From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041228 Firefox/1.0 Fedora/1.0-8 Description of problem: audit(1105575656.361:0): avc: denied { dac_override } for pid=6705 exe=/usr/sbin/smbd capability=1 scontext=user_u:system_r:smbd_t tcontext=user_u:system_r:smbd_t tclass=capability audit(1105575656.361:0): avc: denied { dac_read_search } for pid=6705 exe=/usr/sbin/smbd capability=2 scontext=user_u:system_r:smbd_t tcontext=user_u:system_r:smbd_t tclass=capability =========== I think I'll go give strict policy another shot... let's see how that goes... Version-Release number of selected component (if applicable): selinux-policy-targeted-1.20.1-3 How reproducible: Always Steps to Reproduce: 1. See summary Additional info:
"I think I'll go give strict policy another shot... let's see how that goes..." Maybe not - where are all the booleans for samba home dirs, etc.. Strict policy has a lot less boleans shown under samba-security-level.
Run it in permissive mode for a while and then give me the AVC Messages. I have added the dac permissions. Dan
What am I looking for? I tried reading/writing/creating/deleting files and directories, looking at content from windows, mounting shares, and doing nmblookup - nothing out of the usual... or should I leave it on for a longer time.. Actually I can't really reproduce the dac messages consistently anymore either. They used to show up when I restarted smb, but now they don't, and I just saw a single case of dac_override.
...or did you just want me to test the strict policy in permissive mode? Sorry if I misunderstood :)
Yes I want you to run all your tests in permissive mode and then get me the AVC messages. That way I am not fixing them one at a time. But it looks like you already did most of the testing and all you found is the two dac errors. Dan
Yes, I have seen no other errors. Why doesn't the strict policy show all the booleans (and smbd_enable_home_dirs in particular)? Is that intentional?
getsebool -a should show all booleans