Setting Samba Boolean. Recommended method?

Richard Chapman rchapman at aardvark.com.au
Fri Jan 16 03:36:22 UTC 2009


I am running SELinux in permissive mode. I want to allow samba access to
user home directories.
At setroubleshooter's suggestion (see below) - I did the following at a
shell prompt:

setsebool -P samba_enable_home_dirs=1

This seemed to solve the problem. But after a reboot the denials are 
back. I assume the boolean is not carried across a reboot.

If my assumption is correct - where is the recommended place to put the:

setsebool -P samba_enable_home_dirs=1

command?
Should I create a local policy module and put it there - or is there 
some other recommended place? If anyone can point me to a recommended 
procedure ...

Thanks

Richard.


Summary:

SELinux is preventing the samba daemon from reading users' home directories.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied the samba daemon access to users' home directories. Someone
is attempting to access your home directories via your samba daemon. If you only
setup samba to share non-home directories, this probably signals a intrusion
attempt. For more information on SELinux integration with samba, look at the
samba_selinux man page. (man samba_selinux)

Allowing Access:

If you want samba to share home directories you need to turn on the
samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"

The following command will allow this access:

setsebool -P samba_enable_home_dirs=1

Additional Information:

Source Context                system_u:system_r:smbd_t
Target Context                user_u:object_r:spamassassin_home_t
Target Objects                ./.spamassassin [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          C5.aardvark.com.au
Source RPM Packages           samba-3.0.28-1.el5_2.1
Target RPM Packages          
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   samba_enable_home_dirs
Host Name                     C5.aardvark.com.au
Platform                      Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP
                              Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 13 Jan 2009 10:59:19 PM WST
Last Seen                     Tue 13 Jan 2009 10:59:23 PM WST
Local ID                      70f6525d-ce9d-40a4-a558-c3db06781ae9
Line Numbers                 

Raw Audit Messages           

host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  
denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" 
dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 
tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir

host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  
denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" 
dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 
tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir

host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  
denied  { getattr } for  pid=8841 comm="smbd" 
path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 
scontext=system_u:system_r:smbd_t:s0 
tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file

host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  
denied  { getattr } for  pid=8841 comm="smbd" 
path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 
scontext=system_u:system_r:smbd_t:s0 
tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file

host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): 
arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 
a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 
pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 
egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" 
exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)

host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): 
arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 
a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 
pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 
egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" 
exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
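
Added example (not part of the original post or of setroubleshoot): a small Python parser for the AVC lines in the report above. It collapses the repeated records and groups the denials by source type, target type and object class, which shows which file label smbd was actually denied on. SAMPLE is the report's own AVC records rejoined onto single lines; the function names are this example's own.

```python
import re
from collections import Counter

# AVC records from the report above, each rejoined onto a single line.
SAMPLE = """\
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  denied  { getattr } for  pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  denied  { getattr } for  pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return a dict describing one AVC denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))
    f = {k: v.strip('"') for k, v in pairs}
    return {
        "serial": int(m.group("serial")),
        "perms": tuple(m.group("perms").split()),
        "source_type": f["scontext"].split(":")[2],  # user:role:type[:level]
        "target_type": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "object": f.get("path") or f.get("name"),
    }

def summarize(text):
    """Count distinct denials per (source type, target type, class, perms)."""
    seen, counts = set(), Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        ident = (rec["serial"], rec["perms"], rec["tclass"], rec["object"])
        if ident in seen:  # same event printed twice in the report
            continue
        seen.add(ident)
        counts[(rec["source_type"], rec["target_type"],
                rec["tclass"], rec["perms"])] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(SAMPLE).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

On a live system the same records can be taken from the audit log (for example the output of ausearch -m avc) and passed to summarize() as text.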





