Bug 253672 - smbclient causes AVC denied messages
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
7
All Linux
low Severity low
Assigned To: Daniel Walsh
Ben Levenson
 
Reported: 2007-08-21 01:17 EDT by Ken Reilly
Modified: 2008-01-30 14:05 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:05:43 EST

Attachments
setroubleshooter output (11.78 KB, text/plain)
2007-08-21 01:17 EDT, Pete Graner

Description Pete Graner 2007-08-21 01:17:01 EDT
Description of problem: smbclient throws avc messages when run from the command
line or via /etc/auto.smb auto mount map.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.6.4-33.fc7

How reproducible: Every time

I've attached the setroubleshooter output. Note that one access generates 5 AVCs;
they are all cat'ed into the attachment in the order they were generated.
Comment 1 Pete Graner 2007-08-21 01:17:01 EDT
Created attachment 161947 [details]
setroubleshooter output
Comment 2 Simo Sorce 2007-08-21 22:33:57 EDT
I guess there should be a transition rule to go from automount_t to bin_t?
What I don't get is why auto.smb should run smbclient, I'd expect mount.smbfs or
mount.cifs ...
Comment 3 Daniel Walsh 2007-08-22 08:55:34 EDT
It does, but first it runs smbclient to find all the shares exported from the
remote machine, then it mounts them all.  At least that is what the automount
guys have explained.

No transition necessary, I just needed to allow automount to read the
samba_var_t and samba_etc_t files.

smbclient does not currently have a domain.  bin_t is for domains executables
that will be run without a transition.

Fixed in selinux-policy-2.6.4-40
Comment 4 Dan O'Brien 2007-09-15 15:15:49 EDT
Straight autofs mount of CIFS type filesystems causes AVC messages:

Sep 15 14:02:55 yorky kernel: audit(1189879375.793:9): avc:  denied  { read }
for  pid=16802 comm="mount.cifs" name="hosts" dev=dm-0 ino=3604493
scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file

/etc/auto.master contains:
 /misc   /etc/auto.misc --timeout=60

/etc/auto.misc contains:
 k  -fstype=cifs,rw,dom=Enterprise,user=me,pass=myPwd ://nmrfs2/common

Mount does work.
Comment 5 Dan O'Brien 2007-09-15 15:16:47 EDT
Oops. Am running latest policy:

/home/dmobrien: rpm -q selinux-policy
selinux-policy-2.6.4-40.fc7
Comment 6 Daniel Walsh 2007-09-18 09:07:52 EDT
This looks like you have a badly labeled hosts file.  Something created a hosts
file in /tmp and then mv'd it to /etc.  I would guess

restorecon -V /etc/hosts

Comment 7 Dan O'Brien 2007-09-18 09:18:33 EDT
Yes, that is very likely.  I run the Juniper SSL VPN client code to access my
work machine, and I believe it does muck about with the /etc/hosts file.

/home/dmobrien: sudo  restorecon -V /etc/hosts
restorecon: invalid option -- V
usage:  restorecon [-iFnrRv] [-e excludedir ] [-o filename ] [-f filename |
pathname... ]
Comment 8 Dan O'Brien 2007-09-18 09:21:26 EDT
FYI:

/home/dmobrien: ls -lZ /etc/hosts   
-rw-r--r--  root root user_u:object_r:etc_t            /etc/hosts
Comment 9 Daniel Walsh 2007-09-18 10:53:26 EDT
Sorry about that: restorecon -v.

Anyways there was a hosts file that was not labeled etc_t that was causing the
problem.
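
Added example, not part of the original thread or of the selinux-policy project: a small parser that pulls the fields out of an AVC denial such as the one in Comment 4 and flags the pattern diagnosed in Comments 6 and 9, a regular file whose target type is still a scratch-directory type. The function names and the SCRATCH_TYPES set are assumptions made for this sketch.

```python
import re

# AVC denial from Comment 4, rejoined onto one line (the page wraps it).
SAMPLE = (
    'Sep 15 14:02:55 yorky kernel: audit(1189879375.793:9): avc:  denied  { read } '
    'for  pid=16802 comm="mount.cifs" name="hosts" dev=dm-0 ino=3604493 '
    'scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file'
)
# Constructed line: same record with an etc_t target, to exercise the other branch.
RELABELED = SAMPLE.replace("object_r:tmp_t", "object_r:etc_t")

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption for this sketch: types a file inherits when created in a scratch directory.
SCRATCH_TYPES = {"tmp_t", "user_tmp_t"}

def parse_avc(line):
    """Return the fields of one AVC denial line as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:level]; the type is what policy rules match on.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def looks_mislabeled(rec):
    """True when a regular-file target still carries a scratch-directory type."""
    return bool(rec) and rec.get("tclass") == "file" and rec["tcontext_type"] in SCRATCH_TYPES

def triage(line):
    """One-line hint for an analyst reading the audit log."""
    rec = parse_avc(line)
    if rec is None:
        return "not an AVC denial"
    what = "%s (%s) denied {%s} on name=%s ino=%s labeled %s" % (
        rec.get("comm"), rec["scontext_type"], " ".join(rec["perms"]),
        rec.get("name"), rec.get("ino"), rec["tcontext_type"])
    if looks_mislabeled(rec):
        return what + ": check the file's location, then relabel with restorecon -v"
    return what + ": target label is not a scratch type"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The AVC record carries only the file name and inode, not the full path, so the hint still has to be confirmed against the file on disk before relabeling.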
Comment 10 Red Hat Bugzilla 2007-10-23 11:25:19 EDT
User pgraner@redhat.com's account has been closed
Comment 11 Daniel Walsh 2008-01-30 14:05:43 EST
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.
