Bug 566984

Summary: SELinux is preventing /usr/sbin/smbd "getattr" access on /dev/network_throughput.
Product: [Fedora] Fedora Reporter: Jim Shipman <JimShip>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:29e09eb224ec3afe3c308e3e0b1ce89ada0ddae154c8dc93d7d7f14652ecdfe6
Fixed In Version: selinux-policy-3.6.32-92.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-04 00:16:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
avc log containing smbd rejects none

Description Jim Shipman 2010-02-20 22:19:43 UTC 
Summary:

SELinux is preventing /usr/sbin/smbd "getattr" access on
/dev/network_throughput.

Detailed Description:

SELinux denied access requested by smbd. It is not expected that this access is
required by smbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:netcontrol_device_t:s0
Target Objects                /dev/network_throughput [ chr_file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           samba-3.4.5-55.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.12-174.2.22.fc12.x86_64 #1 SMP Fri Feb 19
                              18:55:03 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 20 Feb 2010 12:57:38 PM PST
Last Seen                     Sat 20 Feb 2010 12:57:38 PM PST
Local ID                      86e5f004-a79e-434f-a1ef-d1e32c53d2e9
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1266699458.135:34928): avc:  denied  { getattr } for  pid=2804 comm="smbd" path="/dev/network_throughput" dev=tmpfs ino=3375 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1266699458.135:34928): arch=c000003e syscall=4 success=no exit=-13 a0=7fc530903ce0 a1=7fffa9fa23e0 a2=7fffa9fa23e0 a3=ffffffee items=0 ppid=1970 pid=2804 auid=4294967295 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)



Hash String generated from  catchall,smbd,smbd_t,netcontrol_device_t,chr_file,getattr
audit2allow suggests:

#============= smbd_t ==============
allow smbd_t netcontrol_device_t:chr_file getattr;
Comment 1 Daniel Walsh 2010-02-22 19:39:36 UTC 
How did you get this to happen?  Are you sharing the entire system?
Comment 2 Jim Shipman 2010-02-22 20:20:07 UTC 
(In reply to comment #1)
> How did you get this to happen?  Are you sharing the entire system?

I don't know what I was doing when it happened.  I just got the bug icon in the task bar.  This same messages was received for a whole bunch of access', but I only submitted the first one.

I am running samba to connect (via a bridged adapter) to Windows xp running in a VirtualBox (V 3.1.4) on the same machine (the vbox shared folders change all the time/date stamps on my files to current time), and I share my home folder (ext4) and NTFS drive with my laptop via a wireless network.  Nothing else.
Comment 3 Daniel Walsh 2010-02-22 21:21:53 UTC 
Could you execute 

ausearch -m avc -ts recent 

And attach a compresses output.  If there is sensitive data, just email it to dwalsh or pipe it through audit2allow.

ausearch -m avc -ts recent | audit2allow
Comment 4 Jim Shipman 2010-02-22 21:59:02 UTC 
[root@laurie ~]# ausearch -m avc -ts recent | audit2allow
<no matches>
Comment 5 Jim Shipman 2010-02-22 22:00:57 UTC 
Sorry for two appends.  Still nothing even without the audit2allow part.

[root@laurie ~]# ausearch -m avc -ts recent
<no matches>
Comment 6 Jim Shipman 2010-02-22 22:09:40 UTC 
Created attachment 395593 [details]
avc log containing smbd rejects

Here is my avc log for the past month.  It does contain the smbd messages at line 302 and others.
Jim Shipman
Comment 7 Daniel Walsh 2010-02-22 22:36:58 UTC 
Miroslav,  Looks like smbd is doing a getattr of everything in /dev

Add

dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
Comment 8 Jim Shipman 2010-02-22 22:55:53 UTC 
Sorry, but I don't know what to add those lines to.  I'm not very familiar with the se part of selinux or smbd.

How do I "add" those lines?
Thanks,
Jim
Comment 9 Jim Shipman 2010-02-22 23:16:29 UTC 
I went into the SELinux Management tool under Administration and looked at the boolean items for samba.  I noticed that everything was checked including "allow samba to share any file/director read/write".  I unchecked everything except for domain controller, share home dirs, share ntfs/fusefs, and modify public files.

I'll see if that takes care of my problem.

Note: This was a fresh install of Fedora 12 (with all the updates), so how did SELinux get messed up?

Jim
Comment 10 Miroslav Grepl 2010-02-23 09:54:21 UTC 
(In reply to comment #7)
> Miroslav,  Looks like smbd is doing a getattr of everything in /dev
> 
> Add
> 
> dev_getattr_all_blk_files(smbd_t)
> dev_getattr_all_chr_files(smbd_t)    

Yes, it looks so.


Jim,
you can allow it for now using

# grep smbd /var/log/audit/audit.log | audit2allow -M mysamba
# semodule -i mysamba.pp


I am adding these rules to default policy.

Fixed in selinux-policy-3.6.32-92.fc12
Comment 11 Fedora Update System 2010-02-23 20:57:54 UTC 
selinux-policy-3.6.32-92.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-92.fc12
Comment 12 Fedora Update System 2010-02-26 03:44:46 UTC 
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2953
Comment 13 Fedora Update System 2010-03-04 00:13:24 UTC 
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.