Bug 429783
Summary: | SELinux is preventing /usr/bin/procmail (procmail_t) "search" to / (samba_share_t). | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Philip Goisman <goisman> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | low | ||
Version: | 5.1 | CC: | mlichvar |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-01-31 16:21:47 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Philip Goisman
2008-01-22 23:13:21 UTC
What avc messages are you seeing? What directory is labeled samba_share_t? Did you run chcon -R -t samba_share_t on a directory? Here's a new twist. Just as your comment arrived, I discovered that deleting /var/mail/$USER, which was created upon account creation (and initialy worked), and then sending e-mail to that $USER worked! However, the "setrouble shoot browser" popup still appeared. And, does so every time a new e-mail is sent. Eventually, all of the tests to $USER were received. Now to answer your question. I'm personally not seeing any avc messages except for those reported in the "setrouble shoot browser" popup as follows: avc: denied { search } for comm="procmail" dev=hda2 egid=12 euid=0 exe="/usr/bin/procmail" exit=-13 fsgid=12 fsuid=0 gid=12 items=0 name="/" pid=5653 scontext=system_u:system_r:procmail_t:s0 sgid=12 subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:samba_share_t:s0 tty=(none) uid=0 I have no idea which directory is labeled samba_share_t. Neither a locate nor a find discovered any directory/file labeled samba_share_t. So would executing "chcon -R -t samba_share_t" do anything? I tried it out and the results are as follows: # chcon -R -t samba_share_t chcon: too few arguments Try `chcon --help' for more information. ls -ldZ / find / -context "*samba_share_t*" Ok, thanks for the help. It appears I have many directories labeled samba_share_t. I don't remember labeling any of them samba_share_t. But in my effort to port my former samba files to EL5, I may have inadevertently done that. How would I go about fixing that? In looking back through my notes on samba, I did issue the command "chcon -R -t samba_share_t /." This was recommended by a browser popup error as follows: SELinux is preventing samba (/usr/sbin/smbd) "search" to / (default_t). SELinux denied samba access to /. If you want to share this directory with samba it has to have a file context label of samba_share_t. The following command will allow this access: chcon -R -t samba_share_t / I had a following problem: SELinux is preventing /sbin/mcstransd (setrans_t) "search" access to / (samba_share_t). It was recommended to try "restorecon -v /." I didn't do this, then. I'll try now. That didn't reverse the labeling. I'll check the FAQ for a policy to try. Looks like I already tried the policy in the FAQ. I think I'm screwed. Best bet looks like I need to restore the system back to before I started porting samba. Since I've got backups running now, I'll do this Monday. Unless you have any further suggestions, I guess we can close this bug report. Thanks for pointing me in the right direction. Ok, I tried changing context labels back to what they were supposed to be using chcon -R -t home_root_t /home, then cd /home and chcon -R -t user_home_dir_t *. Then, I changed the dirctories with samba_share_t to default_t. And, after a reboot, it looks like the popup error on procmail has disappeared. I have a similar problem with clamscan, but it looks like more of the same. I'll just have to figure out the proper context label for mdefang-m0PNhDXM004085 (var_spool_t) as in SELinux is preventing /usr/bin/clamscan (clamscan_t) "search" access to mdefang-m0PNhDXM004085 (var_spool_t). restorecon -F -v -R PATH Should set the machine back to the system defaults. Also we are preparing an update to RHEL5 policy for Update 2. You can get a test version at http://people.redhat.com/dwalsh/SELinux/RHEL5 Thanks for the command. I have reset all file contexts and hope this solves my problem with them. Might as well try the 2.4.6-117 versions . Thanks for tip. When these are released will they update automatucally? Yes it you are a RHEL5 subscriber, you will get this update. |