First Last Prev Next    This bug is not in your last search results.
Bug 429893 - Policy interferes with CIFS automounting
Policy interferes with CIFS automounting
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Josef Kubin
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-23 12:21 EST by Adam Huffman
Modified: 2008-02-18 10:03 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-18 10:03:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Adam Huffman 2008-01-23 12:21:11 EST 
Description of problem:
I have created an auto.cifs file to allow CIFS automounting with credentials. 
This has caused some AVC alerts.

Version-Release number of selected component (if applicable):
selinux-policy-3.2.5-15.fc9

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Here is the sealert message:

Summary:

SELinux is preventing smbclient(/usr/bin/smbclient) (automount_t) "create" to
<Unknown>
(samba_var_t).

Detailed Description:

SELinux denied access requested by smbclient(/usr/bin/smbclient). It is not
expected that this access is required by smbclient(/usr/bin/smbclient) and this
access may signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require additional
access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for <Unknown>,

restorecon -v <Unknown>

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:automount_t:s0
Target Context                unconfined_u:object_r:samba_var_t:s0
Target Objects                None [ file ]
Source                        smbclient(/usr/bin/smbclient)
Port                          <Unknown>
Host                          shuttle.config
Source RPM Packages 
Target RPM Packages 
Policy RPM                    selinux-policy-3.2.5-15.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     shuttle.config
Platform                      Linux shuttle.config 2.6.24-0.164.rc8.git4.fc9 #1
                              SMP Mon Jan 21 20:48:16 EST 2008 i686 athlon
Alert Count                   6
First Seen                    Wed Jan 23 17:00:05 2008
Last Seen                     Wed Jan 23 17:00:05 2008
Local ID                      e1c4c55d-54da-459e-b996-cd61afc7a5ce
Line Numbers

Raw Audit Messages  

host=shuttle.config type=AVC msg=audit(1201107605.256:131): avc:  denied  {
create } for  pid=5854 comm="smbclient" name="gencache.tdb"
scontext=unconfined_u:system_r:automount_t:s0
tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file

host=shuttle.config type=SYSCALL msg=audit(1201107605.256:131): arch=40000003
syscall=5 success=no exit=-13 a0=b83bcf70 a1=8042 a2=1a4 a3=8042 items=0
ppid=5853 pid=5854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="smbclient" exe="/usr/bin/smbclient"
subj=unconfined_u:system_r:automount_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-02-18 10:03:31 EST 
Fixed in selinux-policy-3.2.8-1.fc9
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.