Bug 2212518 - SELinux is preventing smbd from 'create' accesses on the directory cores.
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:26ad8d827a36eb1ca3fe522764a...
Duplicates: 2212520
 
Reported: 2023-06-05 19:05 UTC by Hilário Fochi Silveira
Modified: 2023-08-04 16:05 UTC (History)

Last Closed: 2023-08-04 16:05:03 UTC
hilario: needinfo-


Attachments
File: os_info (699 bytes, text/plain), 2023-06-05 19:05 UTC, Hilário Fochi Silveira
File: description (2.34 KB, text/plain), 2023-06-05 19:05 UTC, Hilário Fochi Silveira

Description Hilário Fochi Silveira 2023-06-05 19:05:39 UTC
Description of problem:
These problems are generated after booting the computer.

semanage fcontext -a -t samba_share_t 'cores'
restorecon  -v 'cores'
restorecon: lstat(/home/default/cores) failed: No such file or directory
SELinux is preventing smbd from 'create' accesses on the diretório cores.

*****  Plugin samba_share (85.5 confidence) suggests   ***********************

Se você quer permitir que smbd tenha acesso create no cores directory
Then você precisa mudar o rótulo em 'cores'
Do
# semanage fcontext -a -t samba_share_t 'cores'
# restorecon  -v 'cores'

*****  Plugin catchall_boolean (13.8 confidence) suggests   ******************

Se você quiser allow samba to export all rw
Then você deve informar o SELinux sobre isso habilitando o booleano 'samba_export_all_rw'.

Do
setsebool -P samba_export_all_rw 1

*****  Plugin catchall (2.16 confidence) suggests   **************************

Se você acredita nisso smbd deve ser permitido create acesso no cores directory por padrão.
Then você deve informar que este é um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
permitir este acesso por agora executando:
# ausearch -c 'smbd' --raw | audit2allow -M my-smbd
# semodule -X 300 -i my-smbd.pp

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                cores [ dir ]
Source                        smbd
Source Path                   smbd
Port                          <Desconhecido>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.15-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.15-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.3.4-201.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat May 27 15:08:36 UTC 2023
                              x86_64
Alert Count                   20
First Seen                    2023-05-21 22:53:01 -03
Last Seen                     2023-06-05 15:44:23 -03
Local ID                      2db60cca-f075-4982-b38d-4951baa419e9

Raw Audit Messages
type=AVC msg=audit(1685990663.97:378): avc:  denied  { create } for  pid=32962 comm="smbd" name="cores" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0


Hash: smbd,smbd_t,var_log_t,dir,create

Version-Release number of selected component:
selinux-policy-targeted-38.15-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.10
reason:         SELinux is preventing smbd from 'create' accesses on the directory cores.
type:           libreport
kernel:         6.3.4-201.fc38.x86_64
component:      selinux-policy
package:        selinux-policy-targeted-38.15-1.fc38.noarch
hashmarkername: setroubleshoot
component:      selinux-policy

Comment 1 Hilário Fochi Silveira 2023-06-05 19:05:41 UTC
Created attachment 1969138
File: os_info

Comment 2 Hilário Fochi Silveira 2023-06-05 19:05:43 UTC
Created attachment 1969139
File: description

Comment 3 Zdenek Pytela 2023-06-06 07:03:29 UTC
Hello,

Is this a result of some configuration change?

Comment 4 Zdenek Pytela 2023-06-06 07:05:23 UTC
Data from the duplicate:
Raw Audit Messages
type=AVC msg=audit(1685990667.113:389): avc:  denied  { create } for  pid=33021 comm="smbd-notifyd" name="samba.smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0

Comment 5 Zdenek Pytela 2023-06-06 07:05:42 UTC
*** Bug 2212520 has been marked as a duplicate of this bug. ***

Comment 6 Hilário Fochi Silveira 2023-06-14 14:16:17 UTC
(In reply to Zdenek Pytela from comment #3)
> Hello,
> 
> Is this a result of some configuration change?

Before seeing this, I applied your solution for this first bug regarding Samba: https://bugzilla.redhat.com/show_bug.cgi?id=2182643

Comment 7 Zdenek Pytela 2023-06-14 19:24:09 UTC
(In reply to Hilário Fochi Silveira from comment #6)
> Before seeing this, I applied your solution for this first bug regarding
> Samba: https://bugzilla.redhat.com/show_bug.cgi?id=2182643

All right, that one addresses one problem. However, in your AVCs, there are "samba.smbd" or "cores" files/dirs which are not present on a common installation, so I wonder if it was some custom configuration change. Unfortunately, the paths for these files are not logged.
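
Added example, not part of the original thread and not code from setroubleshoot or selinux-policy: a small Python parser run over the two raw AVC records quoted in this bug. It rebuilds the five-field key shown on the report's "Hash:" line and flags records that carry only a bare name= with no path=, which is the gap comment 7 points out. The function names and the output layout are assumptions made for this illustration.

```python
import re

# Constructed sample: the two raw AVC records quoted on this page
# (the description and comment 4).
SAMPLE = '''\
type=AVC msg=audit(1685990663.97:378): avc:  denied  { create } for  pid=32962 comm="smbd" name="cores" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1685990667.113:389): avc:  denied  { create } for  pid=33021 comm="smbd-notifyd" name="samba.smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    # An SELinux context is user:role:type:level; the type is the third field.
    return context.split(':')[2]

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # Timestamp:serial identifies the audit event this record belongs to.
    fields['event_id'] = f"{m.group('ts')}:{m.group('serial')}"
    return fields

def summarize(text):
    rows = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rows.append({
            'event_id': rec['event_id'],
            # Same five fields, in the same order, as the report's "Hash:" line.
            'key': ','.join([rec.get('comm', ''), type_of(rec['scontext']),
                             type_of(rec['tcontext']), rec['tclass'],
                             *rec['perms']]),
            'name': rec.get('name', ''),
            # Without path= only the last path component is known.
            'has_path': 'path' in rec,
        })
    return rows

if __name__ == '__main__':
    for row in summarize(SAMPLE):
        note = '' if row['has_path'] else '  (no path= field: location unknown)'
        print(f"{row['event_id']}  {row['key']}  name={row['name']}{note}")
```

Both records come out flagged as lacking path=, so the name alone ("cores", "samba.smbd") does not say which directory smbd was writing to. The event ID printed for each record is the value to match against any PATH record from the same audit event, if one was logged.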

Comment 8 Zdenek Pytela 2023-08-04 16:05:03 UTC
As no new information appeared during the past weeks, we are going to close this bug. If you need to pursue this matter further, feel free to reopen this bug and attach the needed information.

