Bug 253672 - smbclient causes AVC denied messages
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
Version: 7
Hardware: All
OS: Linux
low
low
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-08-21 05:17 UTC by Ken Reilly
Modified: 2008-01-30 19:05 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:05:43 UTC


Attachments
setroubleshooter output (11.78 KB, text/plain)
2007-08-21 05:17 UTC, Pete Graner

Description Pete Graner 2007-08-21 05:17:01 UTC
Description of problem: smbclient throws avc messages when run from the command
line or via /etc/auto.smb auto mount map.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.6.4-33.fc7

How reproducible: Every time

I've attached the setroubleshooter output. Note that one access generates 5 avcs; they
are all cat'ed into the attachment in the order they were generated.

Comment 1 Pete Graner 2007-08-21 05:17:01 UTC
Created attachment 161947
setroubleshooter output

Comment 2 Simo Sorce 2007-08-22 02:33:57 UTC
I guess there should be a transition rule to go from automount_t to bin_t?
What I don't get is why auto.smb should run smbclient; I'd expect mount.smbfs or
mount.cifs ...

Comment 3 Daniel Walsh 2007-08-22 12:55:34 UTC
It does, but first it runs smbclient to find all the shares exported from the
remote machine, then it mounts them all.  At least that is what the automount
guys have explained.

No transition necessary, I just needed to allow automount to read the
samba_var_t and samba_etc_t files.

smbclient does not currently have a domain.  bin_t is for domains executables
that will be run without a transition.

Fixed in selinux-policy-2.6.4-40

Comment 4 Dan O'Brien 2007-09-15 19:15:49 UTC
Straight autofs mount of CIFS type filesystems causes AVC messages:

Sep 15 14:02:55 yorky kernel: audit(1189879375.793:9): avc:  denied  { read }
for  pid=16802 comm="mount.cifs" name="hosts" dev=dm-0 ino=3604493
scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file

/etc/auto.master contains:
 /misc   /etc/auto.misc --timeout=60

/etc/auto.misc contains:
 k  -fstype=cifs,rw,dom=Enterprise,user=me,pass=myPwd ://nmrfs2/common

Mount does work.

Comment 5 Dan O'Brien 2007-09-15 19:16:47 UTC
Oops. Am running latest policy:

/home/dmobrien: rpm -q selinux-policy
selinux-policy-2.6.4-40.fc7


Comment 6 Daniel Walsh 2007-09-18 13:07:52 UTC
This looks like you have a badly labeled hosts file.  Something created a hosts
file in /tmp and then mv'd it to /etc.  I would guess

restorecon -V /etc/hosts



Comment 7 Dan O'Brien 2007-09-18 13:18:33 UTC
Yes, that is very likely.  I run the Juniper SSL VPN client code to access my
work machine, and I believe it does muck about with the /etc/hosts file.

/home/dmobrien: sudo  restorecon -V /etc/hosts
restorecon: invalid option -- V
usage:  restorecon [-iFnrRv] [-e excludedir ] [-o filename ] [-f filename |
pathname... ]


Comment 8 Dan O'Brien 2007-09-18 13:21:26 UTC
FYI:

/home/dmobrien: ls -lZ /etc/hosts   
-rw-r--r--  root root user_u:object_r:etc_t            /etc/hosts


Comment 9 Daniel Walsh 2007-09-18 14:53:26 UTC
Sorry about that: restorecon -v.

Anyways, there was a hosts file that was not labeled etc_t that was causing the
problem.
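
Added example, not part of the original thread: a small Python parser for AVC denial lines that separates the two outcomes seen in this bug, a denial that needed a policy change (comment 3) and a denial caused by a file carrying a label from where it was created (comments 6 and 9). The list of "carried-over" types and the second sample line are assumptions made for illustration.

```python
import re

# Denial quoted in comment 4, joined onto one line.
COMMENT4_DENIAL = (
    'Sep 15 14:02:55 yorky kernel: audit(1189879375.793:9): avc:  denied  { read } '
    'for  pid=16802 comm="mount.cifs" name="hosts" dev=dm-0 ino=3604493 '
    'scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file'
)
# Constructed sample (not taken from the attachment): automount reading a samba_etc_t file.
CONSTRUCTED_DENIAL = (
    'audit(1187673421.000:1): avc:  denied  { read } for  pid=2001 comm="smbclient" '
    'name="smb.conf" dev=dm-0 ino=100 scontext=system_u:system_r:automount_t:s0 '
    'tcontext=system_u:object_r:samba_etc_t:s0 tclass=file'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILE_CLASSES = {"file", "dir", "lnk_file"}
# Assumption (heuristic, not from the thread): target types that usually mean the
# file was created somewhere else and moved into place, keeping its old label.
CARRIED_OVER_TYPES = {"tmp_t", "user_tmp_t", "user_home_t", "default_t", "file_t", "unlabeled_t"}

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one 'avc: denied' line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["source_type"] = selinux_type(rec.get("scontext", ""))
    rec["target_type"] = selinux_type(rec.get("tcontext", ""))
    return rec

def triage(rec):
    """'relabel' when the target looks mislabeled, otherwise 'policy'."""
    if rec.get("tclass") in FILE_CLASSES and rec["target_type"] in CARRIED_OVER_TYPES:
        return "relabel"
    return "policy"

if __name__ == "__main__":
    for line in (COMMENT4_DENIAL, CONSTRUCTED_DENIAL):
        rec = parse_avc(line)
        print(rec["comm"], rec["source_type"], "->", rec["target_type"], triage(rec))
```

A "relabel" result points at the file rather than the policy, which is where restorecon -v applies; the name= field is only a basename, so the full path still has to be located (for example by the ino= value).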

Comment 10 Red Hat Bugzilla 2007-10-23 15:25:19 UTC
User pgraner@redhat.com's account has been closed

Comment 11 Daniel Walsh 2008-01-30 19:05:43 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.

