Bug 473795 – selinux warning when trying to share a directory with samba that is already shared with nfs

Bug 473795 - selinux warning when trying to share a directory with samba that is already shared with nfs

Summary:	selinux warning when trying to share a directory with samba that is already s...

Status:	CLOSED UPSTREAM

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted (Show other bugs)
Sub Component:
Version:	10
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Fabian Affolter
QA Contact:	Ben Levenson
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	479644
	Show dependency tree / graph

Reported:	2008-11-30 12:10 EST by Bernd Bartmann
Modified:	2009-09-21 16:19 EDT (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-12-03 14:34:38 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Bernd Bartmann 2008-11-30 12:10:12 EST

Description of problem:
I'm getting a message (see below)when trying to share a directory with samba that is already shared with nfs

This message is completely misleading as NFS is already working, but samba is not.



Summary:

SELinux hindert den NFS-Daemon daran, dass entfernte Clients lokale Dateien
lesen.

Detailed Description:

SELinux hinderte den NFS-Daemon (nfsd) am Lesen im lokalen System. Falls Sie
keine Dateisysteme exportiert haben, könnte dies einen Einbruchsversuch
signalisieren.

Allowing Access:

Falls Sie Dateisysteme via NFS exportieren möchten, müssen Sie den
samba_export_all_ro Boolesch aktivieren: "setsebool -P samba_export_all_ro=1".

Fix Command:

setsebool -P samba_export_all_ro=1

Additional Information:

Source Context                unconfined_u:system_r:smbd_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                / [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          beverly.ncc1701d
Source RPM Packages           samba-3.2.4-0.22.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   samba_export_all_ro
Host Name                     beverly.ncc1701d
Platform                      Linux beverly.ncc1701d 2.6.27.5-117.fc10.x86_64 #1
                              SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64
Alert Count                   837
First Seen                    Sat Nov 29 22:46:26 2008
Last Seen                     Sat Nov 29 23:26:28 2008
Local ID                      c32cd63b-bff7-4040-a38d-1726e0462f8a
Line Numbers                  

Raw Audit Messages            

node=beverly.ncc1701d type=AVC msg=audit(1227997588.413:1300): avc:  denied  { read } for  pid=19806 comm="smbd" name="/" dev=md1 ino=2 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

node=beverly.ncc1701d type=SYSCALL msg=audit(1227997588.413:1300): arch=c000003e syscall=2 success=no exit=-13 a0=7f22b41182d0 a1=90800 a2=7f22b41b0f40 a3=2f13a70 items=0 ppid=19741 pid=19806 auid=500 uid=0 gid=0 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=47 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-18.fc10.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2008-12-01 17:14:24 EST

This looks like a translation problem.

Comment 2 Bernd Bartmann 2008-12-02 16:41:58 EST

I tried an "unset LANG" but even after this the "sealert -l" output comes with German messages. Is there any way to see the messages in English to verify that this is really a translation issue?

Comment 3 Daniel Walsh 2008-12-03 09:23:40 EST

LANG=C sealert ...

Should do it.

Comment 4 Bernd Bartmann 2008-12-03 09:34:12 EST

Nope, even with LANG=C in front of the sealert command I get the summary text in German.

Comment 5 Daniel Walsh 2008-12-03 09:44:28 EST

Ok read the source.

/usr/share/setroubleshoot/plugins/samba_export_all_ro.py

Comment 6 Bernd Bartmann 2008-12-03 09:51:34 EST

Thanks. The english text in the source looks good to me. Now, where is the translated text and how to get it fix, i.e. should we assign this to another component or person?

Comment 7 Fabian Affolter 2008-12-03 14:34:38 EST

Thanks for reporting this.  The German translation was wrong.

Fixed with commit
https://fedorahosted.org/setroubleshoot/browser/plugins/po/de.po?rev=1247%3A6e3fd70feea4

If the error still occurs in the next release of SETroubleShoot, please reopen this bug report.

Note You need to log in before you can comment on or make changes to this bug.