Bug 219818 - selinux+samba
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware/OS: All Linux
Priority/Severity: medium / medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-12-15 11:41 EST by Peter (Zebar) Astakhov
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-12-18 13:31:50 EST
Doc Type: Bug Fix
Attachments: None
Description Peter (Zebar) Astakhov 2006-12-15 11:41:50 EST
Description of problem:
Access denied for samba due to SELinux.


Version-Release number of selected component (if applicable):
 rpm -qa | grep selinux
selinux-policy-2.4.6-7.fc6
libselinux-python-1.33.2-3.fc6
selinux-policy-targeted-2.4.6-7.fc6
libselinux-1.33.2-3.fc6

samba config:
[global]
        dos charset = CP866
        unix charset = LOCALE
        workgroup = NFCZN
        netbios name = FEDORA
        server string = Samba Server
        security = SHARE
        log file = /var/log/samba/%m.log
        max log size = 50
        time server = Yes
        dns proxy = No
        hosts allow = 10.17.185., 127.
        cups options = raw

[backup]
        comment = Directory for backup copies
        path = /var/shares/backup
        force user = zebar
        read only = No
        guest ok = Yes

What happened:
Access denied to the share.

Workaround:
In /etc/sysconfig/selinux I wrote
SELINUX=permissive
and rebooted.

Now there are a lot of messages in the syslog:
Dec 15 19:34:13 mail kernel: audit(1166200453.620:12): avc:  denied  { read } for  pid=2225 comm="smbd" name="backup" dev=hda6 ino=1080290 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir

Dec 15 19:34:13 mail kernel: audit(1166200453.623:13): avc:  denied  { write } for  pid=2225 comm="smbd" name="backup" dev=hda6 ino=1080290 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir

Dec 15 19:34:13 mail kernel: audit(1166200453.623:14): avc:  denied  { add_name } for  pid=2225 comm="smbd" name=D09DD0BED0B2D0B0D18F20D0BFD0B0D0BFD0BAD0B0 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir

Dec 15 19:34:13 mail kernel: audit(1166200453.623:15): avc:  denied  { create } for  pid=2225 comm="smbd" name=D09DD0BED0B2D0B0D18F20D0BFD0B0D0BFD0BAD0B0 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
Comment 1 Daniel Walsh 2006-12-18 13:31:50 EST
chcon -R -t samba_share_t /var/shares/backup

man samba_selinux

If you were using setroubleshoot it would have told you something like the
following.

Summary
    SELinux is preventing samba (smbd) "read" to backup (var_t).

Detailed Description
    SELinux denied samba access to backup. If you want to share this directory
    with samba it has to have a file context label of samba_share_t. If you did
    not intend to use backup as a samba repository it could indicate either a
    bug or it could signal an intrusion attempt.

Allowing Access
    You can alter the file context by executing chcon -R -t samba_share_t backup

    The following command will allow this access:
    chcon -R -t samba_share_t backup

Additional Information        

Source Context                root:system_r:smbd_t
Target Context                root:object_r:var_t
Target Objects                backup [ dir ]
Affected RPM Packages         
Policy RPM                    
Selinux Enabled               
Policy Type                   
MLS Enabled                   
Enforcing Mode                
Plugin Name                   plugins.samba_share
Host Name                     
Platform                      
Alert Count                   1
Line Numbers                  1

Raw Audit Messages            

avc: denied { read } for comm="smbd" dev=hda6 name="backup" pid=2225
scontext=root:system_r:smbd_t:s0 tclass=dir tcontext=root:object_r:var_t:s0
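The following script is an added example, not code from the bug report, from setroubleshoot or from the Fedora policy. It takes the first three AVC records quoted in the report (a constructed sample, each joined back onto the single line syslog originally wrote), extracts the source and target types so that every denial is visibly smbd_t against var_t, decodes the hex-encoded name= field (the kernel emits that form when a filename contains a space or non-ASCII bytes; here it is the UTF-8 for "Новая папка", Russian for "New folder"), and prints a persistent fix using semanage fcontext followed by restorecon for the share path taken from the reporter's smb.conf, /var/shares/backup. The semanage and restorecon invocations are printed rather than executed, which is an assumption made so the script runs on a machine without SELinux; on the affected host you would run the printed lines as root.

```sh
#!/bin/sh
# Added example (not from the bug report or the Fedora policy): triage the AVC
# denials quoted above and emit a persistent relabel for the share directory.
# Assumptions: the share path /var/shares/backup comes from the reporter's
# smb.conf; semanage/restorecon are printed, not executed, so this runs anywhere.

# Constructed sample: the first three kernel audit records from the report, each
# joined back onto one line as syslog originally wrote them.
AVC_SAMPLE='Dec 15 19:34:13 mail kernel: audit(1166200453.620:12): avc:  denied  { read } for  pid=2225 comm="smbd" name="backup" dev=hda6 ino=1080290 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
Dec 15 19:34:13 mail kernel: audit(1166200453.623:13): avc:  denied  { write } for  pid=2225 comm="smbd" name="backup" dev=hda6 ino=1080290 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
Dec 15 19:34:13 mail kernel: audit(1166200453.623:14): avc:  denied  { add_name } for  pid=2225 comm="smbd" name=D09DD0BED0B2D0B0D18F20D0BFD0B0D0BFD0BAD0B0 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir'

# One line per smbd denial: "<source type> <target type> <permission>".
# Denials whose target is already samba_share_t are skipped: those would point
# at a different problem than labelling.
smbd_denials() {
    printf '%s\n' "$AVC_SAMPLE" | awk '
        /avc: *denied/ && /comm="smbd"/ {
            perm = ""; st = ""; tt = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1)
                if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
                if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            }
            if (tt != "samba_share_t") print st, tt, perm
        }'
}

# The kernel hex-encodes name= when the filename holds a space or non-ASCII
# bytes. Turn each hex byte into a POSIX \0ddd octal escape with awk and let
# printf %b emit the raw bytes, so no bash-only \x escapes are needed.
decode_name() {
    esc=$(printf '%s' "$1" | awk '{
        hex = "0123456789ABCDEF"; out = ""
        for (i = 1; i < length($0); i += 2) {
            n = (index(hex, toupper(substr($0, i, 1))) - 1) * 16 + index(hex, toupper(substr($0, i + 1, 1))) - 1
            out = out sprintf("\\0%03o", n)
        }
        print out
    }')
    printf '%b\n' "$esc"
}

# Persistent fix: record the label in the policy file-context database and
# relabel from it. A bare chcon (comment 1) holds only until the next
# restorecon or filesystem relabel, which returns the directory to var_t.
relabel_commands() {
    share=$1
    printf 'semanage fcontext -a -t samba_share_t "%s(/.*)?"\n' "$share"
    printf 'restorecon -Rv "%s"\n' "$share"
}

# Usage: summarise the denials, decode the odd-looking name, print the fix.
smbd_denials | while read -r st tt perm; do
    printf 'smbd (%s) denied %s on a %s directory\n' "$st" "$perm" "$tt"
done
printf 'hex name decodes to: %s\n' "$(decode_name D09DD0BED0B2D0B0D18F20D0BFD0B0D0BFD0BAD0B0)"
relabel_commands /var/shares/backup
```

The semanage line records the pattern in the local file-context database, so the label survives a relabel; restorecon then applies it to the existing tree. Check the result with ls -dZ /var/shares/backup before turning enforcing mode back on.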
