Description of problem: when selinux is in enfore mode starting samba will get many acces denied messages Version-Release number of selected component (if applicable): selinux-policy-targeted-2.2.47-3.fc5 How reproducible: run service start smb Actual results: Samba starts with access denied messages Expected results: start without this messages Additional info: audit: Jul 17 09:39:19 kernel: audit(1153121959.170:75): avc: denied { setattr } for pid=3436 comm=smbd name="smbd" dev=md1 ino=4484854 scontext=user_u:system_r:smbd_t tcontext=system_u:object_r:samba_log_t tclass=dir Jul 17 09:39:19 kernel: audit(1153121959.170:75): avc: denied { setattr } for pid=3436 comm=smbd name="smbd" dev=md1 ino=4484854 scontext=user_u:system_r:smbd_t tcontext=system_u:object_r:samba_log_t tclass=dir Jul 17 09:39:19 kernel: audit(1153121959.254:76): avc: denied { search } for pid=3436 comm=smbd name="cups" dev=md1 ino=4255697 scontext=user_u:system_r:smbd_t tcontext=system_u:object_r:cupsd_var_run_t tclass=dir Jul 17 09:39:19 kernel: audit(1153121959.470:77): avc: denied { setattr } for pid=3439 comm=nmbd name="nmbd" dev=md1 ino=4484855 scontext=user_u:system_r:nmbd_t tcontext=system_u:object_r:samba_log_t tclass=dir Jul 17 09:39:19 kernel: audit(1153121959.470:78): avc: denied { setattr } for pid=3439 comm=nmbd name="nmbd" dev=md1 ino=4484855 scontext=user_u:system_r:nmbd_t tcontext=system_u:object_r:samba_log_t tclass=dir
The relevant statements in samba.te in serefpolicy 2.2.47 are allow nmbd_t samba_log_t:dir ra_dir_perms; allow nmbd_t samba_log_t:file { create ra_file_perms }; Changing the 'ra_dir_perms' to 'rw_dir_perms' doesn't fix the problem; this is what smbd_t is set to, and it's also being rejected by selinux. I suspect this is related to the new 'cores' subdirectory of /var/log/samba. The obvious fix here would be to change the statements allow smbd_t samba_log_t:dir rw_dir_perms; allow nmbd_t samba_log_t:dir ra_dir_perms; to allow smbd_t samba_log_t:dir create_dir_perms; allow nmbd_t samba_log_t:dir create_dir_perms;
Fixed in selinux-policy-2.3.6-3.fc5
Closing bugs