Bug 443334
| Summary: | setsebool ok & smb denied | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Laurent Jacquot <jk> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-11-17 22:03:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in selinux-policy-3.0.8-101.fc8 Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed. |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.1.13) Gecko/20080325 Fedora/2.0.0.13-1.fc8 Firefox/2.0.0.13 Description of problem: SMB is denied read access to user_iceauth_home_t context even if I have: [root@jack ~]# getsebool -a |grep samba samba_domain_controller --> off samba_enable_home_dirs --> on samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_nfs --> off use_samba_home_dirs --> on Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1.share your $home via samba 2.try to access it from another machine 3.Setroubleshoot pops up with the following: Résumé: SELinux is preventing the samba daemon from reading users' home directories. Description détaillée: SELinux has denied the samba daemon access to users' home directories. Someone is attempting to access your home directories via your samba daemon. If you only setup samba to share non-home directories, this probably signals a intrusion attempt. For more information on SELinux integration with samba, look at the samba_selinux man page. (man samba_selinux) Autoriser l'accès: Si vous souhaitez que samba partage des répertoires personnels vous devez activer le booléen samba_enable_home_dirs : "setsebool -P samba_enable_home_dirs=1" La commande suivante autorisera cet accès : setsebool -P samba_enable_home_dirs=1 Informations complémentaires: Contexte source system_u:system_r:smbd_t:s0 Contexte cible system_u:object_r:user_iceauth_home_t:s0 Objets du contexte /home/alex/.ICEauthority [ file ] Source smbd Source Path /usr/sbin/smbd Port <Inconnu> Host jack.lutty.net Source RPM Packages samba-3.0.28a-0.fc8 Target RPM Packages Politique RPM selinux-policy-3.0.8-95.fc8 Selinux activé True Type de politique targeted MLS activé True Mode strict Enforcing Nom du plugin samba_enable_home_dirs Nom de l'hôte jack.lutty.net Plateforme Linux jack.lutty.net 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 i686 Compteur d'alertes 30 First Seen ven 04 avr 2008 23:16:29 CEST Last Seen lun 14 avr 2008 20:51:06 CEST Local ID d2ee22f9-866b-4305-94c8-a029aee20c19 Numéros des lignes Messages d'audit bruts host=jack.lutty.net type=AVC msg=audit(1208199066.837:2675): avc: denied { getattr } for pid=10432 comm="smbd" path="/home/alex/.ICEauthority" dev=dm-11 ino=850503 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_iceauth_home_t:s0 tclass=file host=jack.lutty.net type=SYSCALL msg=audit(1208199066.837:2675): arch=40000003 syscall=195 success=no exit=-13 a0=bfc33194 a1=bfc32914 a2=4c5ff4 a3=bfc32914 items=0 ppid=3346 pid=10432 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) Actual Results: Expected Results: Additional info: what would be the right thing to do, dontaudit, allow or deny?