Bug 236463 - SELinux strange Samba home dir denial
SELinux strange Samba home dir denial
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
6
All Linux
medium Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-14 11:14 EDT by Anthony Messina
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:13:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Anthony Messina 2007-04-14 11:14:06 EDT
Description of problem:
SELinux logs a denial when Samba tries to access a user's home dir, even though
samba_enable_home_dirs --> on.  It only seems to be bothered by the
.xsession-errors file.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-54.fc6
samba-3.0.24-4.fc6

How reproducible:
Each time

Steps to Reproduce:
1. Access a user's home dir via Samba (a user who alos uses this home dir for X
sessions)
2.
3.
  
Actual results:
avc: denied { getattr } for comm="smbd" dev=md0 egid=503 euid=503
exe="/usr/sbin/smbd" exit=0 fsgid=503 fsuid=503 gid=0 items=0
name=".xsession-errors" path="/home/mmessina/.xsession-errors" pid=9989
scontext=root:system_r:smbd_t:s0 sgid=0 subj=root:system_r:smbd_t:s0 suid=0
tclass=file tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=503

Expected results:
I'm not sure about this error. It didn't seem to happen before.

Additional info:
Comment 1 Daniel Walsh 2007-04-16 10:10:43 EDT
You need to enable the samba_enable_home_dirs boolean.
setsebool -P samba_enable_home_dirs=1

Comment 2 Anthony Messina 2007-04-16 12:39:59 EDT
that's just the trouble, i *do* have samba home dirs enabled.  
Comment 3 Daniel Walsh 2007-04-16 13:15:23 EDT
Ok this is a labeling problem.  For some reason .xsession-errors is labeled
incorrectly.  

restorecon -v /home/mmessina/.xsession-errors

Should fix the context.  Not sure how it got the wrong context on this file?

Should be user_home_t not user_home_dir_t.
Comment 4 Anthony Messina 2007-04-21 12:29:50 EDT
ok, i relabeled the .xsession-errors file.  in doing so, i found other .* (dot
files) that had the same issue.  logged out, logged back in and the files were
re-created with the user_home_dir_t type.

using selinux-policy-2.4.6-54.fc6

oh, and when i logged in/out, i did that on a linux only machine -- samba was
not involved with this user account.
Comment 5 Daniel Walsh 2007-04-23 10:44:01 EDT
When logged in please run id -Z at the command line?  Are you running in
permissive mode?
Comment 6 Anthony Messina 2007-04-23 12:31:23 EDT
id -Z gives:
user_u:system_r:unconfined_t

i don't think i detailed in the original report that this is over nfs4.  the
server is in permissive mode.  the client is in enforcing mode.

the above id -Z is on the client machine.
Comment 7 Daniel Walsh 2007-05-17 13:11:31 EDT
Fixed in selinux-policy-2.4.6-71.fc6
Comment 8 Daniel Walsh 2007-08-22 10:13:48 EDT
Fixed in current release

Note You need to log in before you can comment on or make changes to this bug.