Bug 146557

Summary: Samba and getattr / file browsers
Product: [Fedora] Fedora Reporter: Ivan Gyurdiev <ivg231>
Component: selinux-policy-strictAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-02-04 16:28:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ivan Gyurdiev 2005-01-29 16:41:04 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
I get getattr denials for all the restricted types in my 
home directory. That's because browsing applications get 
inside a folder they can get to and try to getattr on everything
there. That's common to nautilus, mplayer (it has a file
browser), probably mozilla and anything that can browse 
around. That include samba. All I did was mount my home 
directory, and ls inside, and I got about 20 denials 
for various types there. 

For mplayer I did:

dontaudit $1_mplayer_t file_type:dir_file_class_set { getattr };

Is this wrong? There should be a standard way of 
solving this problem - maybe a macro that can be used
for all those applications.

Also, what exactly is the difference between an allow rule
and a dontaudit rule?


Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.5-2

How reproducible:
Always

Steps to Reproduce:
1. See summary    

Additional info:
Comment 1 Ivan Gyurdiev 2005-01-29 23:37:55 UTC 
For example, why is the following necessary?
It makes sense to me that I should be able to see all the info.
Why not make a macro for such things that does not audit getattr.

[phantom@cobra ~]$ ls -lZ /var
?---------  ?        ?                                         account
drwxr-xr-x  root     root     system_u:object_r:var_t          cache
drwxr-xr-x  root     root     system_u:object_r:var_t          db
drwxr-xr-x  root     root     system_u:object_r:var_t          empty
?---------  ?        ?                                         gdm
drwxr-xr-x  root     root     system_u:object_r:var_lib_t      lib
drwxr-xr-x  root     root     system_u:object_r:var_t          local
?---------  ?        ?                                         lock
drwxr-xr-x  root     root     system_u:object_r:var_log_t      log
?---------  ?        ?                                         mail
?---------  ?        ?                                         named
drwx------  root     root     system_u:object_r:var_t          net-snmp
drwxr-xr-x  root     root     system_u:object_r:var_t          nis
drwxr-xr-x  root     root     system_u:object_r:var_t          opt
drwxr-xr-x  root     root     system_u:object_r:var_t          preserve
drwxr-xr-x  root     root     system_u:object_r:var_run_t      run
drwxr-xr-x  root     root     system_u:object_r:var_spool_t    spool
drwxrwxrwt  root     root     system_u:object_r:tmp_t          tmp
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t www
?---------  ?        ?                                         yp
Comment 2 Daniel Walsh 2005-01-31 20:51:52 UTC 
This should be brought up for discussion on the selinux list.

Also, what exactly is the difference between an allow rule
and a dontaudit rule?

Allow allows the action to happen.  Dontaudit does not allow the action to
happen but doesn't audit it.

I am not sure what the best thing to do here is.  By using the dontaudit, you
could loose valuable security information.  IE a rogue app searching your file
system.
Comment 3 Ivan Gyurdiev 2005-02-04 16:28:11 UTC 
Closed (for now :)