10:59:23 PM WST
> Local ID                      70f6525d-ce9d-40a4-a558-c3db06781ae9
> Line Numbers                
> Raw Audit Messages          
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  
> denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" 
> dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 
> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
> 
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  
> denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" 
> dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 
> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
> 
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  
> denied  { getattr } for  pid=8841 comm="smbd" 
> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 
> scontext=system_u:system_r:smbd_t:s0 
> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
> 
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  
> denied  { getattr } for  pid=8841 comm="smbd" 
> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 
> scontext=system_u:system_r:smbd_t:s0 
> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
> 
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): 
> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 
> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 
> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 
> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" 
> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
> 
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): 
> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 
> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 
> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 
> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" 
> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)

These denials are all for the ~/.spamassassin directory and its 
contents, not the home directory in general. Browsing the majority of 
the home directory would work just fine in enforcing mode.

Paul.
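An added example, not part of this thread and not code from either poster: a POSIX shell script that does the two checks the exchange above turns on. First, it queries a boolean's runtime value with getsebool and its persistent value via semanage, which is how you confirm that setsebool -P survived a reboot. Second, it summarises raw AVC records by source type, target type, object class and permission, so the ~/.spamassassin denials show up as a spamassassin_home_t problem rather than a home-directory problem. The audit lines embedded in the script are constructed (modelled on the ones quoted above, plus one invented user_home_t denial for contrast); the boolean-query functions are guarded so the script also runs on a host with no SELinux tools, and the booleans.local path in the comment is an assumption about RHEL 5-era policycoreutils.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post).
# Two things an admin wants after "setsebool -P" and a fresh batch of AVCs:
#   1. confirm the boolean is on now AND on persistently;
#   2. see which target types the denials actually hit, so a private
#      directory label (spamassassin_home_t) is not mistaken for a general
#      home-directory denial (user_home_t / user_home_dir_t).

# Constructed sample input, modelled on the AVCs quoted above plus one
# invented user_home_t denial for contrast. On a live host feed the script
# from: ausearch -m AVC -ts recent
SAMPLE_AVCS='type=AVC msg=audit(1231855163.997:6624): avc:  denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1231855163.997:6624): avc:  denied  { getattr } for  pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
type=AVC msg=audit(1231855170.000:6630): avc:  denied  { read } for  pid=8841 comm="smbd" name="notes.txt" dev=dm-0 ino=26149999 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# summarize_avcs: stdin = raw audit lines; stdout = one line per
# (count, source type, target type, class, permission), sorted by key.
summarize_avcs() {
    awk '
    /type=AVC/ && /denied/ {
        perm = src = tgt = cls = ""
        # the permission set is the text between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type:level; field 3 is the type
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n[src " " tgt " " cls " " perm]++
    }
    END { for (k in n) print n[k], k }' | sort -k2
}

# distinct_target_types: stdin = raw audit lines; stdout = each target type once.
distinct_target_types() {
    summarize_avcs | awk '{ print $3 }' | sort -u
}

# count_denials_for_type TYPE: number of AVC denials whose target has TYPE.
count_denials_for_type() {
    grep 'type=AVC' | grep -c "tcontext=[^ ]*:$1:"
}

# boolean_state NAME: runtime value (getsebool) and persistent value (semanage).
# Both commands are guarded so this also runs on a host without SELinux tools.
# Assumption: on RHEL 5-era policycoreutils the -P value is kept in
# /etc/selinux/<policy>/modules/active/booleans.local, which semanage reads.
boolean_state() {
    b=$1
    if command -v getsebool >/dev/null 2>&1; then
        printf 'runtime:    '; getsebool "$b" || echo "(unknown boolean $b)"
    else
        echo "runtime:    getsebool not installed"
    fi
    if command -v semanage >/dev/null 2>&1; then
        # output format differs between versions; the matching line is shown as-is
        printf 'persistent: '
        semanage boolean -l 2>/dev/null | grep -- "$b" || echo "(not listed)"
    else
        echo "persistent: semanage not installed"
    fi
}

# Demo run against the constructed sample.
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs
printf 'target types: %s\n' "$(printf '%s\n' "$SAMPLE_AVCS" | distinct_target_types | tr '\n' ' ')"
boolean_state samba_enable_home_dirs
```

The summary line is what to read before reaching for a boolean: a boolean such as samba_enable_home_dirs changes what smbd_t may do to the generic home-directory types, while a target type like spamassassin_home_t belongs to another application's private data, and no samba boolean speaks for it. On a host where getsebool is present, a runtime "on" paired with a persistent "off" is the signature of a setsebool run without -P.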

More information about the fedora-selinux-list mailing list