Bug 166576

Summary: avc denied messages for samba
Product: [Fedora] Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NEXTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Docs Contact:
Priority: medium
Version: 5
CC: walt
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: 1.27.1-2.22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-02-14 15:17:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Orion Poplawski 2005-08-23 15:08:16 UTC
Description of problem:
I'm seeing the following messages.  I'm not sure whether they are preventing
anything necessary for samba functionality or not, but it seems there should at
least be a dontaudit line.

Aug 22 12:03:07 alexandria kernel: audit(1124733787.167:2646): avc:  denied  { getattr } for  pid=5212 comm="smbd" name="/" dev=md1 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:boot_t tclass=dir
Aug 22 12:03:07 alexandria kernel: audit(1124733787.168:2647): avc:  denied  { getattr } for  pid=5212 comm="smbd" name="/" dev=dm-8 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
Aug 22 12:03:07 alexandria kernel: audit(1124733787.168:2648): avc:  denied  { getattr } for  pid=5212 comm="smbd" name="/" dev=devpts ino=1 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:devpts_t tclass=dir
Aug 22 12:53:36 alexandria kernel: audit(1124736816.213:2649): avc:  denied  { getattr } for  pid=5212 comm="smbd" name="/" dev=tmpfs ino=5857 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:tmpfs_t tclass=dir


I use tmpfs for /tmp too.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-12

How reproducible:
Regularly

Comment 1 Daniel Walsh 2005-08-25 13:30:20 UTC
Fixed in selinux-policy-targeted-1.25.4-10

Comment 2 Walter Justen 2005-08-30 06:10:12 UTC
Thanks for the bug report. This particular bug was fixed and an update package
was published for download. Please feel free to report any further bugs you find.

Comment 3 Orion Poplawski 2005-10-05 16:55:47 UTC
More similar errors with selinux-policy-targeted-1.27.1-2.3.

type=AVC msg=audit(1128531131.967:62328): avc:  denied  { quotaget } for  pid=31250 comm="smbd" scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:fs_t tclass=filesystem
type=AVC msg=audit(1128531157.196:62333): avc:  denied  { getattr } for  pid=10164 comm="smbd" name="/" dev=rpc_pipefs ino=5168 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
type=AVC msg=audit(1128531131.107:62323): avc:  denied  { getattr } for  pid=10164 comm="smbd" name="/" dev=binfmt_misc ino=4162 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
type=AVC msg=audit(1128531131.051:62319): avc:  denied  { getattr } for  pid=10164 comm="smbd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:tftpdir_t tclass=dir
type=AVC msg=audit(1128531131.051:62320): avc:  denied  { getattr } for  pid=10164 comm="smbd" name="/" dev=dm-5 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:mail_spool_t tclass=dir


Comment 4 Daniel Walsh 2005-10-05 17:11:56 UTC
The only one that I see as significant is the quotaget.  Do you have quota
turned on?


Any idea why smbd is getattr all these directories?



Comment 5 Orion Poplawski 2005-10-05 17:16:46 UTC
Quotas on the following:

/dev/mapper/rootvg-mail on /var/spool/mail type ext3 (rw,usrquota)
/dev/sdc1 on /export/home0 type ext3 (rw,usrquota)
/dev/sdd1 on /export/home1 type ext3 (rw,usrquota)

Really no idea on the getattr.  Perhaps it's just running through all the
mounts?  We're not sharing /var/spool/mail or any of the others listed in the
denied messages.

# mount
/dev/mapper/rootvg-root on / type ext3 (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/md2 on /boot type ext3 (rw)
none on /dev/shm type tmpfs (rw)
/dev/mapper/rootvg-local on /export/local type ext3 (rw)
/dev/mapper/rootvg-tftpboot on /tftpboot type ext3 (rw)
/dev/mapper/rootvg-usr on /usr type ext3 (rw)
/dev/mapper/rootvg-var on /var type ext3 (rw)
/dev/mapper/rootvg-mail on /var/spool/mail type ext3 (rw,usrquota)
tmpfs on /tmp type tmpfs (rw)
/dev/sdc1 on /export/home0 type ext3 (rw,usrquota)
/dev/sdd1 on /export/home1 type ext3 (rw,usrquota)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
none on /var/named/chroot/proc type proc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
automount(pid1729) on /home type autofs (rw,fd=4,pgrp=1729,minproto=2,maxproto=4)
automount(pid1752) on /data type autofs (rw,fd=4,pgrp=1752,minproto=2,maxproto=4)
automount(pid1819) on /data4 type autofs (rw,fd=4,pgrp=1819,minproto=2,maxproto=4)
automount(pid1893) on /opt type autofs (rw,fd=4,pgrp=1893,minproto=2,maxproto=4)
automount(pid1972) on /fs type autofs (rw,fd=4,pgrp=1972,minproto=2,maxproto=4)
/export/local on /opt/local type none (rw,bind)
nfsd on /proc/fs/nfsd type nfsd (rw)


Comment 6 Daniel Walsh 2005-10-17 18:14:51 UTC
Fixed in selinux-policy-*-1.27.1-2.6


Comment 7 Orion Poplawski 2005-10-20 16:21:46 UTC
Still getting some similar messages:

Oct 20 08:58:24 alexandria kernel: audit(1129820304.735:3888): avc:  denied  { getattr } for  pid=6213 comm="smbd" name="/" dev=selinuxfs ino=292 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:security_t tclass=dir
Oct 20 08:58:24 alexandria kernel: audit(1129820304.735:3889): avc:  denied  { getattr } for  pid=6213 comm="smbd" name="/" dev=usbfs ino=2873 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:usbfs_t tclass=dir


Comment 8 Russell Coker 2006-03-20 11:18:22 UTC
Version 1.27.1-2.22 has a fix for this.  

Comment 9 Orion Poplawski 2006-11-30 16:39:46 UTC
Still seeing some of this on FC5 with selinux-policy-2.4.5-4.fc5:

type=AVC msg=audit(1164863966.810:359193): avc:  denied  { getattr } for  pid=20025 comm="smbd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=dir
type=AVC msg=audit(1164863966.810:359194): avc:  denied  { getattr } for  pid=20025 comm="smbd" name="/" dev=dm-5 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir

/tftpboot and /var/spool/mail are separate filesystems.  They aren't shared by
samba.

Comment 10 Daniel Walsh 2007-02-14 15:17:52 UTC
All of these bugs should be fixed in FC6.  You could attempt to use the FC6
policy on FC5 or upgrade.  Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log

and build a local customized policy.
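The triage in comments 3 and 4 (mount-point getattr denials are noise, quotaget is the one that matters) and the local-module route in comment 10 can be shown together in a small script. This is an added example, not part of the bug report and not audit2allow or selinux-policy code: it parses both AVC line formats that appear in the thread (syslog "kernel: audit(...)" and auditd "type=AVC msg=audit(...)"), counts denials per source type, target type, class and permission, and drafts a .te module that dontaudits only getattr on a filesystem root ("/" on some device) while leaving everything else as a commented line for human review. The sample log is constructed from values in the report (one message per line, as auditd and syslog actually write them; the tracker wrapped the originals), and the module name localsmb is an assumption. Unlike audit2allow, which emits allow rules for every denial it sees, this deliberately never writes an allow rule.

```python
"""Triage SELinux AVC denials and draft a local policy module (added example)."""
import re
from collections import Counter

# "avc: denied { perm ... } for key=value ..." in either syslog or auditd framing.
AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input modelled on the report; not a real capture.
SAMPLE_LOG = """\
Aug 22 12:03:07 alexandria kernel: audit(1124733787.167:2646): avc:  denied  { getattr } for  pid=5212 comm="smbd" name="/" dev=md1 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:boot_t tclass=dir
type=AVC msg=audit(1128531131.967:62328): avc:  denied  { quotaget } for  pid=31250 comm="smbd" scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:fs_t tclass=filesystem
type=AVC msg=audit(1164863966.810:359193): avc:  denied  { getattr } for  pid=20025 comm="smbd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=dir
type=AVC msg=audit(1164863966.810:359194): avc:  denied  { getattr } for  pid=20025 comm="smbd" name="/" dev=dm-5 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
Oct 20 08:58:24 alexandria kernel: audit(1129820304.735:3889): avc:  denied  { getattr } for  pid=6213 comm="smbd" name="/" dev=usbfs ino=2873 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:usbfs_t tclass=dir
"""


def context_type(ctx):
    """Type field of a context, with or without a trailing MLS level (:s0)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC message into a dict; None for non-AVC or truncated lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # do not guess at a truncated message
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def parse_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r["action"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["stype"], r["ttype"], r["tclass"], perm)] += 1
    return counts


def is_mountpoint_noise(rec, perm):
    """getattr on a filesystem root: the daemon is only stat()ing mount points."""
    return perm == "getattr" and rec.get("tclass") == "dir" and rec.get("name") == "/"


def render_te(records, module="localsmb"):
    """Draft a .te: dontaudit for mount-point noise, a REVIEW comment for the rest."""
    quiet, review = set(), set()
    for r in records:
        if r["action"] != "denied":
            continue
        for perm in r["perms"]:
            key = (r["stype"], r["ttype"], r["tclass"], perm)
            (quiet if is_mountpoint_noise(r, perm) else review).add(key)
    types = sorted({t for k in quiet | review for t in k[:2]})
    classes = {}
    for _, _, tclass, perm in quiet | review:
        classes.setdefault(tclass, set()).add(perm)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"dontaudit {s} {t}:{c} {p};" for s, t, c, p in sorted(quiet)]
    out += [f"# REVIEW before allowing: {s} {t}:{c} {p}" for s, t, c, p in sorted(review)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items()):
        print(n, *key)
    print(render_te(recs))
```

Run against a real /var/log/audit/audit.log the drafted module still goes through the usual checkmodule, semodule_package and semodule steps, and the REVIEW lines are the point: a quotaget denial on fs_t is a functional failure to investigate (is quota actually needed on a share?), not something to silence with a dontaudit, whereas a daemon stat()ing the root of every mount it does not export is exactly the case the reporter wanted a dontaudit for.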