Bug 1120331
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/smbd from read access on the directory . |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | neil.boemio |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Dalibor Pospíšil <dapospis> |
| Severity | medium |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.0 |
| CC | dapospis, gdeschner, jrivera, mmalik, neil.boemio, sbose |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.13.1-14.el7 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2015-03-05 10:42:15 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | smb.conf (attachment 944324) |
Description
neil.boemio
2014-07-16 18:39:17 UTC
I tried creating and deleting a file (from my Windows machine) and got this similar message: SELinux is preventing /usr/sbin/smbd from getattr access on the directory .

FYI ... I was able to create and delete just fine.

Not sure if this is related to the issue, but one thing I noticed is that when I create a file, it does not actually show the change on my Windows machine. I have to refresh in order to see the file. Same thing with deleting. After I delete a file, it still shows in Explorer until I refresh. This did not happen when I was on RHEL 6.5. It seems that maybe RHEL 7 (or Samba) is not automatically sending back the updated file/directory info to the client? Just a guess. Any ideas on this?

(Please note that there is no samba4 component in RHEL7 anymore)

Please check if all directories you are sharing with Samba are labeled public_content_t or public_content_rw_t, see 'man samba_selinux' for details.

To find out the specific directory related to the SELinux message please take the inode number from the message (ino=135892241) and use this number with find on the filesystem on the device dm-0 (I guess it is your / file system), e.g.:

    find / -inum 135892241

HTH

So I took a look at two recent alerts I just got a few minutes ago and the inode numbers show the following:

    [root@intertest2nyc ~]# find / -inum 4026531857
    /proc/irq
    [root@intertest2nyc ~]# find / -inum 1158
    /sys/fs/pstore
    /sys/bus/node/devices

But I'm not navigating to ANY of these directories. Why would it alert about them? I don't understand.

Ah, sorry, /proc and /sys are on different file systems, please retry with

    find / -xdev -inum 135892241

Btw, to check if dm-0 from the SELinux message is really your / file system you can call

    findmnt /dev/dm-0

    [root@intertest2nyc /]# findmnt /dev/dm-0
    TARGET SOURCE                FSTYPE OPTIONS
    /      /dev/mapper/rhel-root xfs    rw,relatime,seclabel,attr2,inode64,noquota

This comes up with no results:

    [root@intertest2nyc /]# find / -xdev -inum 298249
    [root@intertest2nyc /]#

Reassigning to selinux-policy to see if they have additional ideas about how to figure out which directory causes the issue.

Why does smbd need to access the /etc/selinux/targeted/contexts directory?

    # matchpathcon /etc/selinux/targeted/contexts/
    /etc/selinux/targeted/contexts system_u:object_r:default_context_t:s0
    # sesearch -s smbd_t -t default_context_t -c dir -p read -A -C
    #

Can you please attach your smb.conf file. Are you sharing or /etc or sub-directories of /etc by chance?

Not sharing these. Attached smb.conf

Created attachment 944324 [details]
smb.conf

Thank you, so you are basically exporting home directories. I assume you have called 'setsebool -P samba_enable_home_dirs on' as recommended in the header of the smb.conf. Can you check if there are files in one of the home directories with a default_context_t label by calling

    find /your/home/directory/path -context '*default_context_t*'

I actually didn't have samba_enable_home_dirs set. But I set that and I still get the alerts.

One thing I should have mentioned which is probably not a usual setup, is that for my account, I have my home directory set to / so that I can get to everything on the server. Maybe this has something to do with the alerts? Is there a different way to configure this which would still allow me access to all directories?

    [root@interdevnyc /]# find / -context '*default_context_t*'
    /etc/selinux/targeted/contexts
    /etc/selinux/targeted/contexts/customizable_types
    /etc/selinux/targeted/contexts/dbus_contexts
    /etc/selinux/targeted/contexts/default_contexts
    /etc/selinux/targeted/contexts/default_type
    /etc/selinux/targeted/contexts/failsafe_context
    /etc/selinux/targeted/contexts/initrc_context
    /etc/selinux/targeted/contexts/lxc_contexts
    /etc/selinux/targeted/contexts/removable_context
    /etc/selinux/targeted/contexts/securetty_types
    /etc/selinux/targeted/contexts/sepgsql_contexts
    /etc/selinux/targeted/contexts/systemd_contexts
    /etc/selinux/targeted/contexts/userhelper_context
    /etc/selinux/targeted/contexts/users
    /etc/selinux/targeted/contexts/users/guest_u
    /etc/selinux/targeted/contexts/users/root
    /etc/selinux/targeted/contexts/users/staff_u
    /etc/selinux/targeted/contexts/users/sysadm_u
    /etc/selinux/targeted/contexts/users/unconfined_u
    /etc/selinux/targeted/contexts/users/user_u
    /etc/selinux/targeted/contexts/users/xguest_u
    /etc/selinux/targeted/contexts/virtual_domain_context
    /etc/selinux/targeted/contexts/virtual_image_context
    /etc/selinux/targeted/contexts/x_contexts
    /etc/selinux/targeted/contexts/netfilter_contexts

This is indeed special and most probably the cause of the SELinux alerts you are seeing. Even if you do not access those files directly there might be tasks running on the client, e.g. indexers, which crawl through all directories. Please try to set the SELinux boolean samba_export_all_ro or samba_export_all_rw as mentioned in the header of smb.conf or in the samba_selinux man page.

I already have samba_export_all_rw turned on.

We should dontaudit them.

commit 15647b4c9570dbd9e81d96bcb95ae4bb7e40d3f1
Author: Miroslav Grepl <mgrepl>
Date:   Mon Oct 13 12:19:31 2014 +0200

    Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files.

commit b93113879fe766cdc37878bf44afe466874e3981
Author: Miroslav Grepl <mgrepl>
Date:   Mon Dec 1 10:37:27 2014 +0100

    dontaudit list security dirs for samba domain.

commit 478d4843a664fcb34c5399048a83719db0608769
Author: Miroslav Grepl <mgrepl>
Date:   Fri Dec 12 15:58:56 2014 +0100

    Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html
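The localisation procedure worked out in this thread (take ino= and dev= from the AVC record, confirm the device's mount point with findmnt, then search only that filesystem with find -xdev -inum) as one script. This is an added example and not part of the bug report: the AVC record is constructed, and the function names and the optional mount-point override argument are this example's own.

```shell
#!/bin/sh
# Constructed AVC record in the shape of the denial discussed in this bug
# (smbd_t reading a default_context_t directory). Not a real log line.
SAMPLE_AVC='type=AVC msg=audit(1405535957.123:456): avc:  denied  { read } for  pid=2345 comm="smbd" name="contexts" dev="dm-0" ino=135892241 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0'

# Extract one key=value field from an AVC record; quotes around the value are
# optional. Prints nothing when the field is absent.
avc_field() {
    # $1 = AVC record, $2 = field name (ino, dev, comm, ...)
    printf '%s\n' "$1" | sed -n 's/.*[ (]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# Map the dev="..." value to its mount point with findmnt, as the thread
# suggests (dm-0 turned out to be / in the report).
mount_for_dev() {
    findmnt -n -o TARGET "/dev/$1"
}

# Resolve an AVC denial to the object it names: take ino= and dev= from the
# record, look up the device's mount point, then search that one filesystem
# (-xdev) for the inode. An optional second argument overrides the mount
# point (e.g. when the record came from another machine, or for testing).
locate_avc_target() {
    record=$1
    ino=$(avc_field "$record" ino)
    dev=$(avc_field "$record" dev)
    if [ -z "$ino" ] || [ -z "$dev" ]; then
        echo "record has no ino= or dev= field" >&2
        return 1
    fi
    mnt=${2:-$(mount_for_dev "$dev")}
    if [ -z "$mnt" ]; then
        echo "no mount point found for /dev/$dev" >&2
        return 1
    fi
    # Same query the thread arrived at: find <mountpoint> -xdev -inum <ino>
    find "$mnt" -xdev -inum "$ino" 2>/dev/null
}

# Usage: sh avc_locate.sh "$(grep avc: /var/log/audit/audit.log | tail -n 1)"
if [ "$#" -gt 0 ]; then
    locate_avc_target "$@"
fi
```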