Bug 146557 - Samba and getattr / file browsers
Summary: Samba and getattr / file browsers
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-01-29 16:41 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-02-04 16:28:11 UTC
Type: ---
Embargoed:



Description Ivan Gyurdiev 2005-01-29 16:41:04 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
I get getattr denials for all the restricted types in my 
home directory. That's because browsing applications get 
inside a folder they can get to and try to getattr on everything
there. That's common to nautilus, mplayer (it has a file
browser), probably mozilla and anything that can browse 
around. That includes samba. All I did was mount my home 
directory, and ls inside, and I got about 20 denials 
for various types there. 

For mplayer I did:

dontaudit $1_mplayer_t file_type:dir_file_class_set { getattr };

Is this wrong? There should be a standard way of 
solving this problem - maybe a macro that can be used
for all those applications.

Also, what exactly is the difference between an allow rule
and a dontaudit rule?


Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.5-2

How reproducible:
Always

Steps to Reproduce:
1. See summary

Additional info:

Comment 1 Ivan Gyurdiev 2005-01-29 23:37:55 UTC
For example, why is the following necessary?
It makes sense to me that I should be able to see all the info.
Why not make a macro for such things that does not audit getattr.

[phantom@cobra ~]$ ls -lZ /var
?---------  ?        ?                                         account
drwxr-xr-x  root     root     system_u:object_r:var_t          cache
drwxr-xr-x  root     root     system_u:object_r:var_t          db
drwxr-xr-x  root     root     system_u:object_r:var_t          empty
?---------  ?        ?                                         gdm
drwxr-xr-x  root     root     system_u:object_r:var_lib_t      lib
drwxr-xr-x  root     root     system_u:object_r:var_t          local
?---------  ?        ?                                         lock
drwxr-xr-x  root     root     system_u:object_r:var_log_t      log
?---------  ?        ?                                         mail
?---------  ?        ?                                         named
drwx------  root     root     system_u:object_r:var_t          net-snmp
drwxr-xr-x  root     root     system_u:object_r:var_t          nis
drwxr-xr-x  root     root     system_u:object_r:var_t          opt
drwxr-xr-x  root     root     system_u:object_r:var_t          preserve
drwxr-xr-x  root     root     system_u:object_r:var_run_t      run
drwxr-xr-x  root     root     system_u:object_r:var_spool_t    spool
drwxrwxrwt  root     root     system_u:object_r:tmp_t          tmp
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t www
?---------  ?        ?                                         yp


Comment 2 Daniel Walsh 2005-01-31 20:51:52 UTC
This should be brought up for discussion on the selinux list.

Also, what exactly is the difference between an allow rule
and a dontaudit rule?

Allow allows the action to happen.  Dontaudit does not allow the action to
happen but doesn't audit it.

I am not sure what the best thing to do here is.  By using the dontaudit, you
could lose valuable security information, i.e., a rogue app searching your file
system.


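The trade-off in the two comments above (a dontaudit rule silences the log entry but the access is still denied, and a broad getattr dontaudit can hide a rogue application walking your home directory) is easy to get wrong by hand. The following script is an added example, not code from this bug report, from the reporter, or from the Fedora policy package: it parses AVC denial lines in the 2005-era audit format, groups them per source domain, target type and object class, proposes a dontaudit rule only where the browsing domain was denied nothing but getattr on a file-system object, and leaves everything else audited. The domain and type names (user_mplayer_t, user_ssh_t, user_gpg_secret_t) and the log lines are constructed for illustration, not taken from a real system. It also models the allow-versus-dontaudit distinction as a (permitted, audited) pair so the difference is concrete.

```python
"""Triage getattr AVC denials from a file-browsing domain (added example)."""
import re
from collections import defaultdict

# Constructed sample denials in the old "avc:  denied  { perm } for ..." format.
# Type names are hypothetical; they only need to look like strict-policy types.
SAMPLE_AVC = """\
audit(1106843234.123:45): avc:  denied  { getattr } for  pid=2231 exe=/usr/bin/mplayer path=/home/phantom/.ssh dev=hda3 ino=12345 scontext=user_u:user_r:user_mplayer_t tcontext=user_u:object_r:user_ssh_t tclass=dir
audit(1106843234.124:46): avc:  denied  { getattr } for  pid=2231 exe=/usr/bin/mplayer path=/home/phantom/.gnupg dev=hda3 ino=12346 scontext=user_u:user_r:user_mplayer_t tcontext=user_u:object_r:user_gpg_secret_t tclass=dir
audit(1106843234.125:47): avc:  denied  { getattr } for  pid=2231 exe=/usr/bin/mplayer path=/home/phantom/.ssh/id_dsa dev=hda3 ino=12347 scontext=user_u:user_r:user_mplayer_t tcontext=user_u:object_r:user_ssh_t tclass=file
audit(1106843240.001:48): avc:  denied  { read } for  pid=2231 exe=/usr/bin/mplayer path=/home/phantom/.ssh/id_dsa dev=hda3 ino=12347 scontext=user_u:user_r:user_mplayer_t tcontext=user_u:object_r:user_ssh_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

# Object classes a file browser stats while walking a directory tree.
FILE_CLASSES = {"dir", "file", "lnk_file", "sock_file", "fifo_file",
                "chr_file", "blk_file"}


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scon").split(":")[2]   # user:role:TYPE
        ttype = m.group("tcon").split(":")[2]   # user:object_r:TYPE
        yield stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def propose_rules(text):
    """Return (dontaudit_rules, keep_audited).

    A (domain, type, class) triple that was denied only getattr on a
    file-system object gets a narrow dontaudit rule, which silences the log
    entry without granting access.  A triple that was also denied something
    else (read, write, ...) stays audited: that is the "rogue app searching
    your file system" case, and hiding it would lose real information.
    """
    perms_by_key = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        perms_by_key[(stype, ttype, tclass)] |= perms

    dontaudit, audited = [], []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        if tclass in FILE_CLASSES and perms == {"getattr"}:
            dontaudit.append(f"dontaudit {stype} {ttype}:{tclass} {{ getattr }};")
        else:
            audited.append(f"# still audited: {stype} {ttype}:{tclass} "
                           f"{{ {' '.join(sorted(perms))} }}")
    return dontaudit, audited


def decide(rules, stype, ttype, tclass, perm):
    """Model allow vs dontaudit: returns (permitted, audited).

    rules is a list of (kind, source, target, tclass, perms) tuples where
    kind is "allow" or "dontaudit".  An allow rule grants the access; a
    dontaudit rule leaves it denied but suppresses the AVC message.
    """
    def matches(kind):
        return any(k == kind and (s, t, c) == (stype, ttype, tclass) and perm in p
                   for k, s, t, c, p in rules)

    allowed = matches("allow")
    silenced = matches("dontaudit")
    return allowed, (not allowed and not silenced)


if __name__ == "__main__":
    proposed, noisy = propose_rules(SAMPLE_AVC)
    print("\n".join(proposed + noisy))
    rule = ("dontaudit", "user_mplayer_t", "user_ssh_t", "dir", {"getattr"})
    print("with dontaudit:", decide([rule], "user_mplayer_t", "user_ssh_t", "dir", "getattr"))
    print("with nothing:  ", decide([], "user_mplayer_t", "user_ssh_t", "dir", "getattr"))
```

Note that the generated rules name one source domain and one target type each. The reporter's one-line form, `dontaudit $1_mplayer_t file_type:dir_file_class_set { getattr };`, covers every labelled file on the system at once and would also have silenced the getattr on ~/.ssh/id_dsa that precedes the denied read in the sample, which is exactly the trace one would want to keep.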

Comment 3 Ivan Gyurdiev 2005-02-04 16:28:11 UTC
Closed (for now :)


