Description of problem:
SELinux is preventing /usr/sbin/smbd from execute_no_trans access on the file /usr/sbin/smbd
See AVC messages from /var/log/audit/audit.log below:
######
type=AVC msg=audit(1429776701.633:1187): avc: denied { execute_no_trans } for pid=9815 comm="S30samba-stop.s" path="/usr/sbin/smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1429776701.633:1187): arch=c000003e syscall=59 success=yes exit=0 a0=fe9ae0 a1=fe85f0 a2=fe8160 a3=18 items=0 ppid=9814 pid=9815 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
######
Version-Release number of selected component (if applicable):
#####
glusterfs-fuse-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-cli-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-server-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-libs-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-api-3.7dev-0.1009.git8b987be.el6.x86_64
samba-vfs-glusterfs-4.1.17-4.el6rhs.x86_64
#####
How reproducible: Always
Steps to Reproduce:
1. Install the RHEL6 glusterfs 3.7 nightly builds from http://download.gluster.org/pub/gluster/glusterfs/nightly/glusterfs-3.7/epel-6-x86_64/
2. Create a volume and start it
3. Check for the AVC's in /var/log/audit/audit.log
.
Actual results: Above mentioned AVC is seen in the logs.
Expected results: If you want to ignore smbd trying to execute_no_trans access the smbd file, because you believe it should not need this access, please consider fixing it.
Install RHEL6.7
Install gluster rpms for RHGS3.1
Install samba rpms for RHGS3.1
create volume and start the volume
Start smb service
glusterfs-3.7.0-3.el6rhs.x86_64
samba-4.1.17-5.el6rhs.x86_64
selinux-policy-3.7.19-271.el6.noarch
selinux-policy-targeted-3.7.19-271.el6.noarch
selinux-policy-mls-3.7.19-271.el6.noarch
There are no AVC's seen in audit log after starting the volume and starting smb service.Moving the BZ to verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2015-1495.html