Bug 508775
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | setroubleshoot gives incomplete output | | |
| Product | [Fedora] Fedora | Reporter | Orcan Ogetbil <oget.fedora> |
| Component | setroubleshoot | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | low | | |
| Version | 11 | CC | dwalsh, eparis, jdennis, mgrepl |
| Target Milestone | --- | Keywords | Reopened |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2009-11-18 13:10:00 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
Created attachment 349860 [details]
the conversation at #selinux

Folks at #selinux at IRC told me to file this bug here. Basically, setroubleshoot told me to issue a command chcon -R -t samba_share_t '/home/melanie/Media' when I tried to reach this box from a remote location. But issuing the command didn't help. It turned out that /home/melanie/Media is a symlink and the target location needs to be relabeled too. But setroubleshoot doesn't indicate this. I'm attaching the discussion.

Only other tidbit of any interest was the second denial message...

```
type=AVC msg=audit(1246303193.31:94341): avc: denied { search } for pid=31067 comm="smbd" name="Media" dev=sda7 ino=153419777 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1246303193.31:94341): arch=c000003e syscall=4 success=yes exit=0 a0=7fdb031f5d20 a1=7fff0aa702c0 a2=7fff0aa702c0 a3=61006300690073 items=0 ppid=27569 pid=31067 auid=500 uid=0 gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=99 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
```

The problem here is that we get the first denial, which is all setroubleshoot can figure out, so I would suspect that it told you the correct thing, but there was a secondary issue: after it followed the symbolic link, it was also blocked on actually reading /pub/samba. So the final solution is probably to label /pub and its subdirs as samba_share_t:

```
# semanage fcontext -a -t samba_share_t '/pub(/.*)?'
# restorecon -R -v /pub
```

You might want to update to the latest setroubleshoot also.

Yes, relabeling /pub helps. But both before and after issuing the command chcon -R -t samba_share_t '/home/melanie/Media', setroubleshoot gave me the same message. It doesn't tell me anything about /pub. It just tells me to run chcon -R -t samba_share_t '/home/melanie/Media' no matter how many times I run it. I guess the symlinks need to be handled differently (? I'm a selinux-ignorant ?)

Please attach the setroubleshoot message

Created attachment 349878 [details]
selinux_alert

here ya go

Well the setroubleshoot was exactly correct. /home/melanie/Media was a directory and labeled default_t, so if you changed the label, it would work.

No, as I said, /home/melanie/Media is not a directory. It is a symlink that points to /pub/Media. Daniel, the bug is valid and reproducible.

You are right, I am wrong, sorry. The tool is searching for the inode reported by the kernel and found the link but read the file the link pointed to, found a match and reported the link as the problem. Sadly all the kernel gives us is a name and an inode. I will fix in setroubleshoot-2.1.14-2.fc11
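The mis-attribution Daniel Walsh describes (the tool walks the filesystem looking for the inode from the AVC record, but stat() on the symlink resolves to the target, so the link matches and gets reported) can be reproduced in a few lines. The following is an added illustration, not setroubleshoot's own code; the directory layout (a real pub/Media and a symlink home/melanie/Media pointing at it) is constructed in a temporary directory to mirror the report.

```python
import os
import shutil
import tempfile


def paths_matching_inode(root, dev, ino, follow_symlinks):
    """Walk `root` and return every path whose (st_dev, st_ino) matches.

    follow_symlinks=True uses os.stat(), which resolves a symlink to its
    target, so the symlink itself matches the target's inode and gets
    reported (the behaviour described in the thread).  follow_symlinks=False
    uses os.lstat(), so only the real directory matches.
    """
    stat_fn = os.stat if follow_symlinks else os.lstat
    matches = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = stat_fn(path)
            except OSError:
                continue  # dangling link or vanished entry; skip it
            if st.st_dev == dev and st.st_ino == ino:
                matches.append(path)
    return sorted(matches)


def demo():
    """Constructed layout: pub/Media is a real dir, home/melanie/Media -> pub/Media."""
    root = tempfile.mkdtemp()
    try:
        target = os.path.join(root, "pub", "Media")
        link = os.path.join(root, "home", "melanie", "Media")
        os.makedirs(target)
        os.makedirs(os.path.dirname(link))
        os.symlink(target, link)
        # The AVC record only carries name=, dev= and ino= of the real directory.
        st = os.stat(target)
        buggy = paths_matching_inode(root, st.st_dev, st.st_ino, follow_symlinks=True)
        fixed = paths_matching_inode(root, st.st_dev, st.st_ino, follow_symlinks=False)
        return {"target": target, "link": link, "buggy": buggy, "fixed": fixed}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo()
    print("stat() lookup reports:", result["buggy"])   # link and target
    print("lstat() lookup reports:", result["fixed"])  # target only
```

With stat() the symlink sorts first and is the path a tool would hand to the user, which is why the advice kept pointing at /home/melanie/Media instead of /pub/Media.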