Bug 705148
Summary: | No audit logs of selinux denies for samba | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Joshua Weage <joshua.weage> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 5.6 | CC: | dwalsh |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2011-05-23 07:30:34 UTC | Type: | --- |
Description
Joshua Weage
2011-05-16 19:07:37 UTC
Transferring this to SE Linux policy. This doesn't sound like an audit system problem. The AVC should be logged by SE Linux and the audit rules have no real effect (other than to add additional data). But the policy does have "no audit" controls and maybe that is causing the issue? It may be that way because a file server could flood the logs with AVCs under the right situation. Not sure...

semodule -DB

Will turn off the dontaudit rules. (semodule -B turns them back on)

I would figure you need to label /disks directory as samba_share_t.

# semanage fcontext -a -t samba_share_t '/disks(/.*)?'
# restorecon -R -v /disks

Should fix the problem.

Thanks for the responses. I wasn't sure if this was intentional or not, but it is confusing not seeing any audit logs. Of course setting the appropriate context resolves the problem.

What AVCs were you seeing when you disabled the dontaudits? I think part of the problem is we have dontaudits for search of default_t directories. In RHEL6 I believe we are now allowing search of these directories. Also

# rpm -q selinux-policy

Here is the AVC message:

type=AVC msg=audit(1305913412.063:15): avc: denied { read } for pid=3280 comm="smbd" name="share" dev=dm-0 ino=443970 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir

[root@testbox audit]# rpm -q selinux-policy
selinux-policy-2.4.6-300.el5

You will need to label /share directory

# semanage fcontext -a -t samba_share_t 'PATHTO/share(/.*)?'
# restorecon -R -v PATHTO/share
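
The triage done by hand in the comments above, as an added example that is not part of the original bug report: it parses the quoted AVC record and, when smbd_t was denied on a default_t object, builds the semanage/restorecon commands suggested in the thread. The function names `parse_avc` and `triage` and the path `/srv/share` are assumptions made for this example; the AVC record does not carry the full path, so the administrator supplies it.

```python
import re
import shlex

# AVC record quoted in the thread above.
SAMPLE = ('type=AVC msg=audit(1305913412.063:15): avc: denied { read } for '
          'pid=3280 comm="smbd" name="share" dev=dm-0 ino=443970 '
          'scontext=root:system_r:smbd_t:s0 '
          'tcontext=root:object_r:default_t:s0 tclass=dir')

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Parse one audit.log AVC line into a dict, or return None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m['result'], 'perms': m['perms'].split()}
    # key=value pairs; values are either double-quoted or run to the next space
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m['rest']):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type is what policy rules match on
    for side in ('scontext', 'tcontext'):
        parts = rec.get(side, '').split(':')
        rec[side[0] + 'type'] = parts[2] if len(parts) >= 3 else None
    return rec


def triage(rec, share_path):
    """Return relabel commands when smbd was denied on an unlabeled (default_t) object.

    share_path is supplied by the administrator (hypothetical parameter).
    """
    if rec is None or rec['result'] != 'denied' or rec['stype'] != 'smbd_t':
        return []
    if rec['ttype'] != 'default_t':
        return []  # a different target type needs its own analysis
    path = share_path.rstrip('/')
    pattern = path + '(/.*)?'
    return ['semanage fcontext -a -t samba_share_t ' + shlex.quote(pattern),
            'restorecon -R -v ' + shlex.quote(path)]


if __name__ == '__main__':
    for cmd in triage(parse_avc(SAMPLE), '/srv/share'):  # constructed path
        print(cmd)
```

With the dontaudit rules active, the denial is not written to audit.log, so this only has input to work on after `semodule -DB` and a reproduction of the failed access.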