SELinux for Samba-3.0.20

Darwin H. Webb thethirddoorontheleft at verizon.net
Fri Sep 23 17:45:10 UTC 2005


Daniel J Walsh wrote:
> Darwin H. Webb wrote:
>
>> Hello,
>>
>> I was wondering if the SELinux policy has been updated for smbd and 
>> nmbd in FC5 testing?
>> I have installed all of the Samba-3.0.20 versions and in FC4 and had 
>> to turn these check boxes off.
>>
>>  I tried to turn them on for FC5 devel testing but it seemed to 
>> still get errors.
>> If the policy does exist, would a relabel be the answer?
>>
>> Thank you,
>>
>> Darwin H. Webb
>>
> Please submit the AVC messages that you are seeing?
>
>
>
I turned on the check boxes for Samba and relabeled with a boot yesterday.
It looks ok now, but here are the final messages occurring in samba,
and the only AVC messages now are about xauth.
Too many updates and reboots cleared the old messages since I haven't 
had the samba SELinux on for a while.
The old message was about being unable to access one or more .DAT files.
Now I only get these double set messages about every half hour.
[2005/09/23 07:46:43, 0] lib/util_sock.c:get_peer_addr(1222)
  getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 07:46:43, 0] lib/util_sock.c:get_peer_addr(1222)
  getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 08:18:43, 0] lib/util_sock.c:get_peer_addr(1222)
  getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 08:18:43, 0] lib/util_sock.c:get_peer_addr(1222)
  getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 08:50:43, 0] lib/util_sock.c:get_peer_addr(1222)
  getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 08:50:43, 0] lib/util_sock.c:get_peer_addr(1222)
  getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 09:22:43, 0] lib/util_sock.c:get_peer_addr(1222)
  getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 09:22:43, 0] lib/util_sock.c:get_peer_addr(1222)
  getpeername failed. Error was Transport endpoint is not connected


These may be part of the relabel. (A datetime stamp would be very nice 
on the audit.log.)
So it looks like the SELinux policy for samba is working ok.

Thanks,

Darwin
type=AVC msg=audit(1127494685.194:1748): avc:  denied  { relabelfrom } 
for  pid=23274 comm="su" name="0" dev=devpts ino=2 
scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 
tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1127494685.194:1748): avc:  denied  { relabelto } 
for  pid=23274 comm="su" name="0" dev=devpts ino=2 
scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 
tcontext=root:object_r:devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1127494685.194:1748): arch=40000003 syscall=226 
success=yes exit=0 a0=bfd3dd88 a1=7c869f a2=82c7378 a3=1a items=1 
pid=23274 auid=4294967295 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 
sgid=500 fsgid=500 comm="su" exe="/bin/su"
type=CWD msg=audit(1127494685.194:1748):  cwd="/home/darwinhwebb"
type=PATH msg=audit(1127494685.194:1748): item=0 name="/dev/pts/0" 
flags=1  inode=2 dev=00:0a mode=020620 ouid=500 ogid=5 rdev=88:00
type=AVC msg=audit(1127494685.198:1749): avc:  denied  { execute } for  
pid=23276 comm="su" name="xauth" dev=dm-0 ino=26980102 
scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 
tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1127494685.198:1749): avc:  denied  { read } for  
pid=23276 comm="su" name="xauth" dev=dm-0 ino=26980102 
scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 
tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1127494685.198:1749): arch=40000003 syscall=11 
success=yes exit=0 a0=bfd3fe63 a1=bfd3f55c a2=82c72b8 a3=bfd3f570 
items=2 pid=23276 auid=4294967295 uid=500 gid=500 euid=500 suid=500 
fsuid=500 egid=500 sgid=500 fsgid=500 comm="xauth" 
exe="/usr/X11R6/bin/xauth"
type=AVC_PATH msg=audit(1127494685.198:1749):  path="/usr/X11R6/bin/xauth"
type=CWD msg=audit(1127494685.198:1749):  cwd="/home/darwinhwebb"
type=PATH msg=audit(1127494685.198:1749): item=0 
name="/usr/X11R6/bin/xauth" flags=101  inode=26980102 dev=fd:00 
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1127494685.198:1749): item=1 flags=101  
inode=28508286 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127494685.278:1750): avc:  denied  { add_name } for  
pid=23274 comm="su" name=".xauthUxdapp" 
scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1127494685.278:1750): avc:  denied  { create } for  
pid=23274 comm="su" name=".xauthUxdapp" 
scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 
tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1127494685.278:1750): arch=40000003 syscall=5 
success=yes exit=3 a0=82c7a23 a1=c2 a2=180 a3=2d78cd items=1 pid=23274 
auid=4294967295 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 
fsgid=500 comm="su" exe="/bin/su"
type=CWD msg=audit(1127494685.278:1750):  cwd="/home/darwinhwebb"
type=PATH msg=audit(1127494685.278:1750): item=0 
name="/root/.xauthUxdapp" flags=310  inode=26312705 dev=fd:00 
mode=040750 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127494685.294:1751): avc:  denied  { setattr } for  
pid=23274 comm="su" name=".xauthUxdapp" dev=dm-0 ino=26312915 
scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 
tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1127494685.294:1751): arch=40000003 syscall=207 
success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 pid=23274 auid=4294967295 
uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 
comm="su" exe="/bin/su"
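A small triage script, added here as an example and not part of the post, that re-joins the mail-wrapped audit records above, parses the AVC denials, renders the epoch stamp as a UTC datetime (the wish expressed above) and groups the denied permissions by source type, target type and object class, which is the unit on which a relabel-versus-policy decision is made. The sample records are copied from the excerpt above; the SYSCALL record is abridged to one line.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Records copied from the audit.log excerpt in the post; the mail client wrapped
# them, so continuation lines do not start with "type=". SYSCALL line abridged.
SAMPLE = "\n".join([
    'type=AVC msg=audit(1127494685.194:1748): avc:  denied  { relabelfrom }',
    'for  pid=23274 comm="su" name="0" dev=devpts ino=2',
    'scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127',
    'tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1127494685.194:1748): avc:  denied  { relabelto }',
    'for  pid=23274 comm="su" name="0" dev=devpts ino=2',
    'scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127',
    'tcontext=root:object_r:devpts_t:s0 tclass=chr_file',
    'type=SYSCALL msg=audit(1127494685.194:1748): arch=40000003 syscall=226',
    'type=AVC msg=audit(1127494685.198:1749): avc:  denied  { execute } for',
    'pid=23276 comm="su" name="xauth" dev=dm-0 ino=26980102',
    'scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127',
    'tcontext=system_u:object_r:bin_t:s0 tclass=file',
])
AVC_RE = re.compile(r'type=AVC msg=audit\((\d+)\.\d+:(\d+)\): avc:\s+denied\s+\{ ([^}]+) \}(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Re-join mail-wrapped records: a line not starting with 'type=' continues the previous one."""
    return re.sub(r'\n(?!type=)', ' ', text).split('\n')

def parse_avc(text):
    """One dict per AVC denial, with the epoch stamp rendered as a UTC datetime."""
    out = []
    for rec in unwrap(text):
        m = AVC_RE.match(rec)
        if not m:          # SYSCALL/CWD/PATH records carry no denial, skip them
            continue
        f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(4))}
        when = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        out.append({"event": int(m.group(2)), "time": when.strftime("%Y-%m-%d %H:%M:%S"),
                    "perms": m.group(3).split(), "comm": f.get("comm"), "tclass": f["tclass"],
                    "stype": f["scontext"].split(":")[2], "ttype": f["tcontext"].split(":")[2]})
    return out

def summarize(records):
    """Denied permissions per (source type, target type, class), merged across events."""
    groups = defaultdict(set)
    for r in records:
        groups[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in groups.items()}
```

If the summary names a file type that does not match what `ls -Z` shows for the path in the PATH record, a relabel (restorecon) is the fix rather than a policy change.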