Bug 473795

Summary: selinux warning when trying to share a directory with samba that is already shared with nfs
Product: [Fedora] Fedora
Reporter: Bernd Bartmann <bernd.bartmann>
Component: selinux-policy-targeted
Assignee: Fabian Affolter <mail>
Status: CLOSED UPSTREAM
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 10
CC: mail
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-12-03 19:34:38 UTC
Bug Blocks: 479644

Description Bernd Bartmann 2008-11-30 17:10:12 UTC
Description of problem:
I'm getting a message (see below) when trying to share a directory with samba that is already shared with nfs.

This message is completely misleading as NFS is already working, but samba is not.



Summary:

SELinux hindert den NFS-Daemon daran, dass entfernte Clients lokale Dateien
lesen.

Detailed Description:

SELinux hinderte den NFS-Daemon (nfsd) am Lesen im lokalen System. Falls Sie
keine Dateisysteme exportiert haben, könnte dies einen Einbruchsversuch
signalisieren.

Allowing Access:

Falls Sie Dateisysteme via NFS exportieren möchten, müssen Sie den
samba_export_all_ro Boolesch aktivieren: "setsebool -P samba_export_all_ro=1".

Fix Command:

setsebool -P samba_export_all_ro=1

Additional Information:

Source Context                unconfined_u:system_r:smbd_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                / [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          beverly.ncc1701d
Source RPM Packages           samba-3.2.4-0.22.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   samba_export_all_ro
Host Name                     beverly.ncc1701d
Platform                      Linux beverly.ncc1701d 2.6.27.5-117.fc10.x86_64 #1
                              SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64
Alert Count                   837
First Seen                    Sat Nov 29 22:46:26 2008
Last Seen                     Sat Nov 29 23:26:28 2008
Local ID                      c32cd63b-bff7-4040-a38d-1726e0462f8a
Line Numbers                  

Raw Audit Messages            

node=beverly.ncc1701d type=AVC msg=audit(1227997588.413:1300): avc:  denied  { read } for  pid=19806 comm="smbd" name="/" dev=md1 ino=2 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

node=beverly.ncc1701d type=SYSCALL msg=audit(1227997588.413:1300): arch=c000003e syscall=2 success=no exit=-13 a0=7f22b41182d0 a1=90800 a2=7f22b41b0f40 a3=2f13a70 items=0 ppid=19741 pid=19806 auid=500 uid=0 gid=0 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=47 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-18.fc10.noarch


Comment 1 Daniel Walsh 2008-12-01 22:14:24 UTC
This looks like a translation problem.

Comment 2 Bernd Bartmann 2008-12-02 21:41:58 UTC
I tried an "unset LANG" but even after this the "sealert -l" output comes with German messages. Is there any way to see the messages in English to verify that this is really a translation issue?

Comment 3 Daniel Walsh 2008-12-03 14:23:40 UTC
LANG=C sealert ...

Should do it.

Comment 4 Bernd Bartmann 2008-12-03 14:34:12 UTC
Nope, even with LANG=C in front of the sealert command I get the summary text in German.

Comment 5 Daniel Walsh 2008-12-03 14:44:28 UTC
OK, read the source.

/usr/share/setroubleshoot/plugins/samba_export_all_ro.py

Comment 6 Bernd Bartmann 2008-12-03 14:51:34 UTC
Thanks. The English text in the source looks good to me. Now, where is the translated text and how to get it fixed, i.e. should we assign this to another component or person?

Comment 7 Fabian Affolter 2008-12-03 19:34:38 UTC
Thanks for reporting this. The German translation was wrong.

Fixed with commit
https://fedorahosted.org/setroubleshoot/browser/plugins/po/de.po?rev=1247%3A6e3fd70feea4

If the error still occurs in the next release of SETroubleShoot, please reopen this bug report.
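
The kind of mismatch fixed in Comment 7, as an added example (not code from this bug report or from setroubleshoot): a check that flags gettext entries whose translation names a different service than the English source string. The `SERVICES` patterns, the function names and both `msgid` strings are assumptions of this example; the first `msgstr` is the German summary quoted in the description.

```python
import re

# Service-name patterns; this grouping is an assumption made for the example.
SERVICES = {
    "nfs": re.compile(r"(?<![a-z])nfsd?(?![a-z])", re.I),
    "samba": re.compile(r"(?<![a-z])(?:samba|smbd?)(?![a-z])", re.I),
}

def parse_po(text):
    """Return (msgid, msgstr) pairs from .po text; plurals and msgctxt are not handled."""
    entries, field, cur = [], None, {"msgid": "", "msgstr": ""}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'(msgid|msgstr)\s+"(.*)"$', line)
        if m:
            if m.group(1) == "msgid" and field == "msgstr":
                entries.append((cur["msgid"], cur["msgstr"]))  # previous entry is complete
                cur = {"msgid": "", "msgstr": ""}
            field = m.group(1)
            cur[field] = m.group(2)
        elif field and len(line) >= 2 and line[0] == line[-1] == '"':
            cur[field] += line[1:-1]  # quoted continuation line
    if field == "msgstr":
        entries.append((cur["msgid"], cur["msgstr"]))
    return [(i.replace("\\n", " "), s.replace("\\n", " ")) for i, s in entries if i]

def mentioned(text):
    return {name for name, rx in SERVICES.items() if rx.search(text)}

def service_mismatches(po_text):
    """List (msgid, added, dropped) for translated entries whose service names differ."""
    findings = []
    for msgid, msgstr in parse_po(po_text):
        src, dst = mentioned(msgid), mentioned(msgstr)
        if msgstr and src != dst:  # an empty msgstr means untranslated, nothing to compare
            findings.append((msgid, sorted(dst - src), sorted(src - dst)))
    return findings

# Constructed sample catalog. The first msgstr is the German summary quoted in the
# report; both msgid strings and the second msgstr are written for this example.
SAMPLE_PO = r'''
msgid "SELinux is preventing the samba daemon from reading local files for remote clients."
msgstr ""
"SELinux hindert den NFS-Daemon daran, dass entfernte Clients lokale Dateien "
"lesen."

msgid "SELinux is preventing the nfs daemon from reading local files for remote clients."
msgstr "SELinux hindert den NFS-Daemon daran, lokale Dateien für entfernte Clients zu lesen."
'''

print(service_mismatches(SAMPLE_PO))
```

Run over a translation catalog before release, a finding means the localized alert would point the administrator at the wrong daemon, as happened here with an smbd denial described as an NFS problem.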