Bug 166576 - avc denied messages for samba
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Assigned To: Daniel Walsh
Reported: 2005-08-23 11:08 EDT by Orion Poplawski
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 1.27.1-2.22
Doc Type: Bug Fix
Last Closed: 2007-02-14 10:17:52 EST
Description Orion Poplawski 2005-08-23 11:08:16 EDT
Description of problem:
I'm seeing the following messages.  I'm not sure whether they are preventing
anything necessary for samba functionality or not, but it seems there should at
least be a dontaudit line.

Aug 22 12:03:07 alexandria kernel: audit(1124733787.167:2646): avc:  denied  {
getattr } for  pid=5212 comm="smbd" name="/" dev=md1 ino=2
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:boot_t tclass=dir
Aug 22 12:03:07 alexandria kernel: audit(1124733787.168:2647): avc:  denied  {
getattr } for  pid=5212 comm="smbd" name="/" dev=dm-8 ino=2
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
Aug 22 12:03:07 alexandria kernel: audit(1124733787.168:2648): avc:  denied  {
getattr } for  pid=5212 comm="smbd" name="/" dev=devpts ino=1
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:devpts_t tclass=dir
Aug 22 12:53:36 alexandria kernel: audit(1124736816.213:2649): avc:  denied  {
getattr } for  pid=5212 comm="smbd" name="/" dev=tmpfs ino=5857
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:tmpfs_t tclass=dir


I use tmpfs for /tmp too.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-12

How reproducible:
Regularly
Comment 1 Daniel Walsh 2005-08-25 09:30:20 EDT
Fixed in selinux-policy-targeted-1.25.4-10
Comment 2 Walter Justen 2005-08-30 02:10:12 EDT
Thanks for the bug report. This particular bug was fixed and an update package
was published for download. Please feel free to report any further bugs you find.
Comment 3 Orion Poplawski 2005-10-05 12:55:47 EDT
More similar errors with selinux-policy-targeted-1.27.1-2.3.

type=AVC msg=audit(1128531131.967:62328): avc:  denied  { quotaget } for 
pid=31250 comm="smbd" scontext=system_u:system_r:smbd_t
tcontext=system_u:object_r:fs_t tclass=filesystem
type=AVC msg=audit(1128531157.196:62333): avc:  denied  { getattr } for 
pid=10164 comm="smbd" name="/" dev=rpc_pipefs ino=5168
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
type=AVC msg=audit(1128531131.107:62323): avc:  denied  { getattr } for 
pid=10164 comm="smbd" name="/" dev=binfmt_misc ino=4162
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:binfmt_misc_fs_t
tclass=dir
type=AVC msg=audit(1128531131.051:62319): avc:  denied  { getattr } for 
pid=10164 comm="smbd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:smbd_t
tcontext=system_u:object_r:tftpdir_t tclass=dir
type=AVC msg=audit(1128531131.051:62320): avc:  denied  { getattr } for 
pid=10164 comm="smbd" name="/" dev=dm-5 ino=2 scontext=system_u:system_r:smbd_t
tcontext=system_u:object_r:mail_spool_t tclass=dir
Comment 4 Daniel Walsh 2005-10-05 13:11:56 EDT
The only one that I see as significant is the quotaget.  Do you have quota
turned on?


Any idea why smbd is calling getattr on all these directories?

Comment 5 Orion Poplawski 2005-10-05 13:16:46 EDT
Quotas are on the following:

/dev/mapper/rootvg-mail on /var/spool/mail type ext3 (rw,usrquota)
/dev/sdc1 on /export/home0 type ext3 (rw,usrquota)
/dev/sdd1 on /export/home1 type ext3 (rw,usrquota)

Really no idea on the getattr.  Perhaps it's just running through all the
mounts?  We're not sharing /var/spool/mail or any of the others listed in the
denied messages.

# mount
/dev/mapper/rootvg-root on / type ext3 (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/md2 on /boot type ext3 (rw)
none on /dev/shm type tmpfs (rw)
/dev/mapper/rootvg-local on /export/local type ext3 (rw)
/dev/mapper/rootvg-tftpboot on /tftpboot type ext3 (rw)
/dev/mapper/rootvg-usr on /usr type ext3 (rw)
/dev/mapper/rootvg-var on /var type ext3 (rw)
/dev/mapper/rootvg-mail on /var/spool/mail type ext3 (rw,usrquota)
tmpfs on /tmp type tmpfs (rw)
/dev/sdc1 on /export/home0 type ext3 (rw,usrquota)
/dev/sdd1 on /export/home1 type ext3 (rw,usrquota)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
none on /var/named/chroot/proc type proc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
automount(pid1729) on /home type autofs (rw,fd=4,pgrp=1729,minproto=2,maxproto=4)
automount(pid1752) on /data type autofs (rw,fd=4,pgrp=1752,minproto=2,maxproto=4)
automount(pid1819) on /data4 type autofs (rw,fd=4,pgrp=1819,minproto=2,maxproto=4)
automount(pid1893) on /opt type autofs (rw,fd=4,pgrp=1893,minproto=2,maxproto=4)
automount(pid1972) on /fs type autofs (rw,fd=4,pgrp=1972,minproto=2,maxproto=4)
/export/local on /opt/local type none (rw,bind)
nfsd on /proc/fs/nfsd type nfsd (rw)
Comment 6 Daniel Walsh 2005-10-17 14:14:51 EDT
Fixed in selinux-policy-*-1.27.1-2.6
Comment 7 Orion Poplawski 2005-10-20 12:21:46 EDT
Still getting some similar messages:

Oct 20 08:58:24 alexandria kernel: audit(1129820304.735:3888): avc:  denied  {
getattr } for  pid=6213 comm="smbd" name="/" dev=selinuxfs ino=292
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:security_t tclass=dir
Oct 20 08:58:24 alexandria kernel: audit(1129820304.735:3889): avc:  denied  {
getattr } for  pid=6213 comm="smbd" name="/" dev=usbfs ino=2873
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Comment 8 Russell Coker 2006-03-20 06:18:22 EST
Version 1.27.1-2.22 has a fix for this.  
Comment 9 Orion Poplawski 2006-11-30 11:39:46 EST
Still seeing some of this on FC5 with selinux-policy-2.4.5-4.fc5:

type=AVC msg=audit(1164863966.810:359193): avc:  denied  { getattr } for 
pid=20025 comm="smbd" name="/" dev=dm-2 ino=2
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0
tclass=dir
type=AVC msg=audit(1164863966.810:359194): avc:  denied  { getattr } for 
pid=20025 comm="smbd" name="/" dev=dm-5 ino=2
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0
tclass=dir

/tftpboot and /var/spool/mail are separate filesystems.  They aren't shared by
samba.
Comment 10 Daniel Walsh 2007-02-14 10:17:52 EST
All of these bugs should be fixed in FC6.  You could attempt to use the FC6
policy on FC5 or upgrade.  Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log

and build a local customized policy.
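As an added example (not code from this report, from Fedora, or from audit2allow itself): a small Python script that parses the wrapped AVC records pasted in the comments above, groups them by source type, target type and object class, and renders a local policy module in the shape audit2allow -M produces, turning the directory getattr noise into dontaudit rules and flagging the quotaget denial (the one Walsh called significant) as an allow rule that needs review. The module name mysamba and the choice of which pairs to silence are assumptions; the records in SAMPLE_LOG are copied from the comments.

```python
import re

# Matches the records pasted in this report whatever the prefix (syslog "kernel: audit(...)"
# or auditd "type=AVC msg=audit(...)"); the lazy '.*?' stops at each record's own scontext.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

# Sample input: three records copied from the comments above, wrapped exactly as posted.
SAMPLE_LOG = """\
Aug 22 12:03:07 alexandria kernel: audit(1124733787.167:2646): avc:  denied  {
getattr } for  pid=5212 comm="smbd" name="/" dev=md1 ino=2
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:boot_t tclass=dir
type=AVC msg=audit(1128531131.967:62328): avc:  denied  { quotaget } for
pid=31250 comm="smbd" scontext=system_u:system_r:smbd_t
tcontext=system_u:object_r:fs_t tclass=filesystem
type=AVC msg=audit(1164863966.810:359193): avc:  denied  { getattr } for
pid=20025 comm="smbd" name="/" dev=dm-2 ino=2
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0
tclass=dir
"""

def se_type(context):
    """user:role:type[:range] -> type, the component a policy rule names (drops the :s0 MLS range)."""
    return context.split(":")[2]

def collect_denials(log):
    """Return {(src_type, tgt_type, tclass): {perm, ...}}; the wrapped records are joined to one line first."""
    flat = " ".join(line.strip() for line in log.splitlines())
    denials = {}
    for m in AVC_RE.finditer(flat):
        key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
        denials.setdefault(key, set()).update(m["perms"].split())
    return denials

def render_te(denials, module="mysamba", quiet=frozenset({("dir", "getattr")})):
    """Render a .te module in the shape audit2allow -M produces: class/permission pairs in `quiet`
    (the directory getattr noise the reporter wanted silenced) become dontaudit, the rest a flagged allow."""
    types = sorted({s for s, _, _ in denials} | {t for _, t, _ in denials})
    classes = {}
    for (_, _, cls), perms in denials.items():
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        for perm in sorted(perms):
            kind = "dontaudit" if (cls, perm) in quiet else "allow"
            out.append(f"{kind} {src} {tgt}:{cls} {perm};" + ("" if kind == "dontaudit" else "  # review"))
    return "\n".join(out)
```

Running print(render_te(collect_denials(SAMPLE_LOG))) gives a module that checkmodule/semodule_package can build; every allow line should be read against what smbd actually needs before it is loaded.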
