Bug 487021 - Selinux prevents Samba from rotating log files.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE
Reported: 2009-02-23 17:44 UTC by Cale Fairchild
Modified: 2012-10-15 13:56 UTC

Doc Type: Bug Fix
Last Closed: 2009-09-02 08:00:01 UTC
Links: Red Hat Product Errata RHBA-2009:1242 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2009-09-01 08:32:34 UTC

Description Cale Fairchild 2009-02-23 17:44:19 UTC
Description of problem:

It appears that selinux is preventing the Samba daemon from rotating the log files in /var/log/samba. I have not verified what happens once a file is not able to rotate as the AVC filed on the directory access and therefore did not list the name of the file it was trying to rotate.

Version-Release number of selected component (if applicable):

Currently running:
  selinux-policy-targeted-2.4.6-203.el5
  samba-3.0.33-3.7.el5

How reproducible:
  Always active

Steps to Reproduce:

1. Run Samba with selinux enforcing
  
Actual results:

auditd records an AVC denied error as follows:

type=AVC msg=audit(1235182541.483:5744): avc:  denied  { rename } for  pid=14959 comm="smbd" name="log.139.57.100.40" dev=sda1 ino=3963459 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:samba_log_t:s0 tclass=file
type=SYSCALL msg=audit(1235182541.483:5744): arch=c000003e syscall=82 success=no exit=-13 a0=2ba2379c41e0 a1=7fff736a9f70 a2=24 a3=30342e3030312e37 items=0 ppid=3962 pid=14959 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)

Expected results:

Old log rotated and saved for reference, new log started.

Additional info:

Looking at the last time I had a proper log rotation in /var/log/samba I would guess that this has been a problem ever since I went to EL5 back in July. Here is the selinux module that I am currently using to work around this problem. It seems to be working well.

module sambalogs 1.0;

require {
        type file_t;
        type smbd_t;
        type samba_log_t;
        class file { rename unlink };
        class dir getattr;
}

#============= smbd_t ==============
# Lets smbd stat directories that carry the file_t (unlabeled) type.
allow smbd_t file_t:dir getattr;
# Lets smbd rename and remove its own log files during rotation.
allow smbd_t samba_log_t:file { rename unlink };

Comment 1 Daniel Walsh 2009-02-23 18:36:26 UTC
allow smbd_t file_t:dir getattr;

You should never need this since this is an unlabeled file on the machine.

The other samba_log_t bug is fixed in selinux-policy-2.4.6-215.el5

Comment 2 Cale Fairchild 2009-02-24 00:42:09 UTC
Thanks for pointing that out. I have figured out where audit2allow got that rule from and it exposed a mislabeled directory.

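The AVC record from the description and the audit2allow-generated workaround module, worked through as an added example (not code from this bug report or from the selinux-policy package): it parses the denial and the module's allow rules, checks that the rules actually cover the denied permission, and flags any rule granting access to file_t, which Comment 1 identifies as a sign of a mislabeled path rather than a policy gap. The audit line and module text are embedded as constructed copies of what the report quotes; the unlabeled-type list is this example's own assumption.

```python
import re
from dataclasses import dataclass
# Constructed copy of the AVC record quoted in the bug description.
AVC_LINE = (
    'type=AVC msg=audit(1235182541.483:5744): avc:  denied  { rename } for  pid=14959 '
    'comm="smbd" name="log.139.57.100.40" dev=sda1 ino=3963459 '
    'scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:samba_log_t:s0 tclass=file'
)
# The reporter's workaround module, embedded so the example runs offline.
WORKAROUND_TE = """
module sambalogs 1.0;
allow smbd_t file_t:dir getattr;
allow smbd_t samba_log_t:file { rename unlink };
"""
# Objects carrying these types have no real label; an allow rule targeting them
# hides a mislabeled path instead of fixing policy (Comment 1's point). Assumed list.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

@dataclass
class Access:
    stype: str    # source (domain) type, e.g. smbd_t
    ttype: str    # target type, e.g. samba_log_t
    tclass: str   # object class, e.g. file or dir
    perms: set    # permissions denied or granted

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def parse_avc(line):
    """Reduce one audit AVC record to source type, target type, class and perms."""
    perms = set(re.search(r"avc:\s+denied\s+\{\s*([^}]+)\}", line).group(1).split())
    fields = dict(_FIELD_RE.findall(line))
    # A context is user:role:type[:level]; the type is always the third field.
    return Access(fields["scontext"].split(":")[2],
                  fields["tcontext"].split(":")[2], fields["tclass"], perms)

def parse_allow_rules(te_text):
    """Extract the allow rules from a .te module body."""
    return [Access(s, t, c, set(p.strip("{}").split()))
            for s, t, c, p in _ALLOW_RE.findall(te_text)]

def covers(denial, rules):
    """True if some rule grants every permission the denial asked for."""
    return any(r.stype == denial.stype and r.ttype == denial.ttype
               and r.tclass == denial.tclass and denial.perms <= r.perms
               for r in rules)

def mislabel_indicators(rules):
    # Rules that grant access to unlabeled types: relabel the path instead.
    return [r for r in rules if r.ttype in UNLABELED_TYPES]
```

Run against a real audit.log, the same check tells you whether a proposed module closes the denial you saw and whether part of it should be replaced by a restorecon on the mislabeled path.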
Comment 9 errata-xmlrpc 2009-09-02 08:00:01 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html
