Bug 192557 - smbd causes avc denied messages multiple times a second
Summary: smbd causes avc denied messages multiple times a second
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 5
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Simo Sorce
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-05-20 16:30 UTC by Carsten Clasohm
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-11-23 19:52:13 UTC
Type: ---
Embargoed:


Attachments
smb.conf (10.53 KB, text/plain)
2006-05-23 20:27 UTC, Carsten Clasohm

Description Carsten Clasohm 2006-05-20 16:30:39 UTC
Description of problem:

When a share is mounted, smbd tries to access certain files multiple times per
second, but is blocked by selinux. smbd works anyway, but the log messages and
the constant disk access are irritating.

Version-Release number of selected component (if applicable):
samba-3.0.22-1.fc5
selinux-policy-targeted-2.2.38-1.fc5

How reproducible:
always

Steps to Reproduce:
1. Export a directory with Samba.
2. Mount the directory from a Samba client. The messages only start when a share
is mounted.
3. Watch /var/log/messages.
  
Actual results:

audit(1148142750.613:7645): avc:  denied  { search } for pid=26972 comm="smbd"
name="fs" dev=proc ino=4026531867 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
audit(1148142750.613:7646): avc:  denied  { search } for pid=26972 comm="smbd"
name="nfs" dev=dm-5 ino=491657 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir

When you load a custom policy module allowing these two searches, you get the
next bunch:

audit(1148142280.781:7302): avc:  denied  { getattr } for  pid=26972 comm="smbd"
name="/" dev=binfmt_misc ino=6479 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
audit(1148142280.781:7303): avc:  denied  { getattr } for  pid=26972 comm="smbd"
name="/" dev=rpc_pipefs ino=7351 scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:rpc_pipefs_t:s0 tclass=dir

Expected results:
No AVC denied messages should be generated during normal operations.

Additional info:

The custom samba.te I'm now using looks like this:

module samba 1.0;

require {
	class dir { getattr search };

	type binfmt_misc_fs_t;
	type rpc_pipefs_t;
	type smbd_t;
	type sysctl_fs_t;
	type var_lib_nfs_t;
};

# getattr on the root of the binfmt_misc and rpc_pipefs pseudo-filesystems
allow smbd_t binfmt_misc_fs_t:dir getattr;
allow smbd_t rpc_pipefs_t:dir getattr;
# search of /proc/sys/fs and /var/lib/nfs
allow smbd_t sysctl_fs_t:dir search;
allow smbd_t var_lib_nfs_t:dir search;

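As an added example (not part of this report, nor of Samba or selinux-policy), the following script turns AVC denial lines like the ones quoted above into a .te module in the same shape as the hand-written samba.te. Repeated denials for the same (source, target, class) are merged into one rule, and dontaudit=True emits dontaudit rules instead of allow rules, which silences the log noise without granting the access; the SAMPLE_LOG lines are constructed from the messages in this report.

```python
import re

# Constructed sample: the four AVC denials quoted in this report, one per line.
SAMPLE_LOG = """\
audit(1148142750.613:7645): avc:  denied  { search } for pid=26972 comm="smbd" name="fs" dev=proc ino=4026531867 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
audit(1148142750.613:7646): avc:  denied  { search } for pid=26972 comm="smbd" name="nfs" dev=dm-5 ino=491657 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir
audit(1148142280.781:7302): avc:  denied  { getattr } for  pid=26972 comm="smbd" name="/" dev=binfmt_misc ino=6479 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
audit(1148142280.781:7303): avc:  denied  { getattr } for  pid=26972 comm="smbd" name="/" dev=rpc_pipefs ino=7351 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:rpc_pipefs_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?'
                    r'tclass=(?P<tclass>\w+)')

def parse_avc(log_text):
    """Yield (source_type, target_type, class, set_of_perms) for each denial line.
    The type is the third field of a context (user:role:type[:level])."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            stype = m.group('scontext').split(':')[2]
            ttype = m.group('tcontext').split(':')[2]
            yield stype, ttype, m.group('tclass'), set(m.group('perms').split())

def collect_rules(log_text):
    """Merge repeated denials into one entry per (source, target, class)."""
    rules = {}
    for stype, ttype, tclass, perms in parse_avc(log_text):
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    return rules

def render_module(rules, name, version='1.0', dontaudit=False):
    """Render a .te module; dontaudit=True silences the denials without granting access."""
    keyword = 'dontaudit' if dontaudit else 'allow'
    classes, types = {}, set()
    for (stype, ttype, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)   # union of perms per class
        types.update((stype, ttype))
    out = ['module %s %s;' % (name, version), '', 'require {']
    for tclass in sorted(classes):
        out.append('\tclass %s { %s };' % (tclass, ' '.join(sorted(classes[tclass]))))
    out.append('')
    out.extend('\ttype %s;' % t for t in sorted(types))
    out.extend(['};', ''])
    for key in sorted(rules):
        perms = sorted(rules[key])
        p = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        out.append('%s %s %s:%s %s;' % ((keyword,) + key + (p,)))
    return '\n'.join(out) + '\n'
```

Running render_module(collect_rules(SAMPLE_LOG), 'samba') reproduces the samba.te shown above; the output still has to be compiled and loaded with the usual checkmodule/semodule_package/semodule steps.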
Comment 1 Daniel Walsh 2006-05-23 19:55:34 UTC
Why is samba looking in these directories?  When it is denied, why does it keep
trying?  Should this be dontaudited, fixed in samba or apply the above fix?

Comment 2 Jay Fenlason 2006-05-23 20:18:39 UTC
What does your smb.conf look like? 

Comment 3 Carsten Clasohm 2006-05-23 20:27:51 UTC
Created attachment 129889
smb.conf

The default smb.conf, plus a share created with system-config-samba.

Comment 4 Simo Sorce 2007-11-23 19:52:13 UTC
This is not a samba bug, it was probably an SELinux bug but I believe it has
been long fixed now.

