[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Samba AVC



On Wed, Sep 30, 2009 at 10:15:14AM +0100, Tony Molloy wrote:
> 
> Hi,
> 
> This is Centos 5.3 fully updated.
> 
> Im getting the following error from setroubleshoot
> 
>     SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old
>     (samba_log_t).
> 
> when samba tries to rotate the log files.
> 
> Running sealert I get the following ( edited )
> 
> Summary:
> 
> SELinux is preventing samba (smbd) "unlink" to ./log.cs244-24.old 
> (samba_log_t).
> 
> Detailed Description:
> 
> SELinux denied samba access to ./log.cs244-24.old. If you want to share this
> directory with samba it has to have a file context label of samba_share_t. If
> ^^^^^^^^^^^^^
> you did not intend to use ./log.cs244-24.old as a samba repository it could
> indicate either a bug or it could signal a intrusion attempt.
> 
> Allowing Access:
> 
> You can alter the file context by executing chcon -R -t samba_share_t
> './log.cs244-24.old' You must also change the default file context files on 
> the
> system in order to preserve them even on a full relabel. "semanage fcontext -a
> -t samba_share_t './log.cs244-24.old'"
> 
> The following command will allow this access:
> 
> chcon -R -t samba_share_t './log.cs244-24.old'
> 
> Additional Information:
> 
> Source Context                root:system_r:smbd_t
> Target Context                root:object_r:samba_log_t
> Target Objects                ./log.cs244-24.old [ file ]
> Source                        smbd
> Source Path                   /usr/sbin/smbd
> Port                          <Unknown>
> Host                          janus.x.y.z
> Source RPM Packages           samba-3.0.33-3.7.el5_3.1
> Target RPM Packages           
> Policy RPM                    selinux-policy-2.4.6-203.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   samba_share
> Host Name                     janus.x.y.z
> Platform                      Linux janus.x.y.z 2.6.18-128.7.1.el5 #1 SMP
>                               Mon Aug 24 08:21:56 EDT 2009 x86_64 x86_64
> Alert Count                   53
> First Seen                    Fri Sep 25 15:54:24 2009
> Last Seen                     Tue Sep 29 15:55:25 2009
> Local ID                      e4426abc-3b0b-4df2-a380-3f0fba344c63
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc:  denied  { 
> unlink } for  pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 
> ino=164076 scontext=root:system_r:smbd_t:s0 
> tcontext=root:object_r:samba_log_t:s0 tclass=file
> 
> host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641): arch=c000003e 
> syscall=82 success=no exit=-13 a0=2b1b457b5220 a1=7fffa9a7ba90 a2=1f a3=0 
> items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=(none) ses=1675 comm="smbd" exe="/usr/sbin/smbd" 
> subj=root:system_r:smbd_t:s0 key=(null)
> 
> 
> log.cs244-24.old is a file not a directory and it's located in 
> the /var/log/samba directory with permissions
>        system_u:object_r:samba_log_t    samba
> 
> Any ideas,

Looks like a valid bug in selinux-policy to me:

echo "avc:  denied  { 
unlink } for  pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 
ino=164076 scontext=root:system_r:smbd_t:s0 
tcontext=root:object_r:samba_log_t:s0 tclass=file" | audit2allow -M mysmbd; /usr/sbin/semodule -i mysmbd.pp

Should grant this particular access vector.

> 
> Tony
> 
> -- 
> 
> Dept. of Comp. Sci.
> University of Limerick.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Attachment: pgpGAqKwGYIJj.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]