Description of problem:
SELinux prevents some smbd activity with strange alerts.

Version-Release number of selected component (if applicable):
samba-4.1.1-1.fc20.x86_64
selinux-policy-3.12.1-90.fc20.noarch

How reproducible:
work with samba joined to AD

Actual results:

SELinux is preventing /usr/sbin/smbd from setattr access on the file .

***** Plugin samba_share (78.9 confidence) suggests ***********************

If you want to allow smbd to have setattr access on the file
Then необходимо изменить метку на «$FIX_TARGET_PATH»
Do
# semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'

...

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:default_t:s0
Target Objects                 [ file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Неизвестно>
Host                          hostname.domain.local
Source RPM Packages           samba-4.1.1-1.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     hostname.domain.local
Platform                      Linux hostname.domain.local 3.11.8-300.fc20.x86_64 #1 SMP Wed Nov 13 16:34:27 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-11-19 08:56:01 MSK
Last Seen                     2013-11-19 08:56:01 MSK
Local ID                      b68e241d-ef34-48cb-a6a0-cf972fd95283

Raw Audit Messages
type=AVC msg=audit(1384836961.803:133): avc: denied { setattr } for pid=2518 comm="smbd" name="Thumbs.db" dev="dm-1" ino=131470429 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

type=SYSCALL msg=audit(1384836961.803:133): arch=x86_64 syscall=setxattr success=yes exit=0 a0=7fbb435c7b30 a1=7fbb426f1c9b a2=7fbb435c7ed0 a3=34 items=0 ppid=814 pid=2518 auid=4294967295 uid=16777232 gid=0 euid=16777232 suid=0 fsuid=16777232 egid=16777216 sgid=0 fsgid=16777216 ses=4294967295 tty=(none) comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)

Hash: smbd,smbd_t,default_t,file,setattr

----------------------------

SELinux is preventing /usr/sbin/smbd from unlink access on the file hostname-044_0.

***** Plugin samba_share (85.5 confidence) suggests ***********************

If you want to allow smbd to have unlink access on the hostname-044_0 file
Then необходимо изменить метку на «hostname-044_0»

...

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                hostname-044_0 [ file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Неизвестно>
Host                          hostname.domain.local
Source RPM Packages           samba-4.1.1-1.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     hostname.domain.local
Platform                      Linux hostname.domain.local 3.11.8-300.fc20.x86_64 #1 SMP Wed Nov 13 16:34:27 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-11-19 08:05:09 MSK
Last Seen                     2013-11-19 08:05:09 MSK
Local ID                      4472a08c-4744-498e-b5ed-1d381116a328

Raw Audit Messages
type=AVC msg=audit(1384833909.108:107): avc: denied { unlink } for pid=1643 comm="smbd" name="hostname-044_0" dev="md0" ino=9306390 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1384833909.108:107): arch=x86_64 syscall=rename success=yes exit=0 a0=7fbb4356e190 a1=7fbb43568e50 a2=7fbb435690d8 a3=7fffd6434900 items=0 ppid=814 pid=1643 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)

Hash: smbd,smbd_t,tmp_t,file,unlink

---------------------------------------------

SELinux is preventing /usr/sbin/smbd from 'read, write' accesses on the file /SYSV07021999 (deleted).

***** Plugin restorecon (63.0 confidence) suggests ************************

If необходимо исправить метку. Стандартная метка для /SYSV07021999 (deleted): etc_runtime_t.
Then можно выполнить restorecon.
Do
# /sbin/restorecon -v /SYSV07021999 (deleted)

...

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /SYSV07021999 (deleted) [ file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Неизвестно>
Host                          hostname.domain.local
Source RPM Packages           samba-4.1.1-1.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     hostname.domain.local
Platform                      Linux hostname.domain.local 3.11.8-300.fc20.x86_64 #1 SMP Wed Nov 13 16:34:27 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-10-24 10:06:05 MSK
Last Seen                     2013-11-19 05:44:05 MSK
Local ID                      d9a6b5c6-8959-4d33-8b86-7ce471b7c769

Raw Audit Messages
type=AVC msg=audit(1384825445.592:47): avc: denied { read write } for pid=810 comm="smbd" path=2F535953563037303231393939202864656C6574656429 dev="tmpfs" ino=0 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

type=SYSCALL msg=audit(1384825445.592:47): arch=x86_64 syscall=shmat success=yes exit=140442259914752 a0=0 a1=0 a2=0 a3=7fbb4353e360 items=0 ppid=1 pid=810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)

Hash: smbd,smbd_t,tmpfs_t,file,read,write
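Added example (not part of the original report, and not setroubleshoot's own code): a small Python parser that joins the AVC and SYSCALL records quoted above by audit event id and decodes the hex-encoded `path` field. The names `summarize`, `decode`, `shm_key` and `syscall_ok` are assumptions of this sketch, and the SYSCALL lines are abridged from the report.

```python
import re

# Records taken from the report above; SYSCALL lines abridged after "success".
RECORDS = """\
type=AVC msg=audit(1384836961.803:133): avc: denied { setattr } for pid=2518 comm="smbd" name="Thumbs.db" dev="dm-1" ino=131470429 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1384836961.803:133): arch=x86_64 syscall=setxattr success=yes
type=AVC msg=audit(1384833909.108:107): avc: denied { unlink } for pid=1643 comm="smbd" name="hostname-044_0" dev="md0" ino=9306390 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1384833909.108:107): arch=x86_64 syscall=rename success=yes
type=AVC msg=audit(1384825445.592:47): avc: denied { read write } for pid=810 comm="smbd" path=2F535953563037303231393939202864656C6574656429 dev="tmpfs" ino=0 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1384825445.592:47): arch=x86_64 syscall=shmat success=yes
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
PERMS = re.compile(r"\{ ([^}]*) \}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSV = re.compile(r"^/SYSV([0-9a-fA-F]{8})")  # SysV shm object: SYSV + hex key


def decode(value):
    """Return an audit string field: quoted is literal, unquoted is hex."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value


def summarize(text):
    """Join AVC and SYSCALL records by event id; one dict per denial."""
    events = {}
    for line in text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        fields = dict(FIELD.findall(line[head.end():]))
        ev = events.setdefault(event_id, {})
        if rtype == "AVC":
            obj = decode(fields.get("path") or fields.get("name", ""))
            shm = SYSV.match(obj)
            ev.update(perms=PERMS.search(line).group(1).split(),
                      object=obj, dev=decode(fields["dev"]),
                      ttype=fields["tcontext"].split(":")[2],
                      shm_key=shm.group(1) if shm else None)
        elif rtype == "SYSCALL":
            ev["syscall"] = fields["syscall"]
            ev["syscall_ok"] = fields["success"] == "yes"  # host is permissive
    return events
```

For event 1384825445.592:47 the decoded object is `/SYSV07021999 (deleted)`, reached through `shmat` on `tmpfs`: a System V shared memory segment with key 0x07021999, not a file inside a share. The first event carries only `name="Thumbs.db"` and no `path` field.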
It looks like you are sharing files from a place that doesn't have a proper SELinux label. You need to follow the SELinux instructions in the report you published in this bug.

Can you show your smb.conf?
Is this a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1013878 ?
(In reply to Alexander Bokovoy from comment #1)
> It looks like you are sharing files from a place that doesn't have a proper
> SELinux label. You need to follow the SELinux instructions in the report you
> published in this bug.
>
> Can you show your smb.conf?

I don't have files like /SYSV07021999, hostname-044_0, $FIX_TARGET_PATH etc. at all. And I don't share them.

Here is smb.conf (without comments):

workgroup = domain
password server = pdc.domain.local
realm = DOMAIN.LOCAL
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = yes
winbind offline logon = true
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = +
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
domain master = no
local master = no
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
guest ok = yes
guest account = oracle
store dos attributes = yes
map acl inherit = yes

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    valid users = %S

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = yes
    browseable = no

[Profiles]
    path = /var/lib/samba/profiles
    browseable = no
    guest ok = yes

[FILES]
    comment = Дистрибутивы программ
    path = /sambapath/files
    guest ok = yes
    write list = @"DOMAIN+domain users"
    create mask = 0775
    directory mode = 0775

It's like SELinux shows incorrect file names or blocks something else. When it shows the right path for files with improper labels, I relabel them.
Ok. Then we should treat this bug as a duplicate of bug 1013878. Unfortunately, there is no directly available solution yet, but please follow that bug for the solution to come.

*** This bug has been marked as a duplicate of bug 1013878 ***