Bug 219818 - selinux+samba
Summary: selinux+samba
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-12-15 16:41 UTC by Peter (Zebar) Astakhov
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-12-18 18:31:50 UTC
Type: ---
Embargoed:



Description Peter (Zebar) Astakhov 2006-12-15 16:41:50 UTC
Description of problem:
access denied for samba due to selinux


Version-Release number of selected component (if applicable):
 rpm -qa | grep selinux
selinux-policy-2.4.6-7.fc6
libselinux-python-1.33.2-3.fc6
selinux-policy-targeted-2.4.6-7.fc6
libselinux-1.33.2-3.fc6

samba config:
[global]
        dos charset = CP866
        unix charset = LOCALE
        workgroup = NFCZN
        netbios name = FEDORA
        server string = Samba Server
        security = SHARE
        log file = /var/log/samba/%m.log
        max log size = 50
        time server = Yes
        dns proxy = No
        hosts allow = 10.17.185., 127.
        cups options = raw

[backup]
        comment = Каталог для резервных копий
        path = /var/shares/backup
        force user = zebar
        read only = No
        guest ok = Yes

What's happened:
access denied to share

Workaround:
in /etc/sysconfig/selinux I wrote
SELINUX=permissive
and reboot

Now a lot of messages in the syslog:
Dec 15 19:34:13 mail kernel: audit(1166200453.620:12): avc:  denied  { read } for  pid=2225 comm="smbd" name="backup" dev=hda6 ino=1080290 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir

Dec 15 19:34:13 mail kernel: audit(1166200453.623:13): avc:  denied  { write } for  pid=2225 comm="smbd" name="backup" dev=hda6 ino=1080290 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir

Dec 15 19:34:13 mail kernel: audit(1166200453.623:14): avc:  denied  { add_name } for  pid=2225 comm="smbd" name=D09DD0BED0B2D0B0D18F20D0BFD0B0D0BFD0BAD0B0 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir

Dec 15 19:34:13 mail kernel: audit(1166200453.623:15): avc:  denied  { create } for  pid=2225 comm="smbd" name=D09DD0BED0B2D0B0D18F20D0BFD0B0D0BFD0BAD0B0 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir

Comment 1 Daniel Walsh 2006-12-18 18:31:50 UTC
chcon -R -t samba_share_t /var/backup

man samba_selinux

If you were using setroubleshoot it would have told you something like the
following.

Summary
    SELinux is preventing samba (smbd) "read" to backup (var_t).

Detailed Description
    SELinux denied samba access to backup. If you want to share this directory
    with samba it has to have a file context label of samba_share_t. If you did
    not intend to use backup as a samba repository it could indicate either a
    bug or it could signal an intrusion attempt.

Allowing Access
    You can alter the file context by executing chcon -R -t samba_share_t backup

    The following command will allow this access:
    chcon -R -t samba_share_t backup

Additional Information

Source Context                root:system_r:smbd_t
Target Context                root:object_r:var_t
Target Objects                backup [ dir ]
Affected RPM Packages
Policy RPM
Selinux Enabled
Policy Type
MLS Enabled
Enforcing Mode
Plugin Name                   plugins.samba_share
Host Name
Platform
Alert Count                   1
Line Numbers                  1

Raw Audit Messages            

avc: denied { read } for comm="smbd" dev=hda6 name="backup" pid=2225
scontext=root:system_r:smbd_t:s0 tclass=dir tcontext=root:object_r:var_t:s0
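As an added example (not code from the bug report or from the Fedora policy), the script below pulls the fields out of the AVC denials quoted in the description and, for the smbd_t-on-var_t case diagnosed in Comment 1, prints a persistent relabel using semanage fcontext plus restorecon, which survives a filesystem relabel where a bare chcon does not. The sample log line and the share path /var/shares/backup are taken from this bug; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the bug report: parse an AVC denial and emit the
# relabel the maintainer recommends, in its persistent semanage/restorecon form.

# Print the value of the key=value field $1 from AVC line $2 (quotes stripped).
# An unquoted name such as name=D09DD0BE... is the kernel's hex encoding of
# bytes it will not print verbatim (here a UTF-8 Cyrillic folder name).
avc_field() {
    printf '%s\n' "$2" | awk -v k="$1" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == k) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# Print the permission set inside "{ ... }", e.g. "read" or "add_name".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{\([^}]*\)}.*/\1/p' | tr -s ' ' | sed 's/^ //;s/ $//'
}

# For an smbd denial on a dir or file that is not yet samba_share_t, print the
# persistent relabel commands for share path $2; return 1 for any other denial.
samba_share_fix() {
    sdom=$(avc_field scontext "$1" | cut -d: -f3)
    ttype=$(avc_field tcontext "$1" | cut -d: -f3)
    tclass=$(avc_field tclass "$1")
    [ "$sdom" = smbd_t ] || return 1
    [ "$tclass" = dir ] || [ "$tclass" = file ] || return 1
    [ "$ttype" != samba_share_t ] || return 1   # already labelled: different cause
    printf 'smbd_t denied { %s } on %s labelled %s; relabel the share:\n' \
        "$(avc_perm "$1")" "$tclass" "$ttype"
    printf 'semanage fcontext -a -t samba_share_t "%s(/.*)?"\n' "$2"
    printf 'restorecon -Rv "%s"\n' "$2"
}

# Constructed sample: the first denial from the report, joined onto one line.
SAMPLE='Dec 15 19:34:13 mail kernel: audit(1166200453.620:12): avc:  denied  { read } for  pid=2225 comm="smbd" name="backup" dev=hda6 ino=1080290 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir'
samba_share_fix "$SAMPLE" /var/shares/backup
```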