Bug 192557 - smbd causes avc denied messages multiple times a second
Product: Fedora
Classification: Fedora
Component: samba
x86_64 Linux
medium Severity medium
Assigned To: Simo Sorce
David Lawrence
Depends On:
Reported: 2006-05-20 12:30 EDT by Carsten Clasohm
Modified: 2007-11-30 17:11 EST (History)

Doc Type: Bug Fix
Last Closed: 2007-11-23 14:52:13 EST

Attachments (Terms of Use)
smb.conf (10.53 KB, text/plain)
2006-05-23 16:27 EDT, Carsten Clasohm

Description Carsten Clasohm 2006-05-20 12:30:39 EDT
Description of problem:

When a share is mounted, smbd tries to access certain files multiple times per
second, but is blocked by selinux. smbd works anyway, but the log messages and
the constant disk access are irritating.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Export a directory with Samba.
2. Mount the directory from a Samba client. The messages only start when a share
is mounted.
3. Watch /var/log/messages.
Actual results:

audit(1148142750.613:7645): avc:  denied  { search } for pid=26972 comm="smbd"
name="fs" dev=proc ino=4026531867 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
audit(1148142750.613:7646): avc:  denied  { search } for pid=26972 comm="smbd"
name="nfs" dev=dm-5 ino=491657 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir

When you load a custom policy module allowing these two searches, you get the
next bunch:

audit(1148142280.781:7302): avc:  denied  { getattr } for  pid=26972 comm="smbd"
name="/" dev=binfmt_misc ino=6479 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
audit(1148142280.781:7303): avc:  denied  { getattr } for  pid=26972 comm="smbd"
name="/" dev=rpc_pipefs ino=7351 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:rpc_pipefs_t:s0 tclass=dir

Expected results:
No AVC denied messages should be generated during normal operations.

Additional info:

The custom samba.te I'm now using looks like this:

module samba 1.0;

require {
	# object class and the two permissions the AVC messages reported
	class dir { getattr search };

	# source (smbd) and target types named in the denials
	type binfmt_misc_fs_t;
	type rpc_pipefs_t;
	type smbd_t;
	type sysctl_fs_t;
	type var_lib_nfs_t;
}

# first batch of denials: directory searches under /proc/sys/fs and /var/lib/nfs
allow smbd_t sysctl_fs_t:dir search;
allow smbd_t var_lib_nfs_t:dir search;

# second batch: getattr on the root of the binfmt_misc and rpc_pipefs mounts
allow smbd_t binfmt_misc_fs_t:dir getattr;
allow smbd_t rpc_pipefs_t:dir getattr;
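As an added illustration (not part of the bug report or of Samba), the script below does by hand what audit2allow does: it parses AVC denial lines, groups them by source type, target type and object class, and renders a .te module like the one above. It also shows the second choice raised later in the thread, emitting a rule as dontaudit (silence the denial without granting the access) instead of allow. The four denial lines are the ones quoted in the report, joined back onto one line each as constructed sample input; the module name samba_local is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC lines quoted in the report, one per line.
SAMPLE_AVC = """\
audit(1148142750.613:7645): avc:  denied  { search } for pid=26972 comm="smbd" name="fs" dev=proc ino=4026531867 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
audit(1148142750.613:7646): avc:  denied  { search } for pid=26972 comm="smbd" name="nfs" dev=dm-5 ino=491657 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir
audit(1148142280.781:7302): avc:  denied  { getattr } for  pid=26972 comm="smbd" name="/" dev=binfmt_misc ino=6479 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
audit(1148142280.781:7303): avc:  denied  { getattr } for  pid=26972 comm="smbd" name="/" dev=rpc_pipefs ino=7351 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:rpc_pipefs_t:s0 tclass=dir
"""

# Pull the permission set, both contexts and the object class out of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """user:role:type:level -> type (the third field)."""
    return context.split(':')[2]


def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(permissions)} for all denials."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)


def render_module(rules, name='samba_local', version='1.0', dontaudit=None):
    """Render a .te module; keys listed in `dontaudit` become dontaudit rules, the rest allow."""
    dontaudit = dontaudit or set()
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)

    lines = [f'module {name} {version};', '', 'require {']
    for cls in sorted(classes):
        lines.append(f'\tclass {cls} {{ {" ".join(sorted(classes[cls]))} }};')
    for t in types:
        lines.append(f'\ttype {t};')
    lines += ['}', '']
    for key in sorted(rules):
        stype, ttype, cls = key
        verb = 'dontaudit' if key in dontaudit else 'allow'
        perms = ' '.join(sorted(rules[key]))
        if len(rules[key]) > 1:
            perms = f'{{ {perms} }}'
        lines.append(f'{verb} {stype} {ttype}:{cls} {perms};')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    found = parse_avc(SAMPLE_AVC)
    # Silence the /proc/sys/fs lookup instead of permitting it; allow the rest.
    print(render_module(found, dontaudit={('smbd_t', 'sysctl_fs_t', 'dir')}))
```

The grouping step is why audit2allow output is shorter than the raw log: thousands of repeated denials per second collapse into one rule per (source, target, class) triple. Which verb to use for each triple is the policy decision Comment 1 asks about, and the script keeps it explicit rather than defaulting everything to allow.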
Comment 1 Daniel Walsh 2006-05-23 15:55:34 EDT
Why is samba looking in these directories?  When it is denied, why does it keep
trying?  Should this be dontaudited, fixed in samba or apply the above fix?
Comment 2 Jay Fenlason 2006-05-23 16:18:39 EDT
What does your smb.conf look like? 
Comment 3 Carsten Clasohm 2006-05-23 16:27:51 EDT
Created attachment 129889 [details]

The default smb.conf, plus a share created with system-config-samba.
Comment 4 Simo Sorce 2007-11-23 14:52:13 EST
This is not a samba bug, it was probably an SELinux bug but I believe it has
been long fixed now.
