Bug 623763

Summary: smbd incorrectly references "/home" and SELinux has to block the reference.
Product: [Fedora] Fedora
Reporter: Bruce vaNorman <brucevannorman>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: dwalsh, gdeschner, jlayton, mgrepl, ssorce
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-54.fc13
Doc Type: Bug Fix
Last Closed: 2010-09-11 09:07:46 UTC

Description Bruce vaNorman 2010-08-12 17:38:38 UTC
Description of problem:
Millions of SELinux alerts that Samba (smbd) is trying to read "/home". Thankfully, SELinux prevents this.

Version-Release number of selected component (if applicable):
3.5.4-62.fc13

How reproducible:
- I have a number of public Samba shares under /srv/... (on a separate drive) which work correctly. Note: "/home" is on a different separate drive.
- I have no Samba users and don't want any
- my Samba guest is "nobody"
- /etc/samba/smb.conf has a [homes] section. I've tried deleting it and also tried all sorts of sledge hammer tricks (path = /dev/null) to no avail.

Steps to Reproduce:
1. start smbd daemon
Actual results:
I have not found any help on the web to completely block Samba from attempting user file sharing. I have gone through many tens of pages on how to restrict and enable this, but none on total removal.

Expected results:
I want to stop smbd from looking at "/home" and any of its sub-directories and to stop bugging SELinux with useless alerts.


Additional info:

Comment 1 Simo Sorce 2010-08-26 14:05:39 UTC
This is probably caused by the fact that /home is a mount point.
For internal reasons samba enumerates mount points, but doesn't try to access anything that isn't explicitly exported through a share.

I think the SELinux policy should be changed, if possible, to ignore this particular AVC on mount points.

Re-assigning to SELinux, I think it should be handled there.

Comment 2 Daniel Walsh 2010-08-26 17:45:04 UTC
Miroslav, add

files_dontaudit_list_all_mountpoints(smbd_t)
########################################
## <summary>
##	Do not audit listing of all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`files_dontaudit_list_all_mountpoints',`
	gen_require(`
		attribute mountpoint;
	')

	dontaudit $1 mountpoint:dir list_dir_perms;
')
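
Added example (not part of the bug thread or of the Fedora policy sources): Python that triages AVC denials against the rule proposed in comment 2. It shows that the rule hides only directory-listing permissions on mount-point directories for smbd_t; the access is still denied, and any other attempt is still logged. The expansion of list_dir_perms, the set of mount-point types and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumption: refpolicy's list_dir_perms macro expands to this set.
LIST_DIR_PERMS = {"getattr", "search", "open", "read", "lock", "ioctl"}
# Assumption: types carrying the mountpoint attribute (policy-dependent;
# list the real ones with `seinfo -a mountpoint -x`).
MOUNTPOINT_TYPES = {"home_root_t", "mnt_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<src>\S+)"
    r"\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")

def parse_avc(line):
    """Extract permissions, source/target types and class from an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    setype = lambda ctx: ctx.split(":")[2]   # user:role:type[:level]
    return {"perms": set(m["perms"].split()), "source": setype(m["src"]),
            "target": setype(m["tgt"]), "tclass": m["cls"]}

def silenced(avc, domain="smbd_t"):
    """True if `dontaudit <domain> mountpoint:dir list_dir_perms` hides it.
    dontaudit works per permission, so one permission outside the set
    keeps the denial visible."""
    return (avc["source"] == domain and avc["tclass"] == "dir"
            and avc["target"] in MOUNTPOINT_TYPES
            and avc["perms"] <= LIST_DIR_PERMS)

def triage(lines, domain="smbd_t"):
    """Return (hidden, still_logged) lists of parsed denials."""
    hidden, logged = [], []
    for avc in filter(None, map(parse_avc, lines)):
        (hidden if silenced(avc, domain) else logged).append(avc)
    return hidden, logged

# Constructed sample audit.log lines (not taken from the bug report).
_FMT = ('type=AVC msg=audit(1281634718.10{n}:20{n}): avc:  denied  {{ {p} }} for  '
        'pid=2101 comm="smbd" name="{nm}" dev=sdb1 ino=2 '
        'scontext=system_u:system_r:smbd_t:s0 tcontext={tc} tclass={c}')
SAMPLE = [_FMT.format(n=n, p=p, nm=nm, tc=tc, c=c) for n, (p, nm, tc, c) in enumerate([
    ("read", "home", "system_u:object_r:home_root_t:s0", "dir"),
    ("getattr", "home", "system_u:object_r:home_root_t:s0", "dir"),
    ("write", "home", "system_u:object_r:home_root_t:s0", "dir"),
    ("read", "notes.txt", "unconfined_u:object_r:user_home_t:s0", "file"),
])]

if __name__ == "__main__":
    hidden, logged = triage(SAMPLE)
    print(len(hidden), "hidden;", len(logged), "still logged")
```

The write on the mount-point directory and the read of a file under a home directory stay in the audit log, so the rule removes the enumeration noise without masking real access attempts by smbd.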

Comment 3 Miroslav Grepl 2010-08-30 17:23:46 UTC
Fixed in selinux-policy-3.7.19-52.fc13.

Comment 4 Fedora Update System 2010-09-02 14:56:46 UTC
selinux-policy-3.7.19-54.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13

Comment 5 Fedora Update System 2010-09-02 20:36:23 UTC
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13

Comment 6 Fedora Update System 2010-09-11 09:07:09 UTC
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.