Description of problem:
SELinux logs a denial when Samba tries to access a user's home dir, even though samba_enable_home_dirs --> on. It only seems to be bothered by the .xsession-errors file.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-54.fc6
samba-3.0.24-4.fc6

How reproducible:
Each time

Steps to Reproduce:
1. Access a user's home dir via Samba (a user who also uses this home dir for X sessions)

Actual results:
avc: denied { getattr } for comm="smbd" dev=md0 egid=503 euid=503 exe="/usr/sbin/smbd" exit=0 fsgid=503 fsuid=503 gid=0 items=0 name=".xsession-errors" path="/home/mmessina/.xsession-errors" pid=9989 scontext=root:system_r:smbd_t:s0 sgid=0 subj=root:system_r:smbd_t:s0 suid=0 tclass=file tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=503

Expected results:
I'm not sure about this error. It didn't seem to happen before.

Additional info:
You need to enable the samba_enable_home_dirs boolean.

setsebool -P samba_enable_home_dirs=1
That's just the trouble, I *do* have samba home dirs enabled.
Ok this is a labeling problem. For some reason .xsession-errors is labeled incorrectly.

restorecon -v /home/mmessina/.xsession-errors

Should fix the context. Not sure how it got the wrong context on this file? Should be user_home_t not user_home_dir_t.
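The check described in the comment above, as an added example that is not part of the original thread: it parses AVC denial lines in the format quoted in this report and lists paths where a non-directory object carries the directory type user_home_dir_t, which are the candidates for restorecon. The function names are hypothetical, and the second sample record is constructed for contrast.

```python
import re
import shlex

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First record is the denial quoted in this report; the second is constructed
# (a directory that correctly carries user_home_dir_t) for contrast.
SAMPLE = [
    'avc: denied { getattr } for comm="smbd" dev=md0 egid=503 euid=503 '
    'exe="/usr/sbin/smbd" exit=0 fsgid=503 fsuid=503 gid=0 items=0 '
    'name=".xsession-errors" path="/home/mmessina/.xsession-errors" pid=9989 '
    'scontext=root:system_r:smbd_t:s0 sgid=0 subj=root:system_r:smbd_t:s0 '
    'suid=0 tclass=file tcontext=root:object_r:user_home_dir_t:s0 tty=(none) '
    'uid=503',
    'avc: denied { search } for comm="smbd" name="mmessina" '
    'path="/home/mmessina" scontext=root:system_r:smbd_t:s0 tclass=dir '
    'tcontext=root:object_r:user_home_dir_t:s0',
]

def parse_avc(line):
    """Return the record's key=value fields plus 'perms', or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    return rec

def context_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def is_mislabeled(rec):
    """True when a non-directory object carries the directory type, as in this report."""
    return (rec.get('tclass') != 'dir'
            and context_type(rec.get('tcontext', '')) == 'user_home_dir_t')

def restorecon_targets(lines):
    """Sorted, de-duplicated paths whose label should be reset."""
    recs = (parse_avc(line) for line in lines)
    return sorted({r['path'] for r in recs if r and 'path' in r and is_mislabeled(r)})

if __name__ == '__main__':
    for path in restorecon_targets(SAMPLE):
        print('restorecon -v ' + shlex.quote(path))
```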
Ok, I relabeled the .xsession-errors file. In doing so, I found other .* (dot files) that had the same issue. Logged out, logged back in and the files were re-created with the user_home_dir_t type.

Using selinux-policy-2.4.6-54.fc6

Oh, and when I logged in/out, I did that on a Linux-only machine -- Samba was not involved with this user account.
When logged in please run id -Z at the command line? Are you running in permissive mode?
id -Z gives:

user_u:system_r:unconfined_t

I don't think I detailed in the original report that this is over nfs4. The server is in permissive mode. The client is in enforcing mode. The above id -Z is on the client machine.
Fixed in selinux-policy-2.4.6-71.fc6
Fixed in current release