Bug 205600 - avc: denied { rename } for pid=5838 comm="smbd" name="heliopsis.log" dev=dm-2 ino=95461 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=file
Summary: avc: denied { rename } for pid=5838 comm="smbd" name="heliopsis.log" dev=d...
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-09-07 15:19 UTC by Orion Poplawski
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2006-09-18 18:29:36 UTC


Attachments (Terms of Use)

Description Orion Poplawski 2006-09-07 15:19:38 UTC
Description of problem:

Got this in the logs:

Sep  6 12:34:42 saga kernel: audit(1157567682.363:129): avc:  denied  { rename }
for  pid=5024 comm="smbd" name="heliopsis.log" dev=dm-2 ino=95641
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0
tclass=file
Sep  6 12:34:42 saga kernel: audit(1157567682.363:130): avc:  denied  { unlink }
for  pid=5024 comm="smbd" name="heliopsis.log.old" dev=dm-2 ino=95636
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0
tclass=file
Sep  6 12:41:51 saga kernel: audit(1157568111.382:131): avc:  denied  { rename }
for  pid=5838 comm="smbd" name="heliopsis.log" dev=dm-2 ino=95461
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0
tclass=file
Sep  6 12:41:51 saga kernel: audit(1157568111.382:132): avc:  denied  { unlink }
for  pid=5838 comm="smbd" name="heliopsis.log.old" dev=dm-2 ino=95424
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0
tclass=file

Running in permissive mode.
Version-Release number of selected component (if applicable):
selinux-policy-2.3.7-2.fc5

Comment 1 Daniel Walsh 2006-09-18 18:29:36 UTC
Policy for samba says the following

allow smbd_t samba_log_t:dir { create ra_dir_perms setattr };
dontaudit smbd_t samba_log_t:dir remove_name;
allow smbd_t samba_log_t:file { create ra_file_perms };

I believe the remove_name dontaudit would have prevented the AVC messages that
you see.  So I would say this is the expected behaviour.




Note You need to log in before you can comment on or make changes to this bug.