Bug 146557 - Samba and getattr / file browsers
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
i386 Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2005-01-29 11:41 EST by Ivan Gyurdiev
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2005-02-04 11:28:11 EST
Description Ivan Gyurdiev 2005-01-29 11:41:04 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
I get getattr denials for all the restricted types in my 
home directory. That's because browsing applications get 
inside a folder they can get to and try to getattr on everything
there. That's common to nautilus, mplayer (it has a file
browser), probably mozilla and anything that can browse 
around. That includes samba. All I did was mount my home 
directory, and ls inside, and I got about 20 denials 
for various types there. 

For mplayer I did:

dontaudit $1_mplayer_t file_type:dir_file_class_set { getattr };

Is this wrong? There should be a standard way of 
solving this problem - maybe a macro that can be used
for all those applications.

Also, what exactly is the difference between an allow rule
and a dontaudit rule?

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. See summary    

Additional info:
Comment 1 Ivan Gyurdiev 2005-01-29 18:37:55 EST
For example, why is the following necessary?
It makes sense to me that I should be able to see all the info.
Why not make a macro for such things that does not audit getattr.

[phantom@cobra ~]$ ls -lZ /var
?---------  ?        ?                                         account
drwxr-xr-x  root     root     system_u:object_r:var_t          cache
drwxr-xr-x  root     root     system_u:object_r:var_t          db
drwxr-xr-x  root     root     system_u:object_r:var_t          empty
?---------  ?        ?                                         gdm
drwxr-xr-x  root     root     system_u:object_r:var_lib_t      lib
drwxr-xr-x  root     root     system_u:object_r:var_t          local
?---------  ?        ?                                         lock
drwxr-xr-x  root     root     system_u:object_r:var_log_t      log
?---------  ?        ?                                         mail
?---------  ?        ?                                         named
drwx------  root     root     system_u:object_r:var_t          net-snmp
drwxr-xr-x  root     root     system_u:object_r:var_t          nis
drwxr-xr-x  root     root     system_u:object_r:var_t          opt
drwxr-xr-x  root     root     system_u:object_r:var_t          preserve
drwxr-xr-x  root     root     system_u:object_r:var_run_t      run
drwxr-xr-x  root     root     system_u:object_r:var_spool_t    spool
drwxrwxrwt  root     root     system_u:object_r:tmp_t          tmp
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t www
?---------  ?        ?                                         yp
Comment 2 Daniel Walsh 2005-01-31 15:51:52 EST
This should be brought up for discussion on the selinux list.

Also, what exactly is the difference between an allow rule
and a dontaudit rule?

Allow allows the action to happen.  Dontaudit does not allow the action to
happen but doesn't audit it.

I am not sure what the best thing to do here is.  By using the dontaudit, you
could lose valuable security information.  I.e. a rogue app searching your file
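
Worked example, added here and not part of the bug report or of selinux-policy-strict: a small Python script that reads AVC denial lines (constructed samples in the 2005-era dmesg format; every domain and type name in them, such as user_mplayer_t, user_ssh_home_t and smbd_t, is assumed), silences pure getattr-on-browse denials with dontaudit rules the way the reporter did by hand for mplayer, keeps any triple that was denied more than getattr as a commented-out allow candidate for review (the "rogue app searching your files" case raised above), and models what an allow rule, a dontaudit rule and no rule each change in the kernel's answer.

```python
"""Turn AVC getattr denials into policy rules and model what each rule changes.

Added example; it is not from the bug report or from selinux-policy-strict.
The AVC lines are constructed in the 2005-era dmesg format and every domain
and type name in them (user_mplayer_t, user_ssh_home_t, ...) is assumed.
"""
import re
from collections import defaultdict

# Constructed sample denials: a file browser (mplayer) stat()ing everything in
# a home directory, one real probe beyond getattr, and smbd doing the same.
SAMPLE_AVC = """\
audit(1107016860.123:45): avc:  denied  { getattr } for  pid=4321 exe=/usr/bin/mplayer path=/home/phantom/.ssh dev=hda3 ino=12345 scontext=user_u:user_r:user_mplayer_t tcontext=user_u:object_r:user_ssh_home_t tclass=dir
audit(1107016860.124:46): avc:  denied  { getattr } for  pid=4321 exe=/usr/bin/mplayer path=/home/phantom/.gnupg dev=hda3 ino=12346 scontext=user_u:user_r:user_mplayer_t tcontext=user_u:object_r:user_gpg_secret_t tclass=dir
audit(1107016860.125:47): avc:  denied  { getattr } for  pid=4321 exe=/usr/bin/mplayer path=/home/phantom/.bash_history dev=hda3 ino=12347 scontext=user_u:user_r:user_mplayer_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1107016861.001:48): avc:  denied  { read search } for  pid=4321 exe=/usr/bin/mplayer path=/home/phantom/.ssh dev=hda3 ino=12345 scontext=user_u:user_r:user_mplayer_t tcontext=user_u:object_r:user_ssh_home_t tclass=dir
audit(1107016862.500:49): avc:  denied  { getattr } for  pid=5000 exe=/usr/sbin/smbd path=/home/phantom/.ssh dev=hda3 ino=12345 scontext=system_u:system_r:smbd_t tcontext=user_u:object_r:user_ssh_home_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=\S+:(?P<stype>\w+) tcontext=\S+:(?P<ttype>\w+) tclass=(?P<tclass>\w+)"
)

# Object classes a directory listing touches: stat() of each entry needs
# getattr on the entry's class (the dir_file_class_set of the reporter's rule).
BROWSE_CLASSES = {"dir", "file", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}


def parse_avc(text):
    """Yield (source type, target type, class, set of denied perms) per AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield m["stype"], m["ttype"], m["tclass"], frozenset(m["perms"].split())


def build_rules(text):
    """Merge denials per (source, target, class) and pick a rule for each.

    Pure getattr on a browse class is listing noise: dontaudit it, as the
    reporter did for mplayer.  Anything beyond getattr on the same triple is
    the 'rogue app searching your files' case and stays visible for review.
    """
    per_key = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        per_key[(stype, ttype, tclass)] |= perms
    rules = []
    for key, perms in sorted(per_key.items()):
        kind = "dontaudit" if perms == {"getattr"} and key[2] in BROWSE_CLASSES else "review"
        rules.append((kind, *key, frozenset(perms)))
    return rules


def render(rules):
    """Render rules in TE syntax; review candidates are emitted commented out."""
    out = []
    for kind, stype, ttype, tclass, perms in rules:
        body = f"{stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        out.append(f"dontaudit {body}" if kind == "dontaudit" else f"# review before enabling: allow {body}")
    return "\n".join(out)


def decide(rules, stype, ttype, tclass, perm):
    """Model the kernel's answer for one access as (granted, audited).

    allow      -> granted, nothing logged
    dontaudit  -> still denied, but no AVC message
    no rule    -> denied and logged (what the reporter was seeing)
    """
    granted = silenced = False
    for kind, s, t, c, perms in rules:
        if (s, t, c) == (stype, ttype, tclass) and perm in perms:
            granted |= kind == "allow"
            silenced |= kind == "dontaudit"
    return granted, not granted and not silenced


if __name__ == "__main__":
    rules = build_rules(SAMPLE_AVC)
    print(render(rules))
    for access in [("user_mplayer_t", "user_gpg_secret_t", "dir", "getattr"),
                   ("user_mplayer_t", "user_ssh_home_t", "dir", "read")]:
        print(access, "-> granted=%s audited=%s" % decide(rules, *access))
```

The merge step is the part worth copying: a dontaudit is only emitted for a (source, target, class) triple whose entire denial history is getattr, so a domain that went on to read or search a restricted directory keeps its getattr noise in the log as well, which is the signal a dontaudit would otherwise throw away.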

Comment 3 Ivan Gyurdiev 2005-02-04 11:28:11 EST
Closed (for now :)
