Setting Samba Boolean. Recommended method?

Richard Chapman rchapman at aardvark.com.au
Fri Jan 16 23:22:52 UTC 2009


Thanks Paul. Your observation that the problem is the ~/.spamassassin 
directory is very enlightening.
Nonetheless - I imagine that in enforcing mode - I will get lots of 
errors - and possibly samba delays - so it probably still needs fixing.
Can you suggest why I might have this problem - and how best to fix it?

Richard.

Paul Howarth wrote:
> Richard Chapman wrote:
>> I am running SElinux in permissive mode. I want to allow samba access 
>> to user home directories.
>> At setroubleshooters suggestion (see below) - I did the following at 
>> a shell prompt:
>>
>> setsebool -P samba_enable_home_dirs=1
>>
>> This seemed to solve the problem. But after a reboot the denials are 
>> back. I assume the boolean is not carried across a reboot.
>>
>> If my assumption is correct - where is the recommended place to put the:
>>
>> setsebool -P samba_enable_home_dirs=1
>>
>> command?
>> Should I create a local policy module and put it there - or is there 
>> some other recommended place? If anyone can point me to a recommended 
>> procedure ...
>>
>> Thanks
>>
>> Richard.
>
> You've done what you needed to do already - the -P option makes the 
> boolean persist across reboots.
>
>> Summary:
>>
>> SELinux is preventing the samba daemon from reading users' home 
>> directories.
>
> This summary is actually slightly misleading in this case.
>
>> Detailed Description:
>>
>> [SELinux is in permissive mode, the operation would have been denied 
>> but was
>> permitted due to permissive mode.]
>>
>> SELinux has denied the samba daemon access to users' home 
>> directories. Someone
>> is attempting to access your home directories via your samba daemon. 
>> If you only
>> setup samba to share non-home directories, this probably signals a 
>> intrusion
>> attempt. For more information on SELinux integration with samba, look 
>> at the
>> samba_selinux man page. (man samba_selinux)
>>
>> Allowing Access:
>>
>> If you want samba to share home directories you need to turn on the
>> samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
>>
>> The following command will allow this access:
>>
>> setsebool -P samba_enable_home_dirs=1
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:smbd_t
>> Target Context                user_u:object_r:spamassassin_home_t
>> Target Objects                ./.spamassassin [ dir ]
>> Source                        smbd
>> Source Path                   /usr/sbin/smbd
>> Port                          <Unknown>
>> Host                          C5.aardvark.com.au
>> Source RPM Packages           samba-3.0.28-1.el5_2.1
>> Target RPM Packages
>> Policy RPM                    selinux-policy-2.4.6-203.el5
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Permissive
>> Plugin Name                   samba_enable_home_dirs
>> Host Name                     C5.aardvark.com.au
>> Platform                      Linux C5.aardvark.com.au 
>> 2.6.18-92.1.22.el5 #1 SMP
>>                              Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
>> Alert Count                   2
>> First Seen                    Tue 13 Jan 2009 10:59:19 PM WST
>> Last Seen                     Tue 13 Jan 2009 10:59:23 PM WST
>> Local ID                      70f6525d-ce9d-40a4-a558-c3db06781ae9
>> Line Numbers
>>
>> Raw Audit Messages
>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): 
>> avc:  denied  { search } for  pid=8841 comm="smbd" 
>> name=".spamassassin" dev=dm-0 ino=26155019 
>> scontext=system_u:system_r:smbd_t:s0 
>> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): 
>> avc:  denied  { getattr } for  pid=8841 comm="smbd" 
>> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 
>> scontext=system_u:system_r:smbd_t:s0 
>> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>>
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): 
>> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 
>> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 
>> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 
>> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" 
>> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
>>
>
> These denials are all for the ~/.spamassassin directory and its 
> contents, not the home directory in general. Browsing the majority of 
> the home directory would work just fine in enforcing mode.
>
> Paul.
>
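To check Paul's point for yourself (that every denial targets the ~/.spamassassin tree, labelled spamassassin_home_t, rather than home directories in general), here is an added example that is not from the thread: a small shell function that summarises raw audit AVC records by source type, target type, object class and permission. The sample records are constructed from the ones quoted above, one record per line as they appear in /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# Summarise "avc: denied" records by (source type, target type, class, perm),
# so it is obvious which SELinux types smbd is actually being denied on.
# Reads one audit record per line on stdin; prints "<count> <summary>" lines.
avc_summary() {
    awk '
    /avc: +denied/ {
        perm = ""; sctx = ""; tctx = ""; cls = ""
        # the permission is the word between "{ " and " }"
        if (match($0, /\{ *[a-z_]+ *\}/)) {
            perm = substr($0, RSTART, RLENGTH)
            gsub(/[{} ]/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") sctx = kv[2]
            else if (kv[1] == "tcontext") tctx = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        # the third colon-separated field of a context is its type
        split(sctx, s, ":"); stype = s[3]
        split(tctx, t, ":"); ttype = t[3]
        if (stype != "" && ttype != "" && cls != "" && perm != "")
            count[stype " -> " ttype " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Constructed sample, based on the records quoted in the thread (the search
# denial is repeated, as it was in the setroubleshoot report); the SYSCALL
# record is ignored because it is not an AVC denial.
SAMPLE_AVC='type=AVC msg=audit(1231855163.997:6624): avc:  denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1231855163.997:6624): avc:  denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1231855163.997:6624): avc:  denied  { getattr } for  pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1231855163.997:6624): arch=c000003e syscall=4 success=yes exit=0 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0'

# Run it on the sample; in practice: avc_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

If the only target types listed are spamassassin_home_t, the samba_enable_home_dirs boolean is not what is being tested; after a reboot, `getsebool samba_enable_home_dirs` confirms that the -P setting survived.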