Bug 705148

Summary: No audit logs of selinux denies for samba
Product: Red Hat Enterprise Linux 5 Reporter: Joshua Weage <joshua.weage>
Component: selinux-policy Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 5.6 CC: dwalsh
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-23 07:30:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joshua Weage 2011-05-16 19:07:37 UTC
Description of problem:

Selinux is denying Samba access to shared directories.  The smbd.log file contains error messages, but the audit.log does not.  Setting smbd_disable_trans to on resolves the issue.

Version-Release number of selected component (if applicable):
1.7.18

How reproducible:
Always

Steps to Reproduce:
1. Fresh install of 5.6.
2. Setup a Samba share with security = share and guest access = ok.
3. 
  
Actual results:
smbd.log file contains the following errors:
'/disks/d1' does not exist of permission denied with connecting to [d1] Error was Permission denied

audit.log contains no messages for smbd.

Expected results:

Expect to see audit deny messages.

Additional info:

It appears as though other audit related messages are also not logged for Samba.  Attempting to share home directories without enabling the appropriate selinux boolean also results in no audit trail.

Comment 1 Steve Grubb 2011-05-16 23:20:55 UTC
Transferring this to SE Linux policy. This doesn't sound like an audit system problem. The AVC should be logged by SE Linux and the audit rules have no real effect (other than to add additional data). But the policy does have "no audit" controls and maybe that is causing the issue? It may be that way because a file server could flood the logs with AVCs under the right situation. Not sure...

Comment 2 Daniel Walsh 2011-05-17 07:55:12 UTC
semodule -DB 

Will turn off the dontaudit rules. (semodule -B turns them back on)

I would figure you need to label /disks directory as samba_share_t.

# semanage fcontext -a -t samba_share_t '/disks(/.*)?'
# restorecon -R -v /disks


Should fix the problem.

Comment 3 Joshua Weage 2011-05-17 18:09:41 UTC
Thanks for the responses.  I wasn't sure if this was intentional or not, but it is confusing not seeing any audit logs.

Of course setting the appropriate context resolves the problem.

Comment 4 Daniel Walsh 2011-05-18 06:03:58 UTC
What AVCs were you seeing when you disabled the dontaudits? I think part of the problem is we have dontaudits for search of default_t directories. In RHEL6 I believe we are now allowing search of these directories.

Comment 5 Miroslav Grepl 2011-05-19 15:35:38 UTC
Also

# rpm -q selinux-policy

Comment 6 Joshua Weage 2011-05-20 17:52:30 UTC
Here is the AVC message:

type=AVC msg=audit(1305913412.063:15): avc:  denied  { read } for  pid=3280 comm="smbd" name="share" dev=dm-0 ino=443970 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir


[root@testbox audit]# rpm -q selinux-policy
selinux-policy-2.4.6-300.el5

Comment 7 Miroslav Grepl 2011-05-23 07:30:34 UTC
You will need to label the /share directory

# semanage fcontext -a -t samba_share_t 'PATHTO/share(/.*)?'
# restorecon -R -v PATHTO/share
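The thread turns on two things: the smbd denial is invisible in audit.log until `semodule -DB` disables the policy's dontaudit rules (comment 2), and once the AVC is visible its target type (default_t) tells you the fix is relabelling, not a boolean (comment 7). The following is an added example, not code from this bug or from Red Hat: a small parser for AVC records of the shape quoted in comment 6, plus a triage function that maps the smbd_t-on-default_t directory denial to the two commands from comment 7. The sample AVC line is copied from comment 6; the SYSCALL line is constructed to show non-AVC records being skipped. The function and variable names (`parse_avc`, `suggest_fix`, `SAMPLE_AVC`) are this example's own, and the home-directory branch assumes the boolean hinted at under "Additional info" is samba_enable_home_dirs.

```python
import re
from typing import Dict, List, Optional

# Sample input: the AVC record quoted in comment 6 of this bug. Records like this
# only reach audit.log for smbd after `semodule -DB` has turned the policy's
# dontaudit rules off (comment 2); `semodule -B` turns them back on.
SAMPLE_AVC = (
    "type=AVC msg=audit(1305913412.063:15): avc:  denied  { read } for  pid=3280 "
    'comm="smbd" name="share" dev=dm-0 ino=443970 '
    "scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir"
)

# Constructed non-AVC record, to show the parser ignoring other audit types.
SAMPLE_OTHER = "type=SYSCALL msg=audit(1305913412.063:15): arch=c000003e syscall=2 success=no"

AVC_RE = re.compile(
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for": values are either "quoted" (comm, name) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one AVC audit record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "action": m.group("action"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A security context is user:role:type:level; policy rules key on the type,
    # which is what decides between "relabel the directory" and "flip a boolean".
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def suggest_fix(rec: Dict, share_path: str) -> List[str]:
    """Map a parsed smbd denial to a remediation; an empty list means no rule applies.

    share_path is the full directory path: the AVC carries only the basename
    (name="share") and inode, which is why comment 7 writes PATHTO/share.
    """
    if rec.get("action") != "denied" or rec.get("scontext_type") != "smbd_t":
        return []
    target = rec.get("tcontext_type")
    if target == "default_t" and rec.get("tclass") == "dir":
        # Unlabelled share directory: the relabelling from comment 7.
        return [
            f"semanage fcontext -a -t samba_share_t '{share_path}(/.*)?'",
            f"restorecon -R -v {share_path}",
        ]
    if target in ("user_home_dir_t", "home_root_t"):
        # Home-directory share ("Additional info"); boolean name is this example's assumption.
        return ["setsebool -P samba_enable_home_dirs on"]
    return []


if __name__ == "__main__":
    for line in (SAMPLE_AVC, SAMPLE_OTHER):
        rec = parse_avc(line)
        if rec is None:
            continue
        print(f"{rec['comm']} ({rec['scontext_type']}) denied {rec['perms']} on "
              f"{rec['tclass']} {rec['name']} ({rec['tcontext_type']})")
        for cmd in suggest_fix(rec, "/share"):
            print("  #", cmd)
```

Run it as-is to see the comment 6 record reduced to its decision-relevant fields and the two commands from comment 7; feed it lines from a real audit.log (after `semodule -DB`, and `semodule -B` afterwards) to triage other smbd denials the same way.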