Bug 1120331 - SELinux is preventing /usr/sbin/smbd from read access on the directory .
Summary: SELinux is preventing /usr/sbin/smbd from read access on the directory .
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Dalibor Pospíšil
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-16 18:39 UTC by neil.boemio
Modified: 2015-03-05 10:42 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.13.1-14.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:42:15 UTC


Attachments (Terms of Use)
smb.conf (11.37 KB, text/plain)
2014-10-06 18:36 UTC, neil.boemio
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0458 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2015-03-05 15:17:00 UTC

Description neil.boemio 2014-07-16 18:39:17 UTC
Description of problem:

After configuring Samba, I connect to my server from my windows machine using \\servername.  Then when browsing through directories in Windows Explorer (not even attempting to create, modify or delete anything) I eventually get a SELinux Security alert pop up on the server console.  "AVC denial, click icon to view".  The error is:

SELinux is preventing /usr/sbin/smbd from read access on the directory .

But it does not show what directory.

Could be similar to bug 1115987 ?


Version-Release number of selected component (if applicable):
samba-4.1.1-35.el7_0.x86_64

How reproducible:
Not sure exactly what triggers it, but I just browse through directories until it pops up.  Not even the same directories each time.


Additional info:

SELinux is preventing /usr/sbin/smbd from read access on the directory .

*****  Plugin samba_share (98.5 confidence) suggests   ***********************

If you want to allow smbd to have read access on the  directory
Then you need to change the label on '$FIX_TARGET_PATH'
Do
# semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH'
# restorecon  -v '$FIX_TARGET_PATH'

*****  Plugin catchall (2.42 confidence) suggests   **************************

If you believe that smbd should be allowed read access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:default_context_t:s0
Target Objects                 [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          intertest2nyc.fgic.com
Source RPM Packages           samba-4.1.1-35.el7_0.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-153.el7_0.10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     intertest2nyc.fgic.com
Platform                      Linux intertest2nyc.fgic.com
                              3.10.0-123.4.2.el7.x86_64 #1 SMP Thu Jun 5
                              21:43:43 EDT 2014 x86_64 x86_64
Alert Count                   7
First Seen                    2014-07-16 00:50:23 EDT
Last Seen                     2014-07-16 14:24:09 EDT
Local ID                      9c2aa424-1870-4f8b-af88-fbe02ca2838f

Raw Audit Messages
type=AVC msg=audit(1405535049.328:567): avc:  denied  { read } for  pid=13058 comm="smbd" name="contexts" dev="dm-0" ino=135892241 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir


type=SYSCALL msg=audit(1405535049.328:567): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f309f88bfa0 a2=90800 a3=0 items=0 ppid=2171 pid=13058 auid=4294967295 uid=1000 gid=0 euid=1000 suid=0 fsuid=1000 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)

Hash: smbd,smbd_t,default_context_t,dir,read

Comment 2 neil.boemio 2014-07-16 18:57:14 UTC
I tried creating and deleting a file (from my windows machine) and got this similar message:

SELinux is preventing /usr/sbin/smbd from getattr access on the directory .

FYI ... I was able to create and delete just fine.

Not sure if this is related to the issue, but one thing I noticed is that when I create a file, it does not actually show the change on my windows machine.  I have to refresh in order to see the file.  Same thing with deleting.  After I delete a file, it still shows in explorer until I refresh.  This did not happen when I was on RHEL 6.5.  It seems that maybe RHEL 7 (or Samba) is not automatically sending back the updated file/directory info to the client?  Just a guess.

Comment 3 neil.boemio 2014-08-04 13:40:50 UTC
Any ideas on this?

Comment 4 Sumit Bose 2014-09-16 10:15:45 UTC
(Please note that there is no samba4 component in RHEL7 anymore)

Please check if all directories you are sharing with Samba are labeled  public_content_t or public_content_rw_t, see 'man samba_selinux' for details.

To find out the specific directory related to the SELinux message please take the inode number from the message (ino=135892241) and use this number with find  on the filesystem on the device dm-0 (I guess it is your / file system), e.g:

find / -inum 135892241

HTH

Comment 5 neil.boemio 2014-09-17 17:46:44 UTC
So I took a look at two recent alerts I just got a few minutes ago and the inode numbers show the following:

[root@intertest2nyc ~]# find / -inum 4026531857
/proc/irq

[root@intertest2nyc ~]# find / -inum 1158
/sys/fs/pstore
/sys/bus/node/devices

But I'm not navigating to ANY of these directories.  Why would it alert about them?  I don't understand.

Comment 6 Sumit Bose 2014-09-19 08:59:36 UTC
ah, sorry, /proc and /sys are on different file systems, please retry with

find / -xdev -inum 135892241

Btw, to check if dm-0 from the SELinux message is really your / file system you can call

findmnt /dev/dm-0

Comment 7 neil.boemio 2014-09-19 18:12:35 UTC
[root@intertest2nyc /]# findmnt /dev/dm-0
TARGET SOURCE                FSTYPE OPTIONS
/      /dev/mapper/rhel-root xfs    rw,relatime,seclabel,attr2,inode64,noquota


This comes up with no results:

[root@intertest2nyc /]# find / -xdev -inum 298249
[root@intertest2nyc /]#

Comment 8 Sumit Bose 2014-09-23 10:54:27 UTC
Reassigning to selinux-policy to see if they have additional ideas about how to figure out which directory causes the issue.

Comment 9 Milos Malik 2014-10-06 07:45:33 UTC
Why smbd needs to access /etc/selinux/targeted/contexts directory ?

# matchpathcon /etc/selinux/targeted/contexts/
/etc/selinux/targeted/contexts	system_u:object_r:default_context_t:s0
# sesearch -s smbd_t -t default_context_t -c dir -p read -A -C

#

Comment 10 Sumit Bose 2014-10-06 08:36:10 UTC
Can you please attach your smb.conf file. Are you sharing or /etc or sub-directories of /etc by chance?

Comment 11 neil.boemio 2014-10-06 18:36:03 UTC
Not sharing these.

Attached smb.conf

Comment 12 neil.boemio 2014-10-06 18:36:58 UTC
Created attachment 944324 [details]
smb.conf

Comment 13 Sumit Bose 2014-10-07 07:57:52 UTC
Thank you, so you are basically exporting home directories. I assume you have called 'setsebool -P samba_enable_home_dirs on' as recommended in the header of the smb.conf.

Can you check if there are files in one of the home directories with a default_context_t label by calling

find /your/home/directory/path -context '*default_context_t*'

Comment 14 neil.boemio 2014-10-07 13:54:43 UTC
I actually didn't have samba_enable_home_dirs set.  But I set that and I still get the alerts.

One thing I should have mentioned which is probably not a usual setup, is that for my account, I have my home directory set to / so that I can get to everything on the server.  Maybe this has something to do with the alerts?  Is there a different way to configure this which would still allow me access to all directories?

[root@interdevnyc /]# find / -context '*default_context_t*'
/etc/selinux/targeted/contexts
/etc/selinux/targeted/contexts/customizable_types
/etc/selinux/targeted/contexts/dbus_contexts
/etc/selinux/targeted/contexts/default_contexts
/etc/selinux/targeted/contexts/default_type
/etc/selinux/targeted/contexts/failsafe_context
/etc/selinux/targeted/contexts/initrc_context
/etc/selinux/targeted/contexts/lxc_contexts
/etc/selinux/targeted/contexts/removable_context
/etc/selinux/targeted/contexts/securetty_types
/etc/selinux/targeted/contexts/sepgsql_contexts
/etc/selinux/targeted/contexts/systemd_contexts
/etc/selinux/targeted/contexts/userhelper_context
/etc/selinux/targeted/contexts/users
/etc/selinux/targeted/contexts/users/guest_u
/etc/selinux/targeted/contexts/users/root
/etc/selinux/targeted/contexts/users/staff_u
/etc/selinux/targeted/contexts/users/sysadm_u
/etc/selinux/targeted/contexts/users/unconfined_u
/etc/selinux/targeted/contexts/users/user_u
/etc/selinux/targeted/contexts/users/xguest_u
/etc/selinux/targeted/contexts/virtual_domain_context
/etc/selinux/targeted/contexts/virtual_image_context
/etc/selinux/targeted/contexts/x_contexts
/etc/selinux/targeted/contexts/netfilter_contexts

Comment 15 Sumit Bose 2014-10-08 07:52:25 UTC
This is indeed special and most probably the cause of the SELinux alerts you are seeing. Even if you do not access those files directly there might be task running on the client, e.g. indexers, which crawl through all directories.

Please try to set the SELinux boolean samba_export_all_ro or samba_export_all_rw as mentioned in the header of smb.conf or in the samba_selinux man page.

Comment 16 neil.boemio 2014-10-08 13:56:55 UTC
I already have samba_export_all_rw turned on.

Comment 17 Miroslav Grepl 2014-10-13 10:14:32 UTC
We should dontaudit them.

Comment 18 Miroslav Grepl 2014-10-13 10:19:51 UTC
commit 15647b4c9570dbd9e81d96bcb95ae4bb7e40d3f1
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Oct 13 12:19:31 2014 +0200

    Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files.

Comment 21 Miroslav Grepl 2014-12-02 13:06:22 UTC
commit b93113879fe766cdc37878bf44afe466874e3981
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Dec 1 10:37:27 2014 +0100

    dontaudit list security dirs for samba domain.

Comment 24 Miroslav Grepl 2014-12-12 15:00:44 UTC
commit 478d4843a664fcb34c5399048a83719db0608769
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri Dec 12 15:58:56 2014 +0100

    Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean.

Comment 28 errata-xmlrpc 2015-03-05 10:42:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html


Note You need to log in before you can comment on or make changes to this bug.