Bug 508775

Summary: setroubleshoot gives incomplete output
Product: [Fedora] Fedora
Reporter: Orcan Ogetbil <oget.fedora>
Component: setroubleshoot
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: dwalsh, eparis, jdennis, mgrepl
Keywords: Reopened
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-11-18 13:10:00 UTC

Attachments:
  the conversation at #selinux (flags: none)
  selinux_alert (flags: none)

Description Orcan Ogetbil 2009-06-29 19:48:13 UTC
Created attachment 349860 [details]
the conversation at #selinux

Folks at #selinux on IRC told me to file this bug here.

Basically, setroubleshoot told me to issue the command
   chcon -R -t samba_share_t '/home/melanie/Media'
when I tried to reach this box from a remote location. But issuing the command didn't help. It turned out that /home/melanie/Media is a symlink and the target location needs to be relabeled too. But setroubleshoot doesn't indicate this.

I'm attaching the discussion.

Comment 1 Eric Paris 2009-06-29 19:51:18 UTC
Only other tidbit of any interest was the second denial message...

type=AVC msg=audit(1246303193.31:94341): avc: denied { search } for pid=31067 comm="smbd" name="Media" dev=sda7 ino=153419777 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir

type=SYSCALL msg=audit(1246303193.31:94341): arch=c000003e syscall=4 success=yes exit=0 a0=7fdb031f5d20 a1=7fff0aa702c0 a2=7fff0aa702c0 a3=61006300690073 items=0 ppid=27569 pid=31067 auid=500 uid=0 gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=99 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)

Comment 2 Daniel Walsh 2009-06-29 20:38:11 UTC
The problem here is that we get the first denial, which is all setroubleshoot can figure out, so I would suspect that it told you the correct thing, but there was a secondary issue: after it followed the symbolic link, it was also blocked on actually reading /pub/samba.

So the final solution is probably to label /pub and its subdirs as samba_share_t:

# semanage fcontext -a -t samba_share_t '/pub(/.*)?'
# restorecon -R -v /pub

You might want to update to the latest setroubleshoot also.

Comment 3 Orcan Ogetbil 2009-06-29 20:51:38 UTC
Yes, relabeling /pub helps.

But both before and after issuing the command
   chcon -R -t samba_share_t '/home/melanie/Media'
setroubleshoot gave me the same message. It doesn't tell me anything about /pub. It just tells me to run
   chcon -R -t samba_share_t '/home/melanie/Media'
no matter how many times I run it.

I guess the symlinks need to be handled differently (? I'm a selinux-ignorant ?)

Comment 4 Daniel Walsh 2009-06-29 21:06:12 UTC
Please attach the setroubleshoot message

Comment 5 Orcan Ogetbil 2009-06-29 21:14:51 UTC
Created attachment 349878 [details]
selinux_alert

here ya go

Comment 6 Daniel Walsh 2009-07-01 17:27:19 UTC
Well, setroubleshoot was exactly correct. /home/melanie/Media was a directory and labeled default_t, so if you changed the label, it would work.

Comment 7 Orcan Ogetbil 2009-07-01 17:31:59 UTC
No, as I said, /home/melanie/Media is not a directory. It is a symlink that points to /pub/Media.

Daniel, the bug is valid and reproducible.

Comment 8 Daniel Walsh 2009-07-01 21:08:20 UTC
You are right, I am wrong, sorry.  The tool is searching for the inode reported by the kernel and found the link but read the file the link pointed to, found a match and reported the link as the problem.  Sadly all the kernel gives us is a name and an inode.

I will fix in setroubleshoot-2.1.14-2.fc11
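The inode lookup described in comment 8, as an added Python example that is not setroubleshoot's own code: the naive version stats every entry under a root, so a symlink matches its target's dev/inode and the link path gets reported; the corrected version uses lstat for each entry's own identity and, when a link's target carries the inode, reports the resolved target instead. The directory layout (home/melanie/Media -> pub/Media) is constructed in a temporary directory to mirror the report.

```python
import os
import tempfile

def _all_paths(root):
    # every entry below root; os.walk does not descend into symlinked dirs
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def naive_paths_for_inode(root, dev, ino):
    """Flawed lookup: stat() follows links, so a symlink matches its
    target's inode and the link path is reported as the object."""
    hits = []
    for path in _all_paths(root):
        try:
            st = os.stat(path)
        except OSError:  # dangling link: nothing to match
            continue
        if (st.st_dev, st.st_ino) == (dev, ino):
            hits.append(path)
    return sorted(hits)

def paths_for_inode(root, dev, ino):
    """Corrected lookup: lstat() keeps each entry's own identity; when a
    symlink's target carries the inode, report the resolved target path."""
    hits = set()
    for path in _all_paths(root):
        st = os.lstat(path)
        if (st.st_dev, st.st_ino) == (dev, ino):
            hits.add(os.path.realpath(path))
        elif os.path.islink(path):
            try:
                tgt = os.stat(path)
            except OSError:
                continue
            if (tgt.st_dev, tgt.st_ino) == (dev, ino):
                hits.add(os.path.realpath(path))
    return sorted(hits)

def demo():
    root = tempfile.mkdtemp()  # constructed layout: home/melanie/Media -> pub/Media
    target = os.path.join(root, "pub", "Media")
    os.makedirs(target)
    os.makedirs(os.path.join(root, "home", "melanie"))
    link = os.path.join(root, "home", "melanie", "Media")
    os.symlink(target, link)
    st = os.stat(target)  # the dev/ino pair the AVC record would carry
    naive = naive_paths_for_inode(root, st.st_dev, st.st_ino)
    fixed = paths_for_inode(root, st.st_dev, st.st_ino)
    return naive, fixed, link, os.path.realpath(target)
```

`demo()` returns the naive hits (which include the link, the misleading chcon target from the report), the corrected hits (only the real directory), the link path and the resolved target.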