Bug 144959

Summary: Samba capability issues
Product: [Fedora] Fedora Reporter: Ivan Gyurdiev <ivg231>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-01-20 18:37:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ivan Gyurdiev 2005-01-13 00:30:40 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
audit(1105575656.361:0): avc:  denied  { dac_override } for  pid=6705
exe=/usr/sbin/smbd capability=1 scontext=user_u:system_r:smbd_t
tcontext=user_u:system_r:smbd_t tclass=capability

audit(1105575656.361:0): avc:  denied  { dac_read_search } for 
pid=6705 exe=/usr/sbin/smbd capability=2
scontext=user_u:system_r:smbd_t tcontext=user_u:system_r:smbd_t
tclass=capability

===========

I think I'll go give strict policy another shot... let's 
see how that goes...




Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.20.1-3

How reproducible:
Always

Steps to Reproduce:
1. See summary    

Additional info:
Comment 1 Ivan Gyurdiev 2005-01-13 00:34:23 UTC 
"I think I'll go give strict policy another shot... let's 
see how that goes..."

Maybe not - where are all the booleans for samba home dirs, etc..
Strict policy has a lot less boleans shown under samba-security-level.
Comment 2 Daniel Walsh 2005-01-13 01:14:59 UTC 
Run it in permissive mode for a while and then give me the AVC Messages.
I have added the dac permissions.

Dan
Comment 3 Ivan Gyurdiev 2005-01-13 01:53:18 UTC 
What am I looking for?
I tried reading/writing/creating/deleting files and directories,
looking at content from windows, mounting shares, and doing
nmblookup - nothing out of the usual... or should I leave it on 
for a longer time.. 

Actually I can't really reproduce the dac messages consistently
anymore either. They used to show up when I restarted smb, but now
they don't, and I just saw a single case of dac_override.
Comment 4 Ivan Gyurdiev 2005-01-13 02:05:31 UTC 
...or did you just want me to test the strict policy in permissive mode? 

Sorry if I misunderstood :)
Comment 5 Daniel Walsh 2005-01-13 14:36:24 UTC 
Yes I want you to run all your tests in permissive mode and then get
me the AVC messages.  That way I am not fixing them one at a time.  
But it looks like you already did most of the testing and all you
found is the two dac errors.

Dan
Comment 6 Ivan Gyurdiev 2005-01-13 18:25:30 UTC 
Yes, I have seen no other errors. 

Why doesn't the strict policy 
show all the booleans (and smbd_enable_home_dirs in particular)?
Is that intentional?
Comment 7 Daniel Walsh 2005-01-13 18:42:06 UTC 
getsebool -a 

should show all booleans