Bug 2212518

Summary: SELinux is preventing smbd from 'create' accesses on the directory cores.
Product: [Fedora] Fedora
Reporter: Hilário Fochi Silveira <hilario>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 38
CC: dwalsh, hilario, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---
Flags: hilario: needinfo-
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:26ad8d827a36eb1ca3fe522764a20453ad13ffcfc4cf08585aab2e4a30d58b3a;VARIANT_ID=kde;
Last Closed: 2023-08-04 16:05:03 UTC
Attachments:
File: os_info
File: description

Description Hilário Fochi Silveira 2023-06-05 19:05:39 UTC
Description of problem:
These problems are generated after booting the computer.

semanage fcontext -a -t samba_share_t 'cores'
restorecon  -v 'cores'
restorecon: lstat(/home/default/cores) failed: No such file or directory
SELinux is preventing smbd from 'create' accesses on the diretório cores.

*****  Plugin samba_share (85.5 confidence) suggests   ***********************

Se você quer permitir que smbd tenha acesso create no cores directory
Then você precisa mudar o rótulo em 'cores'
Do
# semanage fcontext -a -t samba_share_t 'cores'
# restorecon  -v 'cores'

*****  Plugin catchall_boolean (13.8 confidence) suggests   ******************

Se você quiser allow samba to export all rw
Then você deve informar o SELinux sobre isso habilitando o booleano 'samba_export_all_rw'.

Do
setsebool -P samba_export_all_rw 1

*****  Plugin catchall (2.16 confidence) suggests   **************************

Se você acredita nisso smbd deve ser permitido create acesso no cores directory por padrão.
Then você deve informar que este é um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
permitir este acesso por agora executando:
# ausearch -c 'smbd' --raw | audit2allow -M my-smbd
# semodule -X 300 -i my-smbd.pp

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                cores [ dir ]
Source                        smbd
Source Path                   smbd
Port                          <Desconhecido>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.15-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.15-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.3.4-201.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat May 27 15:08:36 UTC 2023
                              x86_64
Alert Count                   20
First Seen                    2023-05-21 22:53:01 -03
Last Seen                     2023-06-05 15:44:23 -03
Local ID                      2db60cca-f075-4982-b38d-4951baa419e9

Raw Audit Messages
type=AVC msg=audit(1685990663.97:378): avc:  denied  { create } for  pid=32962 comm="smbd" name="cores" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0


Hash: smbd,smbd_t,var_log_t,dir,create

Version-Release number of selected component:
selinux-policy-targeted-38.15-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.10
reason:         SELinux is preventing smbd from 'create' accesses on the directory cores.
type:           libreport
kernel:         6.3.4-201.fc38.x86_64
component:      selinux-policy
package:        selinux-policy-targeted-38.15-1.fc38.noarch
hashmarkername: setroubleshoot
component:      selinux-policy

Comment 1 Hilário Fochi Silveira 2023-06-05 19:05:41 UTC
Created attachment 1969138
File: os_info

Comment 2 Hilário Fochi Silveira 2023-06-05 19:05:43 UTC
Created attachment 1969139
File: description

Comment 3 Zdenek Pytela 2023-06-06 07:03:29 UTC
Hello,

Is this a result of some configuration change?

Comment 4 Zdenek Pytela 2023-06-06 07:05:23 UTC
Data from the duplicate:
Raw Audit Messages
type=AVC msg=audit(1685990667.113:389): avc:  denied  { create } for  pid=33021 comm="smbd-notifyd" name="samba.smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0

Comment 5 Zdenek Pytela 2023-06-06 07:05:42 UTC
*** Bug 2212520 has been marked as a duplicate of this bug. ***

Comment 6 Hilário Fochi Silveira 2023-06-14 14:16:17 UTC
(In reply to Zdenek Pytela from comment #3)
> Hello,
> 
> Is this a result of some configuration change?

Before seeing this, I applied your solution for this first bug regarding Samba: https://bugzilla.redhat.com/show_bug.cgi?id=2182643

Comment 7 Zdenek Pytela 2023-06-14 19:24:09 UTC
(In reply to Hilário Fochi Silveira from comment #6)
> Before seeing this, I applied your solution for this first bug regarding
> Samba: https://bugzilla.redhat.com/show_bug.cgi?id=2182643

All right, that one addresses one problem. However, in your AVCs, there are "samba.smbd" or "cores" files/dirs which are not present on a common installation, so I wonder if it was some custom configuration change. Unfortunately, the paths for these files are not logged.
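
As an added illustration (not part of the bug thread and not Fedora or setroubleshoot code), the sketch below parses the two AVC records quoted in this bug, groups them by the same fields the report's Hash line uses (source type, target type, class, permission), and counts the records that carry only a `name=` field with no `path=`, which is the gap comment 7 points out. The function names `parse_avc` and `triage` are assumptions made for this example.

```python
import re

# The two AVC records quoted in this bug (description and comment 4).
AVC_RECORDS = [
    'type=AVC msg=audit(1685990663.97:378): avc:  denied  { create } for  '
    'pid=32962 comm="smbd" name="cores" scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1685990667.113:389): avc:  denied  { create } for  '
    'pid=33021 comm="smbd-notifyd" name="samba.smbd" '
    'scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:level; the type is the third field.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec


def triage(lines):
    """Group denials by (source type, target type, class, permission)."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            key = (rec['source_type'], rec['target_type'], rec['tclass'], perm)
            entry = groups.setdefault(key, {'names': [], 'paths_missing': 0})
            entry['names'].append(rec.get('name'))
            if 'path' not in rec:  # only a bare file name was logged
                entry['paths_missing'] += 1
    return groups


if __name__ == '__main__':
    for key, info in triage(AVC_RECORDS).items():
        print(','.join(key), info)
```
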

Comment 8 Zdenek Pytela 2023-08-04 16:05:03 UTC
As no new information appeared during the past weeks, we are going to close this bug. If you need to pursue this matter further, feel free to reopen this bug and attach the needed information.