Description of problem:
When a share is mounted, smbd tries to access certain files multiple times per second, but is blocked by selinux. smbd works anyway, but the log messages and the constant disk access are irritating.

Version-Release number of selected component (if applicable):
samba-3.0.22-1.fc5
selinux-policy-targeted-2.2.38-1.fc5

How reproducible:
always

Steps to Reproduce:
1. Export a directory with Samba.
2. Mount the directory from a Samba client. The messages only start when a share is mounted.
3. Watch /var/log/messages.

Actual results:
audit(1148142750.613:7645): avc: denied { search } for pid=26972 comm="smbd" name="fs" dev=proc ino=4026531867 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
audit(1148142750.613:7646): avc: denied { search } for pid=26972 comm="smbd" name="nfs" dev=dm-5 ino=491657 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir

When you load a custom policy module allowing these two searches, you get the next bunch:
audit(1148142280.781:7302): avc: denied { getattr } for pid=26972 comm="smbd" name="/" dev=binfmt_misc ino=6479 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
audit(1148142280.781:7303): avc: denied { getattr } for pid=26972 comm="smbd" name="/" dev=rpc_pipefs ino=7351 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:rpc_pipefs_t:s0 tclass=dir

Expected results:
No AVC denied messages should be generated during normal operations.

Additional info:
The custom samba.te I'm now using looks like this:

module samba 1.0;

require {
	class dir { getattr search };
	type binfmt_misc_fs_t;
	type rpc_pipefs_t;
	type smbd_t;
	type sysctl_fs_t;
	type var_lib_nfs_t;
};

allow smbd_t binfmt_misc_fs_t:dir getattr;
allow smbd_t rpc_pipefs_t:dir getattr;
allow smbd_t sysctl_fs_t:dir search;
allow smbd_t var_lib_nfs_t:dir search;
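How the four denials in the report map onto the rules in the reporter's samba.te, as an added example that is not part of the original report and is not audit2allow's code. The function names are hypothetical; the log lines are the ones quoted in the report, and the same mapping can emit dontaudit rules instead of allow rules.

```python
import re
from collections import defaultdict

# The four AVC denials quoted in the report.
SAMPLE_LOG = """\
audit(1148142750.613:7645): avc: denied { search } for pid=26972 comm="smbd" name="fs" dev=proc ino=4026531867 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
audit(1148142750.613:7646): avc: denied { search } for pid=26972 comm="smbd" name="nfs" dev=dm-5 ino=491657 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir
audit(1148142280.781:7302): avc: denied { getattr } for pid=26972 comm="smbd" name="/" dev=binfmt_misc ino=6479 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
audit(1148142280.781:7303): avc: denied { getattr } for pid=26972 comm="smbd" name="/" dev=rpc_pipefs ino=7351 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:rpc_pipefs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def render_rules(denials, keyword="allow"):
    """Render one rule per (source, target, class); keyword may be 'dontaudit'."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"{keyword} {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(render_rules(collect_denials(SAMPLE_LOG))))
```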
Why is samba looking in these directories? When it is denied, why does it keep trying? Should this be dontaudited, fixed in samba, or should the above fix be applied?
What does your smb.conf look like?
Created attachment 129889
smb.conf

The default smb.conf, plus a share created with system-config-samba.
This is not a samba bug, it was probably an SELinux bug but I believe it has been long fixed now.