Bug 443334 - setsebool ok & smb denied
Summary: setsebool ok & smb denied
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2008-04-20 20:28 UTC by Laurent Jacquot
Modified: 2008-11-17 22:03 UTC (History)

Clone Of:
Last Closed: 2008-11-17 22:03:33 UTC


Description Laurent Jacquot 2008-04-20 20:28:34 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv: Gecko/20080325 Fedora/ Firefox/

Description of problem:
SMB is denied read access to user_iceauth_home_t context even if I have:

[root@jack ~]# getsebool -a |grep samba
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_nfs --> off
use_samba_home_dirs --> on

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Share your $home via samba
2. Try to access it from another machine
3. Setroubleshoot pops up with the following:


SELinux is preventing the samba daemon from reading users' home directories.

Description détaillée:

SELinux has denied the samba daemon access to users' home directories. Someone
is attempting to access your home directories via your samba daemon. If you only
setup samba to share non-home directories, this probably signals a intrusion
attempt. For more information on SELinux integration with samba, look at the
samba_selinux man page. (man samba_selinux)

Autoriser l'accès:

Si vous souhaitez que samba partage des répertoires personnels vous devez
activer le booléen samba_enable_home_dirs : "setsebool -P

La commande suivante autorisera cet accès :

setsebool -P samba_enable_home_dirs=1

Informations complémentaires:

Contexte source               system_u:system_r:smbd_t:s0
Contexte cible                system_u:object_r:user_iceauth_home_t:s0
Objets du contexte            /home/alex/.ICEauthority [ file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Inconnu>
Host                          jack.lutty.net
Source RPM Packages           samba-3.0.28a-0.fc8
Target RPM Packages           
Politique RPM                 selinux-policy-3.0.8-95.fc8
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 samba_enable_home_dirs
Nom de l'hôte                jack.lutty.net
Plateforme                    Linux jack.lutty.net #1 SMP Sat
                              Mar 29 09:54:46 EDT 2008 i686 i686
Compteur d'alertes            30
First Seen                    ven 04 avr 2008 23:16:29 CEST
Last Seen                     lun 14 avr 2008 20:51:06 CEST
Local ID                      d2ee22f9-866b-4305-94c8-a029aee20c19
Numéros des lignes           

Messages d'audit bruts        

host=jack.lutty.net type=AVC msg=audit(1208199066.837:2675): avc:  denied  { getattr } for  pid=10432 comm="smbd" path="/home/alex/.ICEauthority" dev=dm-11 ino=850503 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_iceauth_home_t:s0 tclass=file

host=jack.lutty.net type=SYSCALL msg=audit(1208199066.837:2675): arch=40000003 syscall=195 success=no exit=-13 a0=bfc33194 a1=bfc32914 a2=4c5ff4 a3=bfc32914 items=0 ppid=3346 pid=10432 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)

Actual Results:

Expected Results:

Additional info:
What would be the right thing to do: dontaudit, allow or deny?
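
Added example (not part of the original report and not code from the selinux-policy project): a small Python triage script that pairs the AVC and SYSCALL records quoted above by their shared audit event id and reduces them to the access vector a reviewer would weigh for an allow or dontaudit rule. The function names parse, correlate and summarize are assumptions made for this example; the two records are copied verbatim from the report.

```python
import errno
import re
from datetime import datetime, timezone

# The two raw audit records from the report above, copied verbatim.
RECORDS = [
    'host=jack.lutty.net type=AVC msg=audit(1208199066.837:2675): avc:  denied  { getattr } for  pid=10432 comm="smbd" path="/home/alex/.ICEauthority" dev=dm-11 ino=850503 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_iceauth_home_t:s0 tclass=file',
    'host=jack.lutty.net type=SYSCALL msg=audit(1208199066.837:2675): arch=40000003 syscall=195 success=no exit=-13 a0=bfc33194 a1=bfc32914 a2=4c5ff4 a3=bfc32914 items=0 ppid=3346 pid=10432 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)',
]

HEADER = re.compile(r'type=(\w+) msg=audit\(((\d+\.\d+):\d+)\):')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record into its type, event id and key=value fields."""
    m = HEADER.search(line)
    if m is None:
        return None
    body = line[m.end():]
    rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
    rec.update(type=m.group(1), event_id=m.group(2), time=float(m.group(3)))
    avc = AVC.search(body)
    if avc:
        rec.update(result=avc.group(1), perms=avc.group(2).split())
    return rec

def correlate(lines):
    """Group records by audit event id (timestamp:serial); same id, same event."""
    events = {}
    for rec in filter(None, map(parse, lines)):
        events.setdefault(rec['event_id'], {})[rec['type']] = rec
    return events

def summarize(event):
    """Reduce an AVC + SYSCALL pair to the facts needed to triage the denial."""
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    # An SELinux context is user:role:type:level; the type is the third field.
    src, tgt = (avc[k].split(':')[2] for k in ('scontext', 'tcontext'))
    code = int(sc.get('exit', 0))
    return {
        'when_utc': datetime.fromtimestamp(avc['time'], timezone.utc).isoformat(timespec='seconds'),
        'vector': f"{src} {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};",
        'path': avc.get('path'),
        'errno': errno.errorcode.get(-code) if code < 0 else None,
        'uid': sc.get('uid'),
    }

if __name__ == '__main__':
    for event_id, event in correlate(RECORDS).items():
        print(event_id, summarize(event))
```

The vector field is printed without a leading keyword so that it can be read with either allow or dontaudit in front of it.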

Comment 1 Daniel Walsh 2008-04-21 17:21:16 UTC
Fixed in selinux-policy-3.0.8-101.fc8

Comment 2 Daniel Walsh 2008-11-17 22:03:33 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
