Bug 188367 - selinux blocks create dir for smbd
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: ia64 Linux
Priority: medium
Severity: medium
Assigned To: Russell Coker
 
Reported: 2006-04-08 12:11 EDT by Toby Ovod-Everett
Modified: 2007-11-30 17:11 EST
Fixed In Version: -2.2.34-3.fc5
Doc Type: Bug Fix
Last Closed: 2006-05-01 16:14:31 EDT


Description Toby Ovod-Everett 2006-04-08 12:11:56 EDT
Description of problem:
I have home directories shared out via Samba and everything works except that 
the creation and removal of directories is blocked by selinux.

Version-Release number of selected component (if applicable):
system-config-samba-1.2.34-1
samba-client-3.0.22-1.fc5
samba-3.0.22-1.fc5
samba-common-3.0.22-1.fc5
selinux-policy-targeted-2.2.25-3.fc5
libselinux-1.30-1.fc5
libselinux-python-1.30-1.fc5
selinux-policy-2.2.25-3.fc5
libselinux-1.30-1.fc5

How reproducible:
Happens every time I try to md or rd from my Windows XP SP2 box via Samba.  
There are entries in the /var/log/messages indicating that the attempt was 
denied by selinux.


Steps to Reproduce:
1. Install FC5 ia64 including Samba

2. Configure Samba as follows:
* Modify the following lines in /etc/samba/smb.conf:
    workgroup = OVOD-EVERETT
* Append the following line after the existing hosts allow line:
   hosts allow = 192.168.0. 127.
* Append the following line to the “[homes]” section:
   hide files = /Thumbs.db*/desktop.ini/
* Run system-config-securitylevel:
  * On the SELinux tab:
    * Open “Modify SELinux Policy”
    * Under Samba, check “Allow Samba to share users home directories”
* Go to System->Administration->Server Settings->Services
  * Go to Edit Runlevel->Runlevel All
  * Check “smb” in all three columns
  * Click “Save”
* Reboot (or start smb service)

3. Mount a user's home directory from Win XP SP2 box

4. Attempt to create or remove a directory

5. Observe the following in the /var/log/messages file:

Apr  8 08:01:57 vin kernel: audit(1144512117.816:21): avc:  denied  { create } for  pid=2511 comm="smbd" name="foo" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
Apr  8 08:15:37 vin kernel: audit(1144512937.506:22): avc:  denied  { rmdir } for  pid=2511 comm="smbd" name="foo" dev=sda1 ino=7678492 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir

6. Note that directory creation and removal works fine when logged in via sshd.

7. Note that file creation and removal works fine via Samba.

  
Actual results:
Cannot create or remove directories via Samba.

Expected results:
Can create or remove directories via Samba.

Additional info:
I'm not sure whether this gets addressed via the samba team or the selinux 
team.  I guessed samba because it is my understanding that the selinux policy 
is now modular, but if I'm wrong please reassign as appropriate.
Comment 1 Jonathan Underwood 2006-04-25 08:22:25 EDT
I see this too (on i386):

selinux-policy-targeted-2.2.29-3.fc5
selinux-policy-2.2.29-3.fc5
samba-common-3.0.22-1.fc5
samba-3.0.22-1.fc5
audit(1145962448.002:180): avc:  denied  { getattr } for  pid=25069 comm="smbd" name=".Xauthority" dev=hda5 ino=10846572 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
audit(1145962468.107:181): avc:  denied  { create } for  pid=25069 comm="smbd" name=4E657720466F6C646572 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
audit(1145962468.111:182): avc:  denied  { create } for  pid=25069 comm="smbd" name=4E657720466F6C646572 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
audit(1145962468.111:183): avc:  denied  { create } for  pid=25069 comm="smbd" name=4E657720466F6C64657220283229 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
audit(1145962468.115:184): avc:  denied  { create } for  pid=25069 comm="smbd" name=4E657720466F6C64657220283229 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir

Comment 2 Jonathan Underwood 2006-04-25 08:42:04 EDT
Note: the arch for this bug needs changing from ia64 to ALL.
Comment 3 Daniel Walsh 2006-04-25 09:42:04 EDT
Fixed in selinux-policy-2.2.34-3.fc5
Comment 4 Toby Ovod-Everett 2006-04-27 11:39:44 EDT
selinux-policy 2.2.34-3.fc5 downloaded to my machine this morning and the 
problem definitely appears to be resolved.  Thanks!
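
Added example (not part of the original bug report or of any Fedora tooling): a small Python parser for the AVC denial records quoted in the description and in Comment 1. It decodes the hex-encoded `name=` values and groups the denials by source type, target type and object class; the function names are illustrative, and the hex decoding relies on the audit convention that safe names are quoted and unsafe ones are logged unquoted as hex.

```python
import re
from collections import defaultdict

# Records copied from this report, one per line (the syslog prefix is optional).
SAMPLE = """\
Apr  8 08:15:37 vin kernel: audit(1144512937.506:22): avc:  denied  { rmdir } for  pid=2511 comm="smbd" name="foo" dev=sda1 ino=7678492 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
audit(1145962448.002:180): avc:  denied  { getattr } for  pid=25069 comm="smbd" name=".Xauthority" dev=hda5 ino=10846572 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
audit(1145962468.107:181): avc:  denied  { create } for  pid=25069 comm="smbd" name=4E657720466F6C646572 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
audit(1145962468.111:183): avc:  denied  { create } for  pid=25069 comm="smbd" name=4E657720466F6C64657220283229 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_name(raw):
    # Safe names are logged in quotes; names with spaces or other unsafe bytes
    # are logged unquoted as hex, so an unquoted all-hex value gets decoded.
    if raw.startswith('"'):
        return raw.strip('"')
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group(2)))
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group(1).split()
    rec["name"] = decode_name(rec.get("name", ""))
    # A context is user:role:type[:level]; policy rules are written on the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    # Group denials by (source type, target type, class), as a policy rule would.
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["names"].add(rec["name"])
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} names={sorted(g['names'])}")
```

The grouped output shows at a glance that `smbd_t` was denied `create` and `rmdir` on `user_home_t` directories, and that the hex names are the Windows defaults "New Folder" and "New Folder (2)".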
