Bug 1530453 - SELinux is preventing smbd from map access on the file /srv/tm/._chrissierra.sparsebundle
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-01-03 05:27 UTC by Chris Murphy
Modified: 2018-01-10 02:07 UTC

Fixed In Version: selinux-policy-3.13.1-283.21.fc27
Last Closed: 2018-01-10 02:07:13 UTC
Type: Bug

Description Chris Murphy 2018-01-03 05:27:38 UTC
Description of problem:

smbd wants to use map access on AppleDouble files prefixed with ._ but of course they inherit the samba_t label from the parent dir, which is apparently not allowing map access.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-283.17.fc27.noarch

How reproducible:
Always


[chris@f27s tm]$ sealert -l 0a2ba7cd-6441-4d7a-b1c0-0e459676cdcb
SELinux is preventing smbd from map access on the file /srv/tm/._chrissierra.sparsebundle.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/srv/tm/._chrissierra.sparsebundle default label should be var_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /srv/tm/._chrissierra.sparsebundle

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that smbd should be allowed map access on the ._chrissierra.sparsebundle file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smbd' --raw | audit2allow -M my-smbd
# semodule -X 300 -i my-smbd.pp


Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                /srv/tm/._chrissierra.sparsebundle [ file ]
Source                        smbd
Source Path                   smbd
Port                          <Unknown>
Host                          f27s.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f27s.localdomain
Platform                      Linux f27s.localdomain 4.14.10-300.fc27.x86_64 #1
                              SMP Mon Jan 1 02:40:17 UTC 2018 x86_64 x86_64
Alert Count                   118
First Seen                    2018-01-02 14:05:35 MST
Last Seen                     2018-01-02 22:13:33 MST
Local ID                      0a2ba7cd-6441-4d7a-b1c0-0e459676cdcb

Raw Audit Messages
type=AVC msg=audit(1514956413.102:1303): avc:  denied  { map } for  pid=6712 comm="smbd" path="/srv/tm/._chrissierra.sparsebundle" dev="dm-6" ino=1037 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=0


Hash: smbd,smbd_t,samba_share_t,file,map

[chris@f27s tm]$

Comment 1 Chris Murphy 2018-01-03 05:35:12 UTC
OK so I changed the type context to var_t as suggested and the errors stopped; but then later when the disk image was being closed on the client I get a new AVC:


[chris@f27s tm]$ sealert -l 5bcb9805-ed83-43af-9b05-67af2cb368c2
SELinux is preventing smbd from read access on the file ._chrissierra.sparsebundle.

*****  Plugin samba_share (75.5 confidence) suggests   ***********************

If you want to allow smbd to have read access on the ._chrissierra.sparsebundle file
Then you need to change the label on '._chrissierra.sparsebundle'
Do
# semanage fcontext -a -t samba_share_t '._chrissierra.sparsebundle'
# restorecon  -v '._chrissierra.sparsebundle'

*****  Plugin catchall_boolean (12.2 confidence) suggests   ******************

If you want to allow samba to export all ro
Then you must tell SELinux about this by enabling the 'samba_export_all_ro' boolean.

Do
setsebool -P samba_export_all_ro 1

*****  Plugin catchall_boolean (12.2 confidence) suggests   ******************

If you want to allow samba to export all rw
Then you must tell SELinux about this by enabling the 'samba_export_all_rw' boolean.

Do
setsebool -P samba_export_all_rw 1

*****  Plugin catchall (1.97 confidence) suggests   **************************

If you believe that smbd should be allowed read access on the ._chrissierra.sparsebundle file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smbd' --raw | audit2allow -M my-smbd
# semodule -X 300 -i my-smbd.pp


Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                ._chrissierra.sparsebundle [ file ]
Source                        smbd
Source Path                   smbd
Port                          <Unknown>
Host                          f27s.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f27s.localdomain
Platform                      Linux f27s.localdomain 4.14.10-300.fc27.x86_64 #1
                              SMP Mon Jan 1 02:40:17 UTC 2018 x86_64 x86_64
Alert Count                   8
First Seen                    2018-01-02 22:29:51 MST
Last Seen                     2018-01-02 22:29:52 MST
Local ID                      5bcb9805-ed83-43af-9b05-67af2cb368c2

Raw Audit Messages
type=AVC msg=audit(1514957392.617:1401): avc:  denied  { read } for  pid=6712 comm="smbd" name="._chrissierra.sparsebundle" dev="dm-6" ino=1037 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0


Hash: smbd,smbd_t,var_t,file,read

[chris@f27s tm]$





So apparently smbd wants read, write and map access for this file.

Comment 2 Lukas Vrabec 2018-01-04 15:27:23 UTC
This is a bug in policy. I added the missing rule. The label on the file you mentioned should be samba_share_t.

Lukas.

Comment 3 Chris Murphy 2018-01-04 20:31:15 UTC
Thanks. I already reverted it as var_t prevented read/write and that's worse than preventing map, which seemed to have no consequence.
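
Added example (not part of the original bug report and not setroubleshoot's own code): a small triage script that parses the two raw AVC records quoted above, rebuilds the tuple shown on sealert's "Hash:" line, and correlates the denials by device and inode to show that relabelling the file to var_t only replaced the map denial with a read denial. The function names are hypothetical.

```python
import re
from collections import defaultdict

# The two raw AVC records quoted in this bug report, copied verbatim.
AUDIT_LOG = """\
type=AVC msg=audit(1514956413.102:1303): avc:  denied  { map } for  pid=6712 comm="smbd" path="/srv/tm/._chrissierra.sparsebundle" dev="dm-6" ino=1037 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=0
type=AVC msg=audit(1514957392.617:1401): avc:  denied  { read } for  pid=6712 comm="smbd" name="._chrissierra.sparsebundle" dev="dm-6" ino=1037 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = ("comm", "dev", "ino", "scontext", "tcontext", "tclass")


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for anything else."""
    m = AVC_RE.search(line) if line.startswith("type=AVC") else None
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if any(key not in rec for key in REQUIRED):
        return None  # truncated or unusual record: skip rather than guess
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; targeted policy decides on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def denial_hashes(log):
    """(comm, source type, target type, class, perm) per denied permission,
    in the field order of sealert's "Hash:" line."""
    recs = filter(None, map(parse_avc, log.splitlines()))
    return [(r["comm"], r["stype"], r["ttype"], r["tclass"], p)
            for r in recs for p in r["perms"]]


def denials_by_object(log):
    """Map (dev, inode) -> {target type: denied permissions}."""
    table = defaultdict(lambda: defaultdict(set))
    for r in filter(None, map(parse_avc, log.splitlines())):
        table[(r["dev"], r["ino"])][r["ttype"]].update(r["perms"])
    return {obj: dict(labels) for obj, labels in table.items()}


if __name__ == "__main__":
    for h in denial_hashes(AUDIT_LOG):
        print("Hash:", ",".join(h))
    for (dev, ino), labels in denials_by_object(AUDIT_LOG).items():
        for ttype, perms in labels.items():
            print(f"{dev} ino={ino} labelled {ttype}: denied {sorted(perms)}")
```

Grouping by dev and ino rather than by path matters here because the first record carries path= and the second only name=, yet both refer to the same file.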

Comment 4 Fedora Update System 2018-01-05 14:46:48 UTC
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 5 Fedora Update System 2018-01-05 14:49:27 UTC
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 6 Fedora Update System 2018-01-06 21:08:59 UTC
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 7 Fedora Update System 2018-01-10 02:07:13 UTC
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

