Samba AVC

Dominick Grift domg472 at gmail.com
Wed Sep 30 11:18:17 UTC 2009


On Wed, Sep 30, 2009 at 10:15:14AM +0100, Tony Molloy wrote:
> 
> Hi,
> 
> This is Centos 5.3 fully updated.
> 
> I'm getting the following error from setroubleshoot
> 
>     SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old
>     (samba_log_t).
> 
> when samba tries to rotate the log files.
> 
> Running sealert I get the following (edited)
> 
> Summary:
> 
> SELinux is preventing samba (smbd) "unlink" to ./log.cs244-24.old 
> (samba_log_t).
> 
> Detailed Description:
> 
> SELinux denied samba access to ./log.cs244-24.old. If you want to share this
> directory with samba it has to have a file context label of samba_share_t. If
> ^^^^^^^^^^^^^
> you did not intend to use ./log.cs244-24.old as a samba repository it could
> indicate either a bug or it could signal a intrusion attempt.
> 
> Allowing Access:
> 
> You can alter the file context by executing chcon -R -t samba_share_t
> './log.cs244-24.old' You must also change the default file context files on
> the system in order to preserve them even on a full relabel. "semanage fcontext -a
> -t samba_share_t './log.cs244-24.old'"
> 
> The following command will allow this access:
> 
> chcon -R -t samba_share_t './log.cs244-24.old'
> 
> Additional Information:
> 
> Source Context                root:system_r:smbd_t
> Target Context                root:object_r:samba_log_t
> Target Objects                ./log.cs244-24.old [ file ]
> Source                        smbd
> Source Path                   /usr/sbin/smbd
> Port                          <Unknown>
> Host                          janus.x.y.z
> Source RPM Packages           samba-3.0.33-3.7.el5_3.1
> Target RPM Packages           
> Policy RPM                    selinux-policy-2.4.6-203.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   samba_share
> Host Name                     janus.x.y.z
> Platform                      Linux janus.x.y.z 2.6.18-128.7.1.el5 #1 SMP
>                               Mon Aug 24 08:21:56 EDT 2009 x86_64 x86_64
> Alert Count                   53
> First Seen                    Fri Sep 25 15:54:24 2009
> Last Seen                     Tue Sep 29 15:55:25 2009
> Local ID                      e4426abc-3b0b-4df2-a380-3f0fba344c63
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc:  denied  { 
> unlink } for  pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 
> ino=164076 scontext=root:system_r:smbd_t:s0 
> tcontext=root:object_r:samba_log_t:s0 tclass=file
> 
> host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641): arch=c000003e 
> syscall=82 success=no exit=-13 a0=2b1b457b5220 a1=7fffa9a7ba90 a2=1f a3=0 
> items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=(none) ses=1675 comm="smbd" exe="/usr/sbin/smbd" 
> subj=root:system_r:smbd_t:s0 key=(null)
> 
> 
> log.cs244-24.old is a file not a directory and it's located in 
> the /var/log/samba directory with permissions
>        system_u:object_r:samba_log_t    samba
> 
> Any ideas,

Looks like a valid bug in selinux-policy to me:

echo 'avc:  denied  { unlink } for  pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file' | audit2allow -M mysmbd; /usr/sbin/semodule -i mysmbd.pp

Should grant this particular access vector.

> 
> Tony
> 
> -- 
> 
> Dept. of Comp. Sci.
> University of Limerick.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
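Dominick's one-liner hands the raw AVC text to audit2allow, which parses it and writes the module source that semodule then loads. As an added example (not code from the thread, from audit2allow or from selinux-policy), the Python below performs that parsing step on the two records Tony pasted: it pulls the source type, target type, object class and denied permission out of the AVC record, decodes the companion SYSCALL record, and prints the .te source a module named mysmbd would be built from. The syscall-number and arch tables are partial and are an assumption of this example; extend them from your kernel's syscall list if you point it at other records.

```python
"""Parse an SELinux AVC denial and its SYSCALL record, then emit the
Type Enforcement (.te) allow rule audit2allow would derive from it.
Added example for this thread, not code from audit2allow or selinux-policy."""
import errno
import re
import shlex

# The two raw audit records quoted in the thread, re-joined onto single lines.
AVC_RECORD = (
    "host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc:  denied  "
    '{ unlink } for  pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 '
    "ino=164076 scontext=root:system_r:smbd_t:s0 "
    "tcontext=root:object_r:samba_log_t:s0 tclass=file"
)
SYSCALL_RECORD = (
    "host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641): arch=c000003e "
    "syscall=82 success=no exit=-13 a0=2b1b457b5220 a1=7fffa9a7ba90 a2=1f a3=0 "
    "items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 "
    'sgid=0 fsgid=0 tty=(none) ses=1675 comm="smbd" exe="/usr/sbin/smbd" '
    "subj=root:system_r:smbd_t:s0 key=(null)"
)

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
EVENT_RE = re.compile(r"msg=audit\((?P<event>[\d.]+:\d+)\)")
# Assumption: partial tables, only what these records need. Extend from your
# kernel's syscall list and the AUDIT_ARCH_* constants for other platforms.
X86_64_SYSCALLS = {2: "open", 82: "rename", 87: "unlink"}
ARCHES = {"c000003e": "x86_64", "40000003": "i386"}


def parse_kv(text):
    """Turn 'k=v k2="quoted v"' into a dict; shlex strips the quotes."""
    out = {}
    for tok in shlex.split(text):
        if "=" in tok:
            key, value = tok.split("=", 1)
            out[key] = value
    return out


def context_type(ctx):
    """Pull the type field out of user:role:type[:level]."""
    return ctx.split(":", 3)[2]


def parse_avc(record):
    """Extract what an allow rule needs: source type, target type, class, perms."""
    m = AVC_RE.search(record)
    if not m:
        raise ValueError("not an AVC record")
    fields = parse_kv(m.group("fields"))
    ev = EVENT_RE.search(record)
    return {
        "event": ev.group("event") if ev else None,
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }


def parse_syscall(record):
    """Decode the SYSCALL record that shares the AVC's audit event id."""
    f = parse_kv(record)
    nr, code, arch = int(f["syscall"]), int(f["exit"]), f["arch"]
    names = X86_64_SYSCALLS if arch == "c000003e" else {}
    return {
        "event": EVENT_RE.search(record).group("event"),
        "arch": ARCHES.get(arch, arch),
        "syscall_name": names.get(nr, f"syscall_{nr}"),
        "success": f["success"] == "yes",
        "exit_name": errno.errorcode.get(-code, str(code)) if code < 0 else "ok",
        "exe": f.get("exe"),
    }


def perm_set(perms):
    """Render one permission bare, several as a brace set, as .te syntax expects."""
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_te_rule(avc):
    """One AVC denial -> one allow rule."""
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm_set(avc['perms'])};"


def build_te_module(name, avcs, version="1.0"):
    """Assemble module source in the layout audit2allow -M writes to name.te."""
    types = sorted({a["stype"] for a in avcs} | {a["ttype"] for a in avcs})
    classes = {}
    for a in avcs:
        classes.setdefault(a["tclass"], set()).update(a["perms"])
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {perm_set(sorted(p))};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + [to_te_rule(a) for a in avcs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    avc, sc = parse_avc(AVC_RECORD), parse_syscall(SYSCALL_RECORD)
    assert avc["event"] == sc["event"], "records are not from the same audit event"
    print(f"{avc['comm']} ({sc['exe']}) called {sc['syscall_name']} -> {sc['exit_name']}; "
          f"denied {avc['perms']} on {avc['name']}")
    print(build_te_module("mysmbd", [avc]))
```

Two things this surfaces that are worth checking before loading such a module: both records carry audit event id 1254236125.438:70641, so they describe the same operation, and syscall 82 on x86_64 is rename with exit -13 (EACCES), i.e. smbd was renaming a log over the existing .old file, and SELinux checks unlink on the file being replaced. That matches the log-rotation symptom Tony describes, and the rule the module ends up with, allow smbd_t samba_log_t:file unlink;, is a single type pair and single permission, which is as narrow as a local policy module gets.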