Bug 144959 - Samba capability issues
Summary: Samba capability issues
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-01-13 00:30 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:10 UTC (History)
0 users

(edit)
Clone Of:
(edit)
Last Closed: 2005-01-20 18:37:30 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Ivan Gyurdiev 2005-01-13 00:30:40 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
audit(1105575656.361:0): avc:  denied  { dac_override } for  pid=6705
exe=/usr/sbin/smbd capability=1 scontext=user_u:system_r:smbd_t
tcontext=user_u:system_r:smbd_t tclass=capability

audit(1105575656.361:0): avc:  denied  { dac_read_search } for 
pid=6705 exe=/usr/sbin/smbd capability=2
scontext=user_u:system_r:smbd_t tcontext=user_u:system_r:smbd_t
tclass=capability

===========

I think I'll go give strict policy another shot... let's 
see how that goes...




Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.20.1-3

How reproducible:
Always

Steps to Reproduce:
1. See summary    

Additional info:
Comment 1 Ivan Gyurdiev 2005-01-13 00:34:23 UTC 
"I think I'll go give strict policy another shot... let's 
see how that goes..."

Maybe not - where are all the booleans for samba home dirs, etc..
Strict policy has a lot less boleans shown under samba-security-level.
Comment 2 Daniel Walsh 2005-01-13 01:14:59 UTC 
Run it in permissive mode for a while and then give me the AVC Messages.
I have added the dac permissions.

Dan
Comment 3 Ivan Gyurdiev 2005-01-13 01:53:18 UTC 
What am I looking for?
I tried reading/writing/creating/deleting files and directories,
looking at content from windows, mounting shares, and doing
nmblookup - nothing out of the usual... or should I leave it on 
for a longer time.. 

Actually I can't really reproduce the dac messages consistently
anymore either. They used to show up when I restarted smb, but now
they don't, and I just saw a single case of dac_override.
Comment 4 Ivan Gyurdiev 2005-01-13 02:05:31 UTC 
...or did you just want me to test the strict policy in permissive mode? 

Sorry if I misunderstood :)
Comment 5 Daniel Walsh 2005-01-13 14:36:24 UTC 
Yes I want you to run all your tests in permissive mode and then get
me the AVC messages.  That way I am not fixing them one at a time.  
But it looks like you already did most of the testing and all you
found is the two dac errors.

Dan
Comment 6 Ivan Gyurdiev 2005-01-13 18:25:30 UTC 
Yes, I have seen no other errors. 

Why doesn't the strict policy 
show all the booleans (and smbd_enable_home_dirs in particular)?
Is that intentional?
Comment 7 Daniel Walsh 2005-01-13 18:42:06 UTC 
getsebool -a 

should show all booleans
Note You need to log in before you can comment on or make changes to this bug.