Bug 473795 - selinux warning when trying to share a directory with samba that is already shared with nfs
Summary: selinux warning when trying to share a directory with samba that is already s...
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fabian Affolter
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 479644
TreeView+ depends on / blocked
 
Reported: 2008-11-30 17:10 UTC by Bernd Bartmann
Modified: 2009-09-21 20:19 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-12-03 19:34:38 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Bernd Bartmann 2008-11-30 17:10:12 UTC
Description of problem:
I'm getting a message (see below)when trying to share a directory with samba that is already shared with nfs

This message is completely misleading as NFS is already working, but samba is not.



Summary:

SELinux hindert den NFS-Daemon daran, dass entfernte Clients lokale Dateien
lesen.

Detailed Description:

SELinux hinderte den NFS-Daemon (nfsd) am Lesen im lokalen System. Falls Sie
keine Dateisysteme exportiert haben, könnte dies einen Einbruchsversuch
signalisieren.

Allowing Access:

Falls Sie Dateisysteme via NFS exportieren möchten, müssen Sie den
samba_export_all_ro Boolesch aktivieren: "setsebool -P samba_export_all_ro=1".

Fix Command:

setsebool -P samba_export_all_ro=1

Additional Information:

Source Context                unconfined_u:system_r:smbd_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                / [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          beverly.ncc1701d
Source RPM Packages           samba-3.2.4-0.22.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   samba_export_all_ro
Host Name                     beverly.ncc1701d
Platform                      Linux beverly.ncc1701d 2.6.27.5-117.fc10.x86_64 #1
                              SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64
Alert Count                   837
First Seen                    Sat Nov 29 22:46:26 2008
Last Seen                     Sat Nov 29 23:26:28 2008
Local ID                      c32cd63b-bff7-4040-a38d-1726e0462f8a
Line Numbers                  

Raw Audit Messages            

node=beverly.ncc1701d type=AVC msg=audit(1227997588.413:1300): avc:  denied  { read } for  pid=19806 comm="smbd" name="/" dev=md1 ino=2 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

node=beverly.ncc1701d type=SYSCALL msg=audit(1227997588.413:1300): arch=c000003e syscall=2 success=no exit=-13 a0=7f22b41182d0 a1=90800 a2=7f22b41b0f40 a3=2f13a70 items=0 ppid=19741 pid=19806 auid=500 uid=0 gid=0 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=47 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-18.fc10.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2008-12-01 22:14:24 UTC
This looks like a translation problem.

Comment 2 Bernd Bartmann 2008-12-02 21:41:58 UTC
I tried an "unset LANG" but even after this the "sealert -l" output comes with German messages. Is there any way to see the messages in English to verify that this is really a translation issue?

Comment 3 Daniel Walsh 2008-12-03 14:23:40 UTC
LANG=C sealert ...

Should do it.

Comment 4 Bernd Bartmann 2008-12-03 14:34:12 UTC
Nope, even with LANG=C in front of the sealert command I get the summary text in German.

Comment 5 Daniel Walsh 2008-12-03 14:44:28 UTC
Ok read the source.

/usr/share/setroubleshoot/plugins/samba_export_all_ro.py

Comment 6 Bernd Bartmann 2008-12-03 14:51:34 UTC
Thanks. The english text in the source looks good to me. Now, where is the translated text and how to get it fix, i.e. should we assign this to another component or person?

Comment 7 Fabian Affolter 2008-12-03 19:34:38 UTC
Thanks for reporting this.  The German translation was wrong.

Fixed with commit
https://fedorahosted.org/setroubleshoot/browser/plugins/po/de.po?rev=1247%3A6e3fd70feea4

If the error still occurs in the next release of SETroubleShoot, please reopen this bug report.


Note You need to log in before you can comment on or make changes to this bug.