Bug 188367

Summary: selinux blocks create dir for smbd
Product: [Fedora] Fedora
Reporter: Toby Ovod-Everett <toby>
Component: selinux-policy
Assignee: Russell Coker <rcoker>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 5
CC: dwalsh, jplans
Hardware: ia64
OS: Linux
Fixed In Version: -2.2.34-3.fc5
Doc Type: Bug Fix
Last Closed: 2006-05-01 20:14:31 UTC

Description Toby Ovod-Everett 2006-04-08 16:11:56 UTC
Description of problem:
I have home directories shared out via Samba and everything works except that 
the creation and removal of directories is blocked by selinux

Version-Release number of selected component (if applicable):
system-config-samba-1.2.34-1
samba-client-3.0.22-1.fc5
samba-3.0.22-1.fc5
samba-common-3.0.22-1.fc5
selinux-policy-targeted-2.2.25-3.fc5
libselinux-1.30-1.fc5
libselinux-python-1.30-1.fc5
selinux-policy-2.2.25-3.fc5
libselinux-1.30-1.fc5

How reproducible:
Happens every time I try to md or rd from my Windows XP SP2 box via Samba.  
There are entries in the /var/log/messages indicating that the attempt was 
denied by selinux.


Steps to Reproduce:
1. Install FC5 ia64 including Samba

2. Configure Samba as follows:
* Modify the following lines in /etc/samba/smb.conf:
    workgroup = OVOD-EVERETT
* Append the following line after the existing hosts allow line:
   hosts allow = 192.168.0. 127.
* Append the following line to the "[homes]" section:
   hide files = /Thumbs.db*/desktop.ini/
* Run system-config-securitylevel:
  * On the SELinux tab:
    * Open "Modify SELinux Policy"
    * Under Samba, check "Allow Samba to share users home directories"
* Go to System->Administration->Server Settings->Services
  * Go to Edit Runlevel->Runlevel All
  * Check "smb" in all three columns
  * Click "Save"
* Reboot (or start smb service)

3. Mount a user's home directory from Win XP SP2 box

4. Attempt to create or remove a directory

5. Observe the following in the /var/log/messages file:

Apr  8 08:01:57 vin kernel: audit(1144512117.816:21): avc:  denied  { create } 
for  pid=2511 comm="smbd" name="foo" scontext=system_u:system_r:smbd_t:s0 
tcontext=system_u:object_r:user_home_t:s0 tclass=dir
Apr  8 08:15:37 vin kernel: audit(1144512937.506:22): avc:  denied  { rmdir } 
for  pid=2511 comm="smbd" name="foo" dev=sda1 ino=7678492 
scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 
tclass=dir

6. Note that directory creation and removal works fine when logged in via sshd.

7. Note that file creation and removal works fine via Samba.

Actual results:
Cannot create or remove directories via Samba.

Expected results:
Can create or remove directories via Samba.

Additional info:
I'm not sure whether this gets addressed via the samba team or the selinux 
team.  I guessed samba because it is my understanding that the selinux policy 
is now modular, but if I'm wrong please reassign as appropriate.

Comment 1 Jonathan Underwood 2006-04-25 12:22:25 UTC
I see this too (on i386):

selinux-policy-targeted-2.2.29-3.fc5
selinux-policy-2.2.29-3.fc5
samba-common-3.0.22-1.fc5
samba-3.0.22-1.fc5
audit(1145962448.002:180): avc:  denied  { getattr } for  pid=25069 comm="smbd"
name=".Xauthority" dev=hda5 ino=10846572 scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
audit(1145962468.107:181): avc:  denied  { create } for  pid=25069 comm="smbd"
name=4E657720466F6C646572 scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:user_home_t:s0 tclass=dir
audit(1145962468.111:182): avc:  denied  { create } for  pid=25069 comm="smbd"
name=4E657720466F6C646572 scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:user_home_t:s0 tclass=dir
audit(1145962468.111:183): avc:  denied  { create } for  pid=25069 comm="smbd"
name=4E657720466F6C64657220283229 scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:user_home_t:s0 tclass=dir
audit(1145962468.115:184): avc:  denied  { create } for  pid=25069 comm="smbd"
name=4E657720466F6C64657220283229 scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:user_home_t:s0 tclass=dir

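The denials quoted in the description and in this comment can be triaged mechanically. The following Python is an added example (not code from this bug or from the selinux-policy package): it parses AVC lines of this shape, decodes the hex-encoded name= values the audit subsystem emits for names containing spaces (the "New Folder" entries above), and tallies denials by source type, target type, object class and permission. The sample log is constructed from the lines quoted in this bug, re-joined one per line.

```python
import re
from collections import Counter
# Constructed sample: the AVC denials quoted in this bug, re-joined one per line.
SAMPLE_LOG = """\
Apr  8 08:01:57 vin kernel: audit(1144512117.816:21): avc:  denied  { create } for  pid=2511 comm="smbd" name="foo" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
Apr  8 08:15:37 vin kernel: audit(1144512937.506:22): avc:  denied  { rmdir } for  pid=2511 comm="smbd" name="foo" dev=sda1 ino=7678492 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
audit(1145962448.002:180): avc:  denied  { getattr } for  pid=25069 comm="smbd" name=".Xauthority" dev=hda5 ino=10846572 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
audit(1145962468.107:181): avc:  denied  { create } for  pid=25069 comm="smbd" name=4E657720466F6C646572 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
audit(1145962468.111:183): avc:  denied  { create } for  pid=25069 comm="smbd" name=4E657720466F6C64657220283229 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_name(raw):
    """audit prints name= as a bare hex string when the file name contains a
    space or other character it will not emit literally; quoted names are literal."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    except ValueError:
        return raw  # not hex either: leave the raw token alone

def parse_avc(line):
    """Return the denied permissions and key fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group('fields')))
    return {'perms': m.group('perms').split(),
            'name': decode_name(fields.get('name', '')),
            'scontext': fields.get('scontext', ''),
            'tcontext': fields.get('tcontext', ''),
            'tclass': fields.get('tclass', '')}

def summarize(log_text):
    """Count denials by (source type, target type, class, permission), which is
    the access vector a policy fix has to allow (here smbd_t -> user_home_t:dir)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype = rec['scontext'].split(':')[2]  # third field of a context is the type
        ttype = rec['tcontext'].split(':')[2]
        for perm in rec['perms']:
            counts[(stype, ttype, rec['tclass'], perm)] += 1
    return counts
```

Running summarize(SAMPLE_LOG) groups the reports into three access vectors: smbd_t creating and removing user_home_t directories, and smbd_t reading attributes of a user_home_dir_t file.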

Comment 2 Jonathan Underwood 2006-04-25 12:42:04 UTC
Note: the arch for this bug needs changing from ia64 to ALL.

Comment 3 Daniel Walsh 2006-04-25 13:42:04 UTC
Fixed in selinux-policy-2.2.34-3.fc5

Comment 4 Toby Ovod-Everett 2006-04-27 15:39:44 UTC
selinux-policy 2.2.34-3.fc5 downloaded to my machine this morning and the 
problem definitely appears to be resolved.  Thanks!