samba nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t)

Per Sjoholm Per.t.Sjoholm at flysta.net
Sun Feb 22 10:38:38 UTC 2009


On CentOS 5.2
The server is answering on different netbios names.
  SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t)
In smb.conf the include files are in 2 halves, one for global config and one for shares/aliases.
I have include = /etc/samba/smb.%L.alias to get different shares/aliases depending on the netbios name.
The alias contains
[name]
...
[name2]
...

I link asen20 to ASEN20 to allow netbios name
# ls -Z /etc/samba/smb*
-r--r--r--  root root root:object_r:samba_etc_t        /etc/samba/smb.asen20.alias
lrwxrwxrwx  root root root:object_r:samba_etc_t        /etc/samba/smb.ASEN20.alias -> smb.asen20.alias

/var/log/message
Feb 22 11:18:29 dox nmbd[4689]:   become_domain_master_browser_bcast: querying subnet 192.168.1.6 for domain master 
browser on workgroup OASEN
Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing the samba daemon from serving r/o local files to remote 
clients. For complete SELinux messages. run sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
Feb 22 11:18:31 dox last message repeated 2 times
Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t). For 
complete SELinux messages. run sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb

Setting setsebool -P samba_export_all_ro=1, as advised in sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76,
does not help.

# sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76

Summary:

SELinux is preventing the samba daemon from serving r/o local files to remote
clients.

Detailed Description:

SELinux has preventing the samba daemon (smbd) from reading files on the local
system. If you have not exported these file systems, this could signals an
intrusion.

Allowing Access:

If you want to export file systems using samba you need to turn on the
samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".

The following command will allow this access:

setsebool -P samba_export_all_ro=1

Additional Information:

Source Context                root:system_r:smbd_t
Target Context                root:object_r:samba_etc_t
Target Objects                smb.ASEN20.alias [ lnk_file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          dox.oasen.dyndns.org
Source RPM Packages           samba-3.0.28-1.el5_2.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   samba_export_all_ro
Host Name                     dox.oasen.dyndns.org
Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
                               SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count                   6
First Seen                    Sun Feb 22 11:01:48 2009
Last Seen                     Sun Feb 22 11:18:29 2009
Local ID                      55450fa9-b52d-4224-ad52-58b0b9fc4b76
Line Numbers

Raw Audit Messages

host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.562:32001): avc:  denied  { read } for  pid=4685 comm="smbd" 
name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 
tclass=lnk_file

host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.562:32001): arch=c000003e syscall=4 success=no exit=-13 
a0=7fffa6dcac10 a1=7fffa6dcab60 a2=7fffa6dcab60 a3=2b560ee731f0 items=0 ppid=4684 pid=4685 auid=0 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 
key=(null)


# sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb

Summary:

SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t).

Detailed Description:

SELinux denied access requested by nmbd. It is not expected that this access is
required by nmbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for smb.ASEN20.alias,

restorecon -v 'smb.ASEN20.alias'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:nmbd_t
Target Context                root:object_r:samba_etc_t
Target Objects                smb.ASEN20.alias [ lnk_file ]
Source                        nmbd
Source Path                   /usr/sbin/nmbd
Port                          <Unknown>
Host                          dox.oasen.dyndns.org
Source RPM Packages           samba-3.0.28-1.el5_2.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dox.oasen.dyndns.org
Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
                               SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count                   6
First Seen                    Sun Feb 22 11:01:48 2009
Last Seen                     Sun Feb 22 11:18:29 2009
Local ID                      350c8d95-e127-4a23-b2a1-455771106aeb
Line Numbers

Raw Audit Messages

host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.628:32004): avc:  denied  { read } for  pid=4688 comm="nmbd" 
name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 
tclass=lnk_file

host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.628:32004): arch=c000003e syscall=4 success=no exit=-13 
a0=7fffca8af300 a1=7fffca8af250 a2=7fffca8af250 a3=0 items=0 ppid=4687 pid=4688 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="nmbd" exe="/usr/sbin/nmbd" subj=root:system_r:nmbd_t:s0 key=(null)
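
Both raw AVC records in the post carry tclass=lnk_file, so the denied read is on the symbolic link smb.ASEN20.alias itself. As an added example (not part of the original post), the following Python parses those two records, groups them by source type, target type and object class, and prints the type-enforcement rules a reviewer would weigh for the local policy module that sealert mentions; the function names are illustrative.

```python
import re
from collections import defaultdict

# The two AVC records from the post above, with the mail line wraps rejoined.
SAMPLE_AUDIT = """\
host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.562:32001): avc:  denied  { read } for  pid=4685 comm="smbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file
host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.628:32004): avc:  denied  { read } for  pid=4688 comm="nmbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]


def parse_denials(text):
    """Map (source type, target type, class) to the set of denied permissions."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line) if "type=AVC" in line else None
        if not m:
            # SYSCALL records and unrelated log lines are skipped.
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)


def allow_rules(grouped):
    """Render each grouped denial as a type-enforcement allow rule for review."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = sorted(perms)
        perm_text = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT)):
        print(rule)
```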










