Description of problem:
This seems to be a reintroduction of an old fixed bug from FC6 (245693).

SELinux is preventing /usr/sbin/nmbd (nmbd_t) "rename" to log.nmbd (samba_log_t).

In addition the log rotation fails in /var/log/samba by strange log files like

    -rw-r--r-- 1 root root 695880 2007-09-25 14:21 log.nmbd
    -rw-r--r-- 1 root root 0 2007-09-24 04:12 log.nmbd.1
    -rw-r--r-- 1 root root 1350222 2007-09-24 04:12 log.nmbd.1.1
    -rw-r--r-- 1 root root 0 2007-09-23 04:12 log.nmbd.1.1.1
    -rw-r--r-- 1 root root 5181678 2007-09-23 04:12 log.nmbd.1.1.1.1
    -rw-r--r-- 1 root root 256858 2007-09-17 19:36 log.nmbd.1.1.2
    -rw-r--r-- 1 root root 0 2007-09-23 04:12 log.nmbd.1.2
    -rw-r--r-- 1 root root 0 2007-09-17 19:36 log.nmbd.1.3
    -rw-r--r-- 1 root root 0 2007-09-18 04:12 log.nmbd.2
    -rw-r--r-- 1 root root 0 2007-09-17 19:36 log.nmbd.2.1
    -rw-r--r-- 1 root root 0 2007-09-23 04:12 log.nmbd.3
    -rw-r--r-- 1 root root 0 2007-09-23 04:12 log.nmbd.3.1
    -rw-r--r-- 1 root root 496191 2007-08-19 04:12 log.nmbd.4

Version-Release number of selected component (if applicable):
    selinux-policy-targeted-2.6.4-42.fc7
    selinux-policy-2.6.4-42.fc7
    libselinux-devel-2.0.14-4.fc7
    samba-client-3.0.26a-0.fc7
    samba-3.0.26a-0.fc7
    system-config-samba-1.2.52-1.fc7
    samba-common-3.0.26a-0.fc7

How reproducible:
Very reproducible. The [avc: denied { rename } for comm="nmbd"...] messages appear periodically and at least once daily.

Steps to Reproduce:
1. Install all of the components in the FC7 OS on i686 or AMD64 (installed as i686 architecture).
2. Apply all updates effective September 24, 2007.
3. Setup SAMBA as follows:
       # setsebool -P samba_domain_controller on
       # setsebool -P samba_enable_home_dirs on
4. Enable Services: smbd, nmd
5. Add Passwords: See man pdbedit
       # pdbedit -a -u auser

Actual results:
Samba works fine, but it is prevented from rotating logs by selinux policy.

Expected results:
No more [avc: denied { rename } for comm="nmbd"...] messages.

Additional info:
Below is the output from SELinux Troubleshooter

------------ Start of report from SELinux Troubleshooter ---------

Summary
    SELinux is preventing /usr/sbin/nmbd (nmbd_t) "rename" to log.nmbd (samba_log_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/nmbd. It is not expected that this access is required by /usr/sbin/nmbd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for log.nmbd,

        restorecon -v log.nmbd

    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

    Source Context          system_u:system_r:nmbd_t
    Target Context          root:object_r:samba_log_t
    Target Objects          log.nmbd [ file ]
    Affected RPM Packages   samba-3.0.26a-0.fc7 [application]
    Policy RPM              selinux-policy-2.6.4-42.fc7
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Enforcing
    Plugin Name             plugins.catchall_file
    Host Name               kirk
    Platform                Linux kirk 2.6.22.4-65.fc7 #1 SMP Tue Aug 21 22:36:56 EDT 2007 i686 athlon
    Alert Count             366
    First Seen              Tue 18 Sep 2007 02:33:26 PM MDT
    Last Seen               Tue 25 Sep 2007 02:10:51 PM MDT
    Local ID                4551ce98-d7d2-4592-b6ce-5597c61e8469
    Line Numbers

Raw Audit Messages

    avc: denied { rename } for comm="nmbd" dev=sda6 egid=0 euid=0 exe="/usr/sbin/nmbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="log.nmbd" pid=2599 scontext=system_u:system_r:nmbd_t:s0 sgid=0 subj=system_u:system_r:nmbd_t:s0 suid=0 tclass=file tcontext=root:object_r:samba_log_t:s0 tty=(none) uid=0

------------ End of report from SELinux Troubleshooter ---------

Looks like selinux-policy-2.6.4-44.fc7 has these rules.

I have a very similar denial whenever I try to add a share, either NFS or SAMBA. Also, just ran YUM and policy 4.42 is all that was available for updates.

SELinux is preventing /usr/sbin/nmbd (nmbd_t) "read" to inotify (inotifyfs_t).

Additional Information

    Source Context:         system_u:system_r:nmbd_t
    Target Context:         system_u:object_r:inotifyfs_t
    Target Objects:         inotify [ dir ]
    Affected RPM Packages:  samba-3.0.25c-0.fc7 [application]
    Policy RPM:             selinux-policy-2.6.4-40.fc7
    Selinux Enabled:        True
    Policy Type:            targeted
    MLS Enabled:            True
    Enforcing Mode:         Enforcing
    Plugin Name:            plugins.catchall_file
    Host Platform:          Linux NS1.mapjoin.net 2.6.22.4-65.fc7 #1 SMP Tue Aug 21 22:36:56 EDT 2007 i686 athlon
    Alert Count:            2
    First Seen:             Wed 26 Sep 2007 11:44:07 AM CDT
    Last Seen:              Fri 28 Sep 2007 09:32:40 AM CDT
    Local ID:               9bf0185f-dfa3-4332-b846-f389726d180a
    Line Numbers:

Raw Audit Messages:

    avc: denied { read } for comm="nmbd" dev=inotifyfs egid=0 euid=0 exe="/usr/sbin/nmbd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="inotify" path="inotify" pid=3404 scontext=system_u:system_r:nmbd_t:s0 sgid=0 subj=system_u:system_r:nmbd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=0

I have since updated selinux packages:

Installed Packages
    selinux-doc.noarch               1.26-1.1       installed
    selinux-policy.noarch            2.6.4-42.fc7   installed
    selinux-policy-targeted.noarch   2.6.4-42.fc7   installed

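Added example, not part of the original report or of any SELinux tool: a small Python parser for the two raw AVC messages quoted in this thread, reducing each denial to the type-enforcement rule a local policy module or a fixed selinux-policy package would have to contain. The sample lines are trimmed copies of those messages, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Trimmed copies of the two raw audit messages quoted in this thread.
SAMPLE_AVCS = [
    'avc: denied { rename } for comm="nmbd" dev=sda6 exe="/usr/sbin/nmbd" name="log.nmbd" '
    'pid=2599 scontext=system_u:system_r:nmbd_t:s0 tclass=file tcontext=root:object_r:samba_log_t:s0',
    'avc: denied { read } for comm="nmbd" dev=inotifyfs exe="/usr/sbin/nmbd" name="inotify" '
    'pid=3404 scontext=system_u:system_r:nmbd_t:s0 tclass=dir tcontext=system_u:object_r:inotifyfs_t:s0',
]

PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    src = fields.get('scontext', '').split(':')
    tgt = fields.get('tcontext', '').split(':')
    if len(src) < 3 or len(tgt) < 3 or 'tclass' not in fields:
        return None
    # A context is user:role:type[:mls-range]; policy rules are written on the type.
    return {'perms': m.group(1).split(), 'source': src[2], 'target': tgt[2],
            'tclass': fields['tclass'],
            'comm': fields.get('comm', ''), 'name': fields.get('name', '')}


def allow_rules(lines):
    """Merge denials into one sorted allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            merged[(avc['source'], avc['target'], avc['tclass'])].update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_AVCS)))
```

On a live system the same lines come from /var/log/audit/audit.log, and each emitted rule is the thing to look for in an updated selinux-policy package before writing a local module.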
Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.