Bug 236463 - SELinux strange Samba home dir denial
Summary: SELinux strange Samba home dir denial
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-04-14 15:14 UTC by Anthony Messina
Modified: 2007-11-30 22:12 UTC (History)
1 user (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-22 14:13:48 UTC


Attachments (Terms of Use)

Description Anthony Messina 2007-04-14 15:14:06 UTC
Description of problem:
SELinux logs a denial when Samba tries to access a user's home dir, even though
samba_enable_home_dirs --> on.  It only seems to be bothered by the
.xsession-errors file.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-54.fc6
samba-3.0.24-4.fc6

How reproducible:
Each time

Steps to Reproduce:
1. Access a user's home dir via Samba (a user who alos uses this home dir for X
sessions)
2.
3.
  
Actual results:
avc: denied { getattr } for comm="smbd" dev=md0 egid=503 euid=503
exe="/usr/sbin/smbd" exit=0 fsgid=503 fsuid=503 gid=0 items=0
name=".xsession-errors" path="/home/mmessina/.xsession-errors" pid=9989
scontext=root:system_r:smbd_t:s0 sgid=0 subj=root:system_r:smbd_t:s0 suid=0
tclass=file tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=503

Expected results:
I'm not sure about this error. It didn't seem to happen before.

Additional info:

Comment 1 Daniel Walsh 2007-04-16 14:10:43 UTC
You need to enable the samba_enable_home_dirs boolean.
setsebool -P samba_enable_home_dirs=1



Comment 2 Anthony Messina 2007-04-16 16:39:59 UTC
that's just the trouble, i *do* have samba home dirs enabled.  

Comment 3 Daniel Walsh 2007-04-16 17:15:23 UTC
Ok this is a labeling problem.  For some reason .xsession-errors is labeled
incorrectly.  

restorecon -v /home/mmessina/.xsession-errors

Should fix the context.  Not sure how it got the wrong context on this file?

Should be user_home_t not user_home_dir_t.

Comment 4 Anthony Messina 2007-04-21 16:29:50 UTC
ok, i relabeled the .xsession-errors file.  in doing so, i found other .* (dot
files) that had the same issue.  logged out, logged back in and the files were
re-created with the user_home_dir_t type.

using selinux-policy-2.4.6-54.fc6

oh, and when i logged in/out, i did that on a linux only machine -- samba was
not involved with this user account.

Comment 5 Daniel Walsh 2007-04-23 14:44:01 UTC
When logged in please run id -Z at the command line?  Are you running in
permissive mode?

Comment 6 Anthony Messina 2007-04-23 16:31:23 UTC
id -Z gives:
user_u:system_r:unconfined_t

i don't think i detailed in the original report that this is over nfs4.  the
server is in permissive mode.  the client is in enforcing mode.

the above id -Z is on the client machine.

Comment 7 Daniel Walsh 2007-05-17 17:11:31 UTC
Fixed in selinux-policy-2.4.6-71.fc6

Comment 8 Daniel Walsh 2007-08-22 14:13:48 UTC
Fixed in current release


Note You need to log in before you can comment on or make changes to this bug.