306071 – FC7 SELinux is preventing /usr/sbin/nmbd (nmbd_t) "rename" to log.nmbd (samba_log_t)

Bug 306071 - FC7 SELinux is preventing /usr/sbin/nmbd (nmbd_t) "rename" to log.nmbd (samba_log_t)

Summary: FC7 SELinux is preventing /usr/sbin/nmbd (nmbd_t) "rename" to log.nmbd (samba...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	7
Hardware:	i686
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-09-25 20:28 UTC by Avygdor Moise
Modified:	2008-01-30 19:19 UTC (History)
CC List:	1 user (show)
Fixed In Version:	Current
Clone Of:
Environment:
Last Closed:	2008-01-30 19:19:31 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Avygdor Moise 2007-09-25 20:28:47 UTC

Description of problem:

This seems to be a reintroduction of an old fixed bug from FC6 (245693).

SELinux is preventing /usr/sbin/nmbd (nmbd_t) "rename" to log.nmbd (samba_log_t).

In addition the log rotation fails in /var/log/samba by strange log files like
-rw-r--r-- 1 root root  695880 2007-09-25 14:21 log.nmbd
-rw-r--r-- 1 root root       0 2007-09-24 04:12 log.nmbd.1
-rw-r--r-- 1 root root 1350222 2007-09-24 04:12 log.nmbd.1.1
-rw-r--r-- 1 root root       0 2007-09-23 04:12 log.nmbd.1.1.1
-rw-r--r-- 1 root root 5181678 2007-09-23 04:12 log.nmbd.1.1.1.1
-rw-r--r-- 1 root root  256858 2007-09-17 19:36 log.nmbd.1.1.2
-rw-r--r-- 1 root root       0 2007-09-23 04:12 log.nmbd.1.2
-rw-r--r-- 1 root root       0 2007-09-17 19:36 log.nmbd.1.3
-rw-r--r-- 1 root root       0 2007-09-18 04:12 log.nmbd.2
-rw-r--r-- 1 root root       0 2007-09-17 19:36 log.nmbd.2.1
-rw-r--r-- 1 root root       0 2007-09-23 04:12 log.nmbd.3
-rw-r--r-- 1 root root       0 2007-09-23 04:12 log.nmbd.3.1
-rw-r--r-- 1 root root  496191 2007-08-19 04:12 log.nmbd.4




Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.6.4-42.fc7
selinux-policy-2.6.4-42.fc7
libselinux-devel-2.0.14-4.fc7
samba-client-3.0.26a-0.fc7
samba-3.0.26a-0.fc7
system-config-samba-1.2.52-1.fc7
samba-common-3.0.26a-0.fc7

How reproducible:

Very reproducible. The [avc: denied { rename } for comm="nmbd"...] messages
appear periodically and at least once daily.

Steps to Reproduce:
1. Install all of the components in the FC7 OS on i686 or AMD64 (installed as
i686 architecture).
2. Apply all updates effective September 24, 2007.
3. Setup SAMBA as follows:
        # setsebool -P samba_domain_controller on
        # setsebool -P samba_enable_home_dirs on
4. Enable Services: smbd, nmd
5. Add Passwords: See man pdbedit
        # pdbedit -a -u auser


Actual results:
Samba works fine, but it is prevented from rotating logs by selinux policy.

Expected results:
No more [avc: denied { rename } for comm="nmbd"...] messages.

Additional info:

Below is the output from SELinux Troubleshooter

------------ Start of report from SELinux Troubleshooter ---------
Summary
    SELinux is preventing /usr/sbin/nmbd (nmbd_t) "rename" to log.nmbd
    (samba_log_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/nmbd. It is not expected that
    this access is required by /usr/sbin/nmbd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for log.nmbd, restorecon -v log.nmbd
    If this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:nmbd_t
Target Context                root:object_r:samba_log_t
Target Objects                log.nmbd [ file ]
Affected RPM Packages         samba-3.0.26a-0.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-42.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     kirk
Platform                      Linux kirk 2.6.22.4-65.fc7 #1 SMP Tue Aug 21
                              22:36:56 EDT 2007 i686 athlon
Alert Count                   366
First Seen                    Tue 18 Sep 2007 02:33:26 PM MDT
Last Seen                     Tue 25 Sep 2007 02:10:51 PM MDT
Local ID                      4551ce98-d7d2-4592-b6ce-5597c61e8469
Line Numbers                  

Raw Audit Messages            

avc: denied { rename } for comm="nmbd" dev=sda6 egid=0 euid=0
exe="/usr/sbin/nmbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="log.nmbd"
pid=2599 scontext=system_u:system_r:nmbd_t:s0 sgid=0
subj=system_u:system_r:nmbd_t:s0 suid=0 tclass=file
tcontext=root:object_r:samba_log_t:s0 tty=(none) uid=0


------------ End of report from SELinux Troubleshooter ---------

Comment 1 Daniel Walsh 2007-09-25 21:19:45 UTC

Looks like selinux-policy-2.6.4-44.fc7 has these rules.

Comment 2 Daryl Hochhalter 2007-09-28 15:39:52 UTC

I have a very similar denial whenever I try to add a share, either NFS or SAMBA

Also, just ran YUM and policy 4.42 is all that was available for updates.

SELinux is preventing /usr/sbin/nmbd (nmbd_t) "read" to inotify (inotifyfs_t).

Additional InformationSource Context:  system_u:system_r:nmbd_tTarget 

Context:  system_u:object_r:inotifyfs_tTarget Objects:  inotify [ dir ]Affected
RPM Packages:  samba-3.0.25c-0.fc7 [application]Policy
RPM:  selinux-policy-2.6.4-40.fc7Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  plugins.catchall_fileHost 

Platform:  Linux NS1.mapjoin.net 2.6.22.4-65.fc7 #1 SMP Tue Aug 21 22:36:56 EDT
2007 i686 athlonAlert Count:  2First Seen:  Wed 26 Sep 2007 11:44:07 AM CDTLast
Seen:  Fri 28 Sep 2007 09:32:40 AM CDTLocal 

ID:  9bf0185f-dfa3-4332-b846-f389726d180aLine Numbers:  Raw Audit Messages :avc:
denied { read } for comm="nmbd" dev=inotifyfs egid=0 euid=0 exe="/usr/sbin/nmbd"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="inotify" path="inotify" pid=3404
scontext=system_u:system_r:nmbd_t:s0 sgid=0 subj=system_u:system_r:nmbd_t:s0 suid=0 
tclass=dir tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=0 

I have since updated selinux packages:
Installed Packages
selinux-doc.noarch                       1.26-1.1               installed       
selinux-policy.noarch                    2.6.4-42.fc7           installed       
selinux-policy-targeted.noarch           2.6.4-42.fc7           installed

Comment 3 Daniel Walsh 2008-01-30 19:19:31 UTC

Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.