Conflicting contexts for httpd and Samba

Trevor Hemsley trevor.hemsley at codefarm.com
Fri Aug 7 10:24:29 UTC 2009


I have a machine where I am trying to turn on selinux in enforcing mode
- currently running in permissive mode while I sort out what's likely to
stop working. On this machine I have both Samba and Apache. The Samba
server has shares on a disk partition that's mounted on /share and I was
getting AVCs for this so I used semanage and restorecon to mark all
directories on there as context samba_share_t. Works great except that
one directory on that share is also used by Apache and then I started
getting AVCs for that dir whenever someone tried to access its content
over http. Having done some reading I then tried to mark that directory
as context public_content_t and that gets rid of the AVCs for http but I
get them back for the Samba server instead :(

The directory in question that resides on the /share partition is used
by the Sophos Anti-Virus Enterprise Console to keep copies of all its
install materials and locally cached copies of all the AV definition
files. We have a Windows XP machine that runs the Enterprise Console and
this updates the AV definitions on the Samba share about every 5 minutes
- so Samba needs to have update access to the directory in question.

For users outside the main office we also make the Sophos AV definitions
available over https so Apache needs to be able to read the same
directory that Samba can write to. Both Samba and Apache processes are
running on the same machine and are accessing /share as a local file
system. I can see booleans that let Apache access Samba shares as
network drives but not as local file systems.

These are the sort of AVCs I am currently getting and I'm now out of
ideas about how to solve this. Does anyone have any suggestions please?

[root at here manifests]# ausearch -i -a 12027
----
type=SYSCALL msg=audit(07/08/09 09:14:50.432:12027) : arch=x86_64
syscall=open success=yes exit=41 a0=7fff3638c690 a1=42 a2=1f4
a3=4a7bf08a items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1
gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1
egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295
comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc:  denied  { create
} for  pid=460 comm=smbd name=pws-bcr.ide
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc:  denied  {
add_name } for  pid=460 comm=smbd name=pws-bcr.ide
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc:  denied  { write
} for  pid=460 comm=smbd name=savxp dev=drbd3 ino=2293891
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:public_content_t:s0 tclass=dir
[root at here manifests]# ausearch -i -a 12028
----
type=SYSCALL msg=audit(07/08/09 09:14:50.434:12028) : arch=x86_64
syscall=ftruncate success=yes exit=0 a0=29 a1=0 a2=2ad636132320 a3=1
items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root
euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users
sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd
exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:50.434:12028) : avc:  denied  { write
} for  pid=460 comm=smbd name=pws-bcr.ide dev=drbd3 ino=2850949
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:public_content_t:s0 tclass=file
[root at here manifests]# ausearch -i -a 12029
----
type=SYSCALL msg=audit(07/08/09 09:14:50.440:12029) : arch=x86_64
syscall=utimes success=yes exit=0 a0=7fff3638b4d0 a1=7fff3638a9a0
a2=71be1 a3=0 items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1
gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1
egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295
comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:50.440:12029) : avc:  denied  {
setattr } for  pid=460 comm=smbd name=pws-bcr.ide dev=drbd3 ino=2850949
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:public_content_t:s0 tclass=file
[root at here manifests]# ausearch -i -a 12030
----
type=SYSCALL msg=audit(07/08/09 09:14:52.556:12030) : arch=x86_64
syscall=unlink success=yes exit=0 a0=2ad63619e430 a1=2ad63619e430 a2=0
a3=2ad623feab20 items=0 ppid=5277 pid=460 auid=unset
uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root
fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users
tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd
subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:52.556:12030) : avc:  denied  { unlink
} for  pid=460 comm=smbd name=cidsync.upd dev=drbd3 ino=1572898
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(07/08/09 09:14:52.556:12030) : avc:  denied  {
remove_name } for  pid=460 comm=smbd name=cidsync.upd dev=drbd3
ino=1572898 scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:public_content_t:s0 tclass=dir
[root at here manifests]# ausearch -i -a 12031
----
type=SYSCALL msg=audit(07/08/09 09:14:52.559:12031) : arch=x86_64
syscall=stat success=yes exit=0 a0=7fff3638adb8 a1=7fff3638b1a0
a2=7fff3638b1a0 a3=0 items=0 ppid=5277 pid=460 auid=unset
uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root
fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users
tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd
subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:52.559:12031) : avc:  denied  {
getattr } for  pid=460 comm=smbd path=/codefarm/backups dev=dm-15 ino=2
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(07/08/09 09:14:52.559:12031) : avc:  denied  { search
} for  pid=460 comm=smbd name=codefarm dev=dm-0 ino=819201
scontext=system_u:system_r:smbd_t:s0
tcontext=user_u:object_r:default_t:s0 tclass=dir
[root at here manifests]# ausearch -i -a 12032
----
type=SYSCALL msg=audit(07/08/09 09:14:52.559:12032) : arch=x86_64
syscall=stat success=yes exit=0 a0=2ad636320285 a1=7fff3638ae60
a2=7fff3638ae60 a3=0 items=0 ppid=5277 pid=460 auid=unset
uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root
fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users
tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd
subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:52.559:12032) : avc:  denied  {
getattr } for  pid=460 comm=smbd path=/proc/sys/fs/binfmt_misc
dev=binfmt_misc ino=6477 scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
[root at here manifests]#

-- 

Trevor Hemsley
Infrastructure Engineer
.................................................
* C A L Y P S O
* Brighton, UK   

OFFICE 	+44 (0) 1273 666 350
FAX 	+44 (0) 1273 666 351

.................................................
www.calypso.com
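The following is an added example and not part of Trevor's post or any reply to it. It parses `ausearch -i` output in the exact layout shown above (the `{ perm` / `}` line break included), groups the denials by source domain, target type and object class, and then works out which domains only read the shared directory and which also write to it. From that it builds the relabeling plan that the standard policy provides for exactly this "one daemon writes, another reads" situation: label the directory `public_content_rw_t` and turn on the anon-write boolean for the writing daemon. The boolean names (`allow_smbd_anon_write`, `allow_httpd_anon_write`; later releases renamed them `smbd_anon_write` / `httpd_anon_write`), the directory path `/share/SOPHOS_DIR` and the `httpd_t` read denial in the sample are assumptions or constructed placeholders, not values from the post.

```python
"""Triage SELinux AVC denials from `ausearch -i` output and propose a label.

Added example; the policy knowledge encoded in BOOLEAN_FOR and CONTENT_TYPES
is an assumption about the targeted policy of the era and should be checked
against `getsebool -a` and `seinfo -t` on the machine in question.
"""
import re
from collections import defaultdict

# Constructed sample: two smbd_t denials copied from the post plus one
# hypothetical httpd_t read denial against samba_share_t (the situation the
# post describes before relabeling to public_content_t).
SAMPLE = """\
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc:  denied  { create
} for  pid=460 comm=smbd name=pws-bcr.ide
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc:  denied  { write
} for  pid=460 comm=smbd name=savxp dev=drbd3 ino=2293891
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(07/08/09 09:10:01.001:11990) : avc:  denied  { read
} for  pid=999 comm=httpd name=pws-bcr.ide dev=drbd3 ino=2850949
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:samba_share_t:s0 tclass=file
"""

# One AVC record: "denied { perms } for key=val ... scontext= tcontext= tclass="
AVC_RE = re.compile(
    r"type=AVC[^\n]*?denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)",
    re.S,
)

# Permissions that imply the domain modifies the directory or its files.
WRITE_PERMS = {"write", "create", "unlink", "add_name", "remove_name",
               "setattr", "rename", "append", "link"}
# Labels that mean "this is shared content" rather than a mislabeled file.
CONTENT_TYPES = {"samba_share_t", "public_content_t", "public_content_rw_t"}
# Boolean that lets each domain write to public_content_rw_t (assumed names).
BOOLEAN_FOR = {"smbd_t": "allow_smbd_anon_write", "httpd_t": "allow_httpd_anon_write"}


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Parse every AVC record in `ausearch -i` output into a dict."""
    records = []
    for m in AVC_RE.finditer(text):
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        records.append({
            "perms": frozenset(m.group("perms").split()),
            "comm": fields.get("comm"),
            "name": fields.get("name") or fields.get("path"),
            "source": type_of(m.group("scon")),
            "target": type_of(m.group("tcon")),
            "tclass": m.group("tclass"),
        })
    return records


def summarize(records):
    """Collapse records into (source, target, class) -> sorted permissions."""
    summary = defaultdict(set)
    for r in records:
        summary[(r["source"], r["target"], r["tclass"])] |= r["perms"]
    return {key: sorted(perms) for key, perms in summary.items()}


def plan_label(records, directory):
    """Choose a label and booleans so every denied domain gets the access it asked for."""
    shared = [r for r in records if r["target"] in CONTENT_TYPES]
    writers = {r["source"] for r in shared if r["perms"] & WRITE_PERMS}
    readers = {r["source"] for r in shared} - writers
    if not writers:
        label, booleans = "public_content_t", []      # read-only for everyone
    else:
        unknown = writers - set(BOOLEAN_FOR)
        if unknown:
            raise ValueError(f"no anon-write boolean known for {sorted(unknown)}")
        label = "public_content_rw_t"
        booleans = [BOOLEAN_FOR[d] for d in sorted(writers)]
    commands = [f'semanage fcontext -a -t {label} "{directory}(/.*)?"',
                f"restorecon -Rv {directory}"]
    commands += [f"setsebool -P {b} on" for b in booleans]
    return {"label": label, "writers": sorted(writers),
            "readers": sorted(readers), "commands": commands}


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE)
    for key, perms in summarize(recs).items():
        print(f"{key[0]} -> {key[1]} ({key[2]}): {' '.join(perms)}")
    for cmd in plan_label(recs, "/share/SOPHOS_DIR")["commands"]:
        print(cmd)
```

On the post's full log the records whose target is `file_t` or `default_t` (`/codefarm/backups`, `/codefarm`) are deliberately left out of the plan: `file_t` is the type an inode carries when it has never been labeled at all, so those denials point at a filesystem that still needs a `restorecon -R`, not at the httpd/Samba conflict, and the `binfmt_misc_fs_t` getattr is a harmless stat of `/proc/sys/fs/binfmt_misc` by smbd.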
