Bug 192557 – smbd causes avc denied messages multiple times a second

Bug 192557 - smbd causes avc denied messages multiple times a second

Summary:	smbd causes avc denied messages multiple times a second

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	samba (Show other bugs)
Sub Component:
Version:	5
Hardware:	x86_64 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Simo Sorce
QA Contact:	David Lawrence
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2006-05-20 12:30 EDT by Carsten Clasohm
Modified:	2007-11-30 17:11 EST (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2007-11-23 14:52:13 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:

Attachments	(Terms of Use)
smb.conf (10.53 KB, text/plain) 2006-05-23 16:27 EDT, Carsten Clasohm	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Carsten Clasohm 2006-05-20 12:30:39 EDT

Description of problem:

When a share is mounted, smbd tries to access certain files multiple times per
second, but is blocked by selinux. smbd works anyway, but the log messages and
the constant disk access are irritating.

Version-Release number of selected component (if applicable):
samba-3.0.22-1.fc5
selinux-policy-targeted-2.2.38-1.fc5

How reproducible:
always

Steps to Reproduce:
1. Export a directory with Samba.
2. Mount the directory from a Samba client. The messages only start when a share
is mounted.
3. Watch /var/log/messages.
  
Actual results:

audit(1148142750.613:7645): avc:  denied  { search } for pid=26972 comm="smbd"
name="fs" dev=proc ino=4026531867 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
audit(1148142750.613:7646): avc:  denied  { search } for pid=26972 comm="smbd"
name="nfs" dev=dm-5 ino=491657 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir

When you load a custom policy module allowing these two searches, you get the
next bunch:

audit(1148142280.781:7302): avc:  denied  { getattr } for  pid=26972 comm="smbd"
name="/" dev=binfmt_misc ino=6479 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
audit(1148142280.781:7303): avc:  denied  { getattr } for  pid=26972 comm="smbd"
name="/" dev=rpc_pipefs ino=7351 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:rpc_pipefs_t:s0 tclass=dir

Expected results:
No AVC denied messages should be generated during normal operations.

Additional info:

The custom samba.te I'm now using looks like this:

module samba 1.0;

require {
	class dir { getattr search }; 

	type binfmt_misc_fs_t; 
	type rpc_pipefs_t; 
	type smbd_t; 
	type sysctl_fs_t; 
	type var_lib_nfs_t; 
};

allow smbd_t binfmt_misc_fs_t:dir getattr;
allow smbd_t rpc_pipefs_t:dir getattr;
allow smbd_t sysctl_fs_t:dir search;
allow smbd_t var_lib_nfs_t:dir search;

Comment 1 Daniel Walsh 2006-05-23 15:55:34 EDT

Why is samba looking in these directories?  When it is denied, why does it keep
trying?  Should this be dontaudited, fixed in samba or apply the above fix?

Comment 2 Jay Fenlason 2006-05-23 16:18:39 EDT

What does your smb.conf look like?

Comment 3 Carsten Clasohm 2006-05-23 16:27:51 EDT

Created attachment 129889 [details]
smb.conf

The default smb.conf, plus a share created with system-config-samba.

Comment 4 Simo Sorce 2007-11-23 14:52:13 EST

This is not a samba bug, it was probably an SELinux bug but I believe it has
been long fixed now.

Note You need to log in before you can comment on or make changes to this bug.