Bug 1031896 - Selinux prevent samba work with nonsexist files
Selinux prevent samba work with nonsexist files
Status: CLOSED DUPLICATE of bug 1013878
Product: Fedora
Classification: Fedora
Component: samba (Show other bugs)
20
Unspecified Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Guenther Deschner
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-19 00:26 EST by Sergey Arsenyev
Modified: 2013-11-21 01:33 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 01:33:17 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Sergey Arsenyev 2013-11-19 00:26:55 EST
Description of problem:
Selinux prevent some smbd activity with strange alerts

Version-Release number of selected component (if applicable):
samba-4.1.1-1.fc20.x86_64
selinux-policy-3.12.1-90.fc20.noarch

How reproducible:
work with samba joined to AD

Actual results:

SELinux is preventing /usr/sbin/smbd from setattr access on the file .

*****  Plugin samba_share (78.9 confidence) suggests   ***********************

If you want to allow smbd to have setattr access on the  file
Then необходимо изменить метку на «$FIX_TARGET_PATH»
Do
# semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH'
# restorecon  -v '$FIX_TARGET_PATH'

...

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:default_t:s0
Target Objects                 [ file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Неизвестно>
Host                          hostname.domain.local
Source RPM Packages           samba-4.1.1-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     hostname.domain.local
Platform                      Linux hostname.domain.local 3.11.8-300.fc20.x86_64
                              #1 SMP Wed Nov 13 16:34:27 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-11-19 08:56:01 MSK
Last Seen                     2013-11-19 08:56:01 MSK
Local ID                      b68e241d-ef34-48cb-a6a0-cf972fd95283

Raw Audit Messages
type=AVC msg=audit(1384836961.803:133): avc:  denied  { setattr } for  pid=2518 comm="smbd" name="Thumbs.db" dev="dm-1" ino=131470429 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file


type=SYSCALL msg=audit(1384836961.803:133): arch=x86_64 syscall=setxattr success=yes exit=0 a0=7fbb435c7b30 a1=7fbb426f1c9b a2=7fbb435c7ed0 a3=34 items=0 ppid=814 pid=2518 auid=4294967295 uid=16777232 gid=0 euid=16777232 suid=0 fsuid=16777232 egid=16777216 sgid=0 fsgid=16777216 ses=4294967295 tty=(none) comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)

Hash: smbd,smbd_t,default_t,file,setattr

----------------------------


SELinux is preventing /usr/sbin/smbd from unlink access on the file hostname-044_0.

*****  Plugin samba_share (85.5 confidence) suggests   ***********************

If you want to allow smbd to have unlink access on the hostname-044_0 file
Then необходимо изменить метку на «hostname-044_0»

...

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                hostname-044_0 [ file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Неизвестно>
Host                          hostname.domain.local
Source RPM Packages           samba-4.1.1-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     hostname.domain.local
Platform                      Linux hostname.domain.local 3.11.8-300.fc20.x86_64
                              #1 SMP Wed Nov 13 16:34:27 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-11-19 08:05:09 MSK
Last Seen                     2013-11-19 08:05:09 MSK
Local ID                      4472a08c-4744-498e-b5ed-1d381116a328

Raw Audit Messages
type=AVC msg=audit(1384833909.108:107): avc:  denied  { unlink } for  pid=1643 comm="smbd" name="hostname-044_0" dev="md0" ino=9306390 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1384833909.108:107): arch=x86_64 syscall=rename success=yes exit=0 a0=7fbb4356e190 a1=7fbb43568e50 a2=7fbb435690d8 a3=7fffd6434900 items=0 ppid=814 pid=1643 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)

Hash: smbd,smbd_t,tmp_t,file,unlink

---------------------------------------------
SELinux is preventing /usr/sbin/smbd from 'read, write' accesses on the file /SYSV07021999 (deleted).

*****  Plugin restorecon (63.0 confidence) suggests   ************************

If необходимо исправить метку.
Стандартная метка для /SYSV07021999 (deleted): etc_runtime_t.
Then можно выполнить restorecon.
Do
# /sbin/restorecon -v /SYSV07021999 (deleted)

...

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /SYSV07021999 (deleted) [ file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Неизвестно>
Host                          hostname.domain.local
Source RPM Packages           samba-4.1.1-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     hostname.domain.local
Platform                      Linux hostname.domain.local 3.11.8-300.fc20.x86_64
                              #1 SMP Wed Nov 13 16:34:27 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-10-24 10:06:05 MSK
Last Seen                     2013-11-19 05:44:05 MSK
Local ID                      d9a6b5c6-8959-4d33-8b86-7ce471b7c769

Raw Audit Messages
type=AVC msg=audit(1384825445.592:47): avc:  denied  { read write } for  pid=810 comm="smbd" path=2F535953563037303231393939202864656C6574656429 dev="tmpfs" ino=0 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file


type=SYSCALL msg=audit(1384825445.592:47): arch=x86_64 syscall=shmat success=yes exit=140442259914752 a0=0 a1=0 a2=0 a3=7fbb4353e360 items=0 ppid=1 pid=810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)

Hash: smbd,smbd_t,tmpfs_t,file,read,write
Comment 1 Alexander Bokovoy 2013-11-19 01:22:12 EST
It looks like you are sharing files from a place that doesn't have proper SELinux label. You need to follow SELinux instructions in the report you published in this bug.

Can you show your smb.conf?
Comment 2 Jörg Klemenz 2013-11-20 07:16:53 EST
Is this a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1013878 ?
Comment 3 Sergey Arsenyev 2013-11-21 00:37:15 EST
(In reply to Alexander Bokovoy from comment #1)
> It looks like you are sharing files from a place that doesn't have proper
> SELinux label. You need to follow SELinux instructions in the report you
> published in this bug.
> 
> Can you show your smb.conf?

 I haven't files like /SYSV07021999, hostname-044_0, $FIX_TARGET_PATH etc. at all.
 And i don't share it. 

 There is smb.conf (without comments):
	workgroup = domain
	password server = pdc.domain.local
	realm = DOMAIN.LOCAL
	security = ads
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	winbind use default domain = yes
	winbind offline logon = true
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind separator = +


	server string = Samba Server Version %v
	log file = /var/log/samba/log.%m
	max log size = 50

	domain master = no
	local master = no

	load printers = no
	show add printer wizard = no
	printcap name = /dev/null
	disable spoolss = yes

	guest ok = yes
	guest account = oracle
	store dos attributes = yes
	map acl inherit = yes

[homes]
	comment = Home Directories
	browseable = no
	writable = yes
	valid users = %S

[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon
	guest ok = yes
	browseable = no

[Profiles]
	path = /var/lib/samba/profiles
	browseable = no
	guest ok = yes

[FILES]
	comment = Дистрибутивы программ
	path = /sambapath/files
	guest ok = yes
	write list = @"DOMAIN+domain users"
	create mask = 0775
	directory mode = 0775

 It's like Selinux shows incorrect file names or block something else.

 When it shows right path for files with inproper labels I relabel it.
Comment 4 Alexander Bokovoy 2013-11-21 01:33:17 EST
Ok. Then we should treat this bug as a duplicate bug 1013878. Unfortunately, there is no directly available solution yet but please follow that bug for the solution to come.

*** This bug has been marked as a duplicate of bug 1013878 ***

Note You need to log in before you can comment on or make changes to this bug.