Description of problem:
I have home directories shared out via Samba and everything works except that the creation and removal of directories is blocked by selinux.

Version-Release number of selected component (if applicable):
system-config-samba-1.2.34-1
samba-client-3.0.22-1.fc5
samba-3.0.22-1.fc5
samba-common-3.0.22-1.fc5
selinux-policy-targeted-2.2.25-3.fc5
libselinux-1.30-1.fc5
libselinux-python-1.30-1.fc5
selinux-policy-2.2.25-3.fc5
libselinux-1.30-1.fc5

How reproducible:
Happens every time I try to md or rd from my Windows XP SP2 box via Samba. There are entries in the /var/log/messages indicating that the attempt was denied by selinux.

Steps to Reproduce:
1. Install FC5 ia64 including Samba
2. Configure Samba as follows:
   * Modify the following lines in /etc/samba/smb.conf:
       workgroup = OVOD-EVERETT
   * Append the following line after the existing hosts allow line:
       hosts allow = 192.168.0. 127.
   * Append the following line to the "[homes]" section:
       hide files = /Thumbs.db*/desktop.ini/
   * Run system-config-securitylevel:
   * On the SELinux tab:
   * Open "Modify SELinux Policy"
   * Under Samba, check "Allow Samba to share users home directories"
   * Go to System->Administration->Server Settings->Services
   * Go to Edit Runlevel->Runlevel All
   * Check "smb" in all three columns
   * Click "Save"
   * Reboot (or start smb service)
3. Mount a user's home directory from Win XP SP2 box
4. Attempt to create or remove a directory
5. Observe the following in the /var/log/messages file:
   Apr 8 08:01:57 vin kernel: audit(1144512117.816:21): avc: denied { create } for pid=2511 comm="smbd" name="foo" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
   Apr 8 08:15:37 vin kernel: audit(1144512937.506:22): avc: denied { rmdir } for pid=2511 comm="smbd" name="foo" dev=sda1 ino=7678492 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
6. Note that directory creation and removal works fine when logged in via sshd.
7. Note that file creation and removal works fine via Samba.

Actual results:
Cannot create or remove directories via Samba.

Expected results:
Can create or remove directories via Samba.

Additional info:
I'm not sure whether this gets addressed via the samba team or the selinux team. I guessed samba because it is my understanding that the selinux policy is now modular, but if I'm wrong please reassign as appropriate.

I see this too (on i386):

selinux-policy-targeted-2.2.29-3.fc5
selinux-policy-2.2.29-3.fc5
samba-common-3.0.22-1.fc5
samba-3.0.22-1.fc5

audit(1145962448.002:180): avc: denied { getattr } for pid=25069 comm="smbd" name=".Xauthority" dev=hda5 ino=10846572 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
audit(1145962468.107:181): avc: denied { create } for pid=25069 comm="smbd" name=4E657720466F6C646572 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
audit(1145962468.111:182): avc: denied { create } for pid=25069 comm="smbd" name=4E657720466F6C646572 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
audit(1145962468.111:183): avc: denied { create } for pid=25069 comm="smbd" name=4E657720466F6C64657220283229 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
audit(1145962468.115:184): avc: denied { create } for pid=25069 comm="smbd" name=4E657720466F6C64657220283229 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir

Note: the arch for this bug needs changing from ia64 to ALL.
Fixed in selinux-policy-2.2.34-3.fc5
selinux-policy 2.2.34-3.fc5 downloaded to my machine this morning and the problem definitely appears to be resolved. Thanks!