samba nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t)
Dominick Grift
domg472 at gmail.com
Sun Feb 22 11:29:40 UTC 2009
On Sun, 2009-02-22 at 11:38 +0100, Per Sjoholm wrote:
> On CentOS 5.2
> The server is answering on different netbios names.
> SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t)
> in smb.conf the include files are in 2 halves. One for global config and one for shares/aliases
> I have include = /etc/samba/smb.%L.alias to get different shares/alias depending on netbios name
> the alias contains
> [name]
> ...
> [name2]
> ...
>
> I link asen20 to ASEN20 to allow netbios name
> # ls -Z /etc/samba/smb*
> -r--r--r-- root root root:object_r:samba_etc_t /etc/samba/smb.asen20.alias
> lrwxrwxrwx root root root:object_r:samba_etc_t /etc/samba/smb.ASEN20.alias -> smb.asen20.alias
>
> /var/log/message
> Feb 22 11:18:29 dox nmbd[4689]: become_domain_master_browser_bcast: querying subnet 192.168.1.6 for domain master
> browser on workgroup OASEN
> Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing the samba daemon from serving r/o local files to remote
> clients. For complete SELinux messages. run sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
> Feb 22 11:18:31 dox last message repeated 2 times
> Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t). For
> complete SELinux messages. run sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb
>
> setting setsebool -P samba_export_all_ro=1 as advised in sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
> does not help
>
> # sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
>
> Summary:
>
> SELinux is preventing the samba daemon from serving r/o local files to remote
> clients.
>
> Detailed Description:
>
> SELinux has preventing the samba daemon (smbd) from reading files on the local
> system. If you have not exported these file systems, this could signals an
> intrusion.
>
> Allowing Access:
>
> If you want to export file systems using samba you need to turn on the
> samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".
>
> The following command will allow this access:
>
> setsebool -P samba_export_all_ro=1
>
> Additional Information:
>
> Source Context root:system_r:smbd_t
> Target Context root:object_r:samba_etc_t
> Target Objects smb.ASEN20.alias [ lnk_file ]
> Source smbd
> Source Path /usr/sbin/smbd
> Port <Unknown>
> Host dox.oasen.dyndns.org
> Source RPM Packages samba-3.0.28-1.el5_2.1
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name samba_export_all_ro
> Host Name dox.oasen.dyndns.org
> Platform Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count 6
> First Seen Sun Feb 22 11:01:48 2009
> Last Seen Sun Feb 22 11:18:29 2009
> Local ID 55450fa9-b52d-4224-ad52-58b0b9fc4b76
> Line Numbers
>
> Raw Audit Messages
>
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd"
> name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0
> tclass=lnk_file
try this:
echo 'type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file' | audit2allow -M mysmbd; sudo /usr/sbin/semodule -i mysmbd.pp
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.562:32001): arch=c000003e syscall=4 success=no exit=-13
> a0=7fffa6dcac10 a1=7fffa6dcab60 a2=7fffa6dcab60 a3=2b560ee731f0 items=0 ppid=4684 pid=4685 auid=0 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0
> key=(null)
>
>
> # sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb
>
> Summary:
>
> SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t).
>
> Detailed Description:
>
> SELinux denied access requested by nmbd. It is not expected that this access is
> required by nmbd and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for smb.ASEN20.alias,
>
> restorecon -v 'smb.ASEN20.alias'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context root:system_r:nmbd_t
> Target Context root:object_r:samba_etc_t
> Target Objects smb.ASEN20.alias [ lnk_file ]
> Source nmbd
> Source Path /usr/sbin/nmbd
> Port <Unknown>
> Host dox.oasen.dyndns.org
> Source RPM Packages samba-3.0.28-1.el5_2.1
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name dox.oasen.dyndns.org
> Platform Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count 6
> First Seen Sun Feb 22 11:01:48 2009
> Last Seen Sun Feb 22 11:18:29 2009
> Local ID 350c8d95-e127-4a23-b2a1-455771106aeb
> Line Numbers
>
> Raw Audit Messages
>
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd"
> name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0
> tclass=lnk_file
And this:
echo 'type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file' | audit2allow -M mynmbd; sudo /usr/sbin/semodule -i mynmbd.pp
(mind the line breaks)
> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.628:32004): arch=c000003e syscall=4 success=no exit=-13
> a0=7fffca8af300 a1=7fffca8af250 a2=7fffca8af250 a3=0 items=0 ppid=4687 pid=4688 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="nmbd" exe="/usr/sbin/nmbd" subj=root:system_r:nmbd_t:s0 key=(null)
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
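The two commands above pipe the raw AVC lines into audit2allow and load whatever module it produces. What a reviewer wants to see before running semodule -i is the allow rule that will actually be installed, and whether it is as narrow as the denial. The script below is an added example, not part of the thread and not the audit2allow code itself: a small Python stand-in that parses AVC records in the format quoted above (the two sample lines are the thread's own denials, re-joined onto single lines since the mail client wrapped them), merges them into allow rules the way audit2allow does, renders the .te source, and flags any rule that would grant more than read-style access. The RISKY_PERMS set and the function names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denials quoted in the thread, each
# re-joined onto a single line (the mail client wrapped them).
SAMPLE_AVCS = """\
type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file
"""

# Fields an allow rule is built from: the denied permission set, the source
# and target security contexts, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Permissions a reviewer should not wave through just because a tool proposed
# them (this list is the example's own choice, not an SELinux constant).
RISKY_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "execute", "execute_no_trans", "execmod", "relabelto",
               "relabelfrom", "transition", "entrypoint"}


def context_type(ctx):
    """user:role:type[:range] -> type (the MLS range may itself contain colons)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, set of perms), or None if no AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    return (context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"), perms)


def collect_rules(text):
    """Merge denials into {(stype, ttype, tclass): perms}, as audit2allow does."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module_name, rules):
    """Render .te source in the layout audit2allow -M writes out."""
    types = sorted({t for key in rules for t in key[:2]})
    class_perms = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        class_perms[tclass] |= perms
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


def review_rules(rules):
    """Return one finding per rule that would grant a risky permission."""
    findings = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        bad = sorted(perms & RISKY_PERMS)
        if bad:
            findings.append(f"{stype} -> {ttype}:{tclass} grants {bad}")
    return findings


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AVCS)
    print(render_te("mysamba", rules))
    for finding in review_rules(rules):
        print("REVIEW:", finding)
```

Run against the thread's two denials it produces exactly two rules, `allow smbd_t samba_etc_t:lnk_file read;` and `allow nmbd_t samba_etc_t:lnk_file read;`, and no review findings: the only thing granted is following a symlink labelled samba_etc_t, which is what the tclass=lnk_file in the audit record says was refused. That is the check worth making before the semodule -i step, since the same pipeline would just as readily emit a write or execute rule if such a denial were in the input.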