Samba AVC

yersinia yersinia.spiros at gmail.com
Wed Sep 30 12:37:22 UTC 2009


On Wed, Sep 30, 2009 at 2:17 PM, Tony Molloy <tony.molloy at ul.ie> wrote:

> On Wednesday 30 September 2009 12:18:17 Dominick Grift wrote:
> > On Wed, Sep 30, 2009 at 10:15:14AM +0100, Tony Molloy wrote:
> > > Hi,
> > >
> > > This is Centos 5.3 fully updated.
> > >
> > > I'm getting the following error from setroubleshoot
> > >
> > >     SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old
> > >     (samba_log_t).
> > >
> > > when samba tries to rotate the log files.
> > >
> > > Running sealert I get the following ( edited )
> > >
> > > Summary:
> > >
> > > SELinux is preventing samba (smbd) "unlink" to ./log.cs244-24.old
> > > (samba_log_t).
> > >
> > > Detailed Description:
> > >
> > > SELinux denied samba access to ./log.cs244-24.old. If you want to share
> > > this directory with samba it has to have a file context label of
> > > samba_share_t. If ^^^^^^^^^^^^^
> > > you did not intend to use ./log.cs244-24.old as a samba repository it
> > > could indicate either a bug or it could signal a intrusion attempt.
> > >
> > > Allowing Access:
> > >
> > > You can alter the file context by executing chcon -R -t samba_share_t
> > > './log.cs244-24.old' You must also change the default file context files
> > > on the system in order to preserve them even on a full relabel. "semanage
> > > fcontext -a -t samba_share_t './log.cs244-24.old'"
> > >
> > > The following command will allow this access:
> > >
> > > chcon -R -t samba_share_t './log.cs244-24.old'
> > >
> > > Additional Information:
> > >
> > > Source Context                root:system_r:smbd_t
> > > Target Context                root:object_r:samba_log_t
> > > Target Objects                ./log.cs244-24.old [ file ]
> > > Source                        smbd
> > > Source Path                   /usr/sbin/smbd
> > > Port                          <Unknown>
> > > Host                          janus.x.y.z
> > > Source RPM Packages           samba-3.0.33-3.7.el5_3.1
> > > Target RPM Packages
> > > Policy RPM                    selinux-policy-2.4.6-203.el5
> > > Selinux Enabled               True
> > > Policy Type                   targeted
> > > MLS Enabled                   True
> > > Enforcing Mode                Enforcing
> > > Plugin Name                   samba_share
> > > Host Name                     janus.x.y.z
> > > Platform                      Linux janus.x.y.z 2.6.18-128.7.1.el5 #1 SMP
> > >                               Mon Aug 24 08:21:56 EDT 2009 x86_64 x86_64
> > > Alert Count                   53
> > > First Seen                    Fri Sep 25 15:54:24 2009
> > > Last Seen                     Tue Sep 29 15:55:25 2009
> > > Local ID                      e4426abc-3b0b-4df2-a380-3f0fba344c63
> > > Line Numbers
> > >
> > > Raw Audit Messages
> > >
> > > host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc:  denied
> > > { unlink } for  pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5
> > > ino=164076 scontext=root:system_r:smbd_t:s0
> > > tcontext=root:object_r:samba_log_t:s0 tclass=file
> > >
> > > host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641):
> > > arch=c000003e syscall=82 success=no exit=-13 a0=2b1b457b5220
> > > a1=7fffa9a7ba90 a2=1f a3=0 items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0
> > > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1675
> > > comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
> > >
> > >
> > > log.cs244-24.old is a file not a directory and it's located in
> > > the /var/log/samba directory with permissions
> > >        system_u:object_r:samba_log_t    samba
> > >
> > > Any ideas,
> >
> > Looks like a valid bug in selinux-policy to me:
> >
> > echo "avc:  denied  { unlink } for  pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5
> > ino=164076 scontext=root:system_r:smbd_t:s0
> > tcontext=root:object_r:samba_log_t:s0 tclass=file" | audit2allow -M mysmbd;
> > /usr/sbin/semodule -i mysmbd.pp
> >
> > Should grant this particular access vector.
> >
>
> Thanks I generated local policy to allow it.
>
Originally, what is the result of this? On my system:

sesearch -s smbd_t -c file --allow | grep samba_log_t
   allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };
   allow smbd_t samba_log_t : file { ioctl read getattr lock };
   allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };

Because I have no problem, and in fact unlink is allowed.

Are you sure you have selinux-policy-targeted installed?

Regards


> Regards,
>
> Tony
> > > Tony
> > >
> > > --
> > >
> > > Dept. of Comp. Sci.
> > > University of Limerick.
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
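An added example, not code from the thread: a small Python script that parses the raw AVC record quoted above and checks the denied permission against sesearch-style allow rules, which is the comparison yersinia made by hand. The sample AVC line and sesearch output are copied from the thread and embedded as constructed input so the script runs offline.

```python
import re

# Sample input taken from the thread (AVC denial and sesearch output), embedded here.
AVC_LINE = ('type=AVC msg=audit(1254236125.438:70641): avc:  denied  { unlink } for  '
            'pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 '
            'scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file')
SESEARCH_OUTPUT = """\
   allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };
   allow smbd_t samba_log_t : file { ioctl read getattr lock };
"""

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
ALLOW_RE = re.compile(r'^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*'
                      r'\{\s*(?P<perms>[^}]+?)\s*\}\s*;')

def parse_avc(line):
    """Extract permissions, source type, target type and class from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    # A context is user:role:type[:range]; allow rules are keyed on the type field only.
    return {"perms": set(m["perms"].split()),
            "stype": m["scontext"].split(":")[2],
            "ttype": m["tcontext"].split(":")[2],
            "tclass": m["tclass"]}

def parse_allow_rules(text):
    """Parse 'allow src tgt : class { perms };' lines as printed by sesearch."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            rules.append((m["src"], m["tgt"], m["cls"], set(m["perms"].split())))
    return rules

def missing_perms(avc, rules):
    """Denied permissions that no allow rule grants for this (source, target, class)."""
    granted = set()
    for src, tgt, cls, perms in rules:
        if (src, tgt, cls) == (avc["stype"], avc["ttype"], avc["tclass"]):
            granted |= perms
    return avc["perms"] - granted

if __name__ == "__main__":
    missing = missing_perms(parse_avc(AVC_LINE), parse_allow_rules(SESEARCH_OUTPUT))
    # An empty set means the loaded policy already allows the access, so the denial
    # must come from a different policy version or another mechanism, not this rule.
    print("permissions not granted by the listed rules:", sorted(missing))
```

Run it against the real output of `sesearch -s smbd_t -t samba_log_t -c file --allow` on the affected host to see whether the denied vector is actually absent from the policy that is loaded there.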