Bug 253672

Summary: smbclient causes AVC denied messages
Product: [Fedora] Fedora
Reporter: Ken Reilly <kreilly>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 7
CC: pigetak178, ssorce
Hardware: All   
OS: Linux   
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:05:43 UTC
Attachments:
Description Flags
setroubleshooter output none

Description Pete Graner 2007-08-21 05:17:01 UTC
Description of problem: smbclient throws avc messages when run from the command
line or via /etc/auto.smb auto mount map.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.6.4-33.fc7

How reproducible: Every time

I've attached the setroubleshooter output. Note that one access generates 5 AVCs; they
are all cat'ed into the attachment in the order they were generated.

Comment 1 Pete Graner 2007-08-21 05:17:01 UTC
Created attachment 161947
setroubleshooter output

Comment 2 Simo Sorce 2007-08-22 02:33:57 UTC
I guess there should be a transition rule to go from automount_t to bin_t?
What I don't get is why auto.smb should run smbclient, I'd expect mount.smbfs or
mount.cifs ...

Comment 3 Daniel Walsh 2007-08-22 12:55:34 UTC
It does, but first it runs smbclient to find all the shares exported from the
remote machine, then it mounts them all.  At least that is what the automount
guys have explained.

No transition necessary, I just needed to allow automount to read the
samba_var_t and samba_etc_t files.

smbclient does not currently have a domain.  bin_t is for domains executables
that will be run without a transition.

Fixed in selinux-policy-2.6.4-40

Comment 4 pigetak178 2007-09-15 19:15:49 UTC
Straight autofs mount of CIFS type filesystems causes AVC messages:

Sep 15 14:02:55 yorky kernel: audit(1189879375.793:9): avc:  denied  { read }
for  pid=16802 comm="mount.cifs" name="hosts" dev=dm-0 ino=3604493
scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file

/etc/auto.master contains:
 /misc   /etc/auto.misc --timeout=60

/etc/auto.misc contains:
 k  -fstype=cifs,rw,dom=Enterprise,user=me,pass=myPwd ://nmrfs2/common

Mount does work.

Comment 5 pigetak178 2007-09-15 19:16:47 UTC
Oops. Am running latest policy:

/home/dmobrien: rpm -q selinux-policy
selinux-policy-2.6.4-40.fc7


Comment 6 Daniel Walsh 2007-09-18 13:07:52 UTC
This looks like you have a badly labeled hosts file.  Something created a hosts
file in /tmp and then mv'd it to /etc.  I would guess

restorecon -V /etc/hosts



Comment 7 pigetak178 2007-09-18 13:18:33 UTC
Yes, that is very likely.  I run the Juniper SSL VPN client code to access my
work machine, and I believe it does muck about with the /etc/hosts file.

/home/dmobrien: sudo  restorecon -V /etc/hosts
restorecon: invalid option -- V
usage:  restorecon [-iFnrRv] [-e excludedir ] [-o filename ] [-f filename |
pathname... ]


Comment 8 pigetak178 2007-09-18 13:21:26 UTC
FYI:

/home/dmobrien: ls -lZ /etc/hosts   
-rw-r--r--  root root user_u:object_r:etc_t            /etc/hosts


Comment 9 Daniel Walsh 2007-09-18 14:53:26 UTC
Sorry about that restorecon -v .

Anyways there was a hosts file that was not labeled etc_t that was causing the
problem.
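
The diagnosis in comments 6 and 9, written out as an added example that is not part of the original bug thread: a small parser that reads AVC denial records and flags file targets still carrying a scratch-directory type, the signature of a file created in /tmp and mv'd elsewhere. The sample log is constructed (the denial from comment 4 joined onto one line, plus one made-up record), and the SCRATCH_TYPES set is an assumption of this example.

```python
import re

# Constructed sample: the denial quoted in comment 4, joined onto one line,
# plus one made-up record whose target already carries the expected etc_t type.
SAMPLE_LOG = """\
Sep 15 14:02:55 yorky kernel: audit(1189879375.793:9): avc:  denied  { read } for  pid=16802 comm="mount.cifs" name="hosts" dev=dm-0 ino=3604493 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
Sep 15 14:03:10 yorky kernel: audit(1189879390.101:10): avc:  denied  { write } for  pid=16810 comm="example" name="hosts" dev=dm-0 ino=3604493 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: types a file picks up when created in a scratch
# directory and keeps when it is mv'd (rather than copied) to its final path.
SCRATCH_TYPES = {"tmp_t", "user_tmp_t"}


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is the third field.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return rec


def mislabel_suspects(log_text):
    """List (comm, name, target type, inode) for denials on scratch-typed files."""
    suspects = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "file" and rec["ttype"] in SCRATCH_TYPES:
            suspects.append((rec.get("comm"), rec.get("name"), rec["ttype"], rec.get("ino")))
    return suspects


if __name__ == "__main__":
    for comm, name, ttype, ino in mislabel_suspects(SAMPLE_LOG):
        print(f"{comm}: target '{name}' (inode {ino}) is labeled {ttype}; check its path and relabel")
```

The record carries only the file's base name and inode, so the full path has to be confirmed (for example with `ls -lZ`, as in comment 8) before running `restorecon -v` on it.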

Comment 10 Red Hat Bugzilla 2007-10-23 15:25:19 UTC
User pgraner's account has been closed

Comment 11 Daniel Walsh 2008-01-30 19:05:43 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.