Bug 144959 – Samba capability issues

Bug 144959 - Samba capability issues

Summary:	Samba capability issues

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2005-01-12 19:30 EST by Ivan Gyurdiev
Modified:	2007-11-30 17:10 EST (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2005-01-20 13:37:30 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Ivan Gyurdiev 2005-01-12 19:30:40 EST

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
audit(1105575656.361:0): avc:  denied  { dac_override } for  pid=6705
exe=/usr/sbin/smbd capability=1 scontext=user_u:system_r:smbd_t
tcontext=user_u:system_r:smbd_t tclass=capability

audit(1105575656.361:0): avc:  denied  { dac_read_search } for 
pid=6705 exe=/usr/sbin/smbd capability=2
scontext=user_u:system_r:smbd_t tcontext=user_u:system_r:smbd_t
tclass=capability

===========

I think I'll go give strict policy another shot... let's 
see how that goes...




Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.20.1-3

How reproducible:
Always

Steps to Reproduce:
1. See summary    

Additional info:

Comment 1 Ivan Gyurdiev 2005-01-12 19:34:23 EST

"I think I'll go give strict policy another shot... let's 
see how that goes..."

Maybe not - where are all the booleans for samba home dirs, etc..
Strict policy has a lot less boleans shown under samba-security-level.

Comment 2 Daniel Walsh 2005-01-12 20:14:59 EST

Run it in permissive mode for a while and then give me the AVC Messages.
I have added the dac permissions.

Dan

Comment 3 Ivan Gyurdiev 2005-01-12 20:53:18 EST

What am I looking for?
I tried reading/writing/creating/deleting files and directories,
looking at content from windows, mounting shares, and doing
nmblookup - nothing out of the usual... or should I leave it on 
for a longer time.. 

Actually I can't really reproduce the dac messages consistently
anymore either. They used to show up when I restarted smb, but now
they don't, and I just saw a single case of dac_override.

Comment 4 Ivan Gyurdiev 2005-01-12 21:05:31 EST

...or did you just want me to test the strict policy in permissive mode? 

Sorry if I misunderstood :)

Comment 5 Daniel Walsh 2005-01-13 09:36:24 EST

Yes I want you to run all your tests in permissive mode and then get
me the AVC messages.  That way I am not fixing them one at a time.  
But it looks like you already did most of the testing and all you
found is the two dac errors.

Dan

Comment 6 Ivan Gyurdiev 2005-01-13 13:25:30 EST

Yes, I have seen no other errors. 

Why doesn't the strict policy 
show all the booleans (and smbd_enable_home_dirs in particular)?
Is that intentional?

Comment 7 Daniel Walsh 2005-01-13 13:42:06 EST

getsebool -a 

should show all booleans

Note You need to log in before you can comment on or make changes to this bug.