Bug 484146 - setsebool -P samba_enable_home_dirs=1 is not completely effective.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE
Reported: 2009-02-04 23:34 UTC by Richard Chapman
Modified: 2012-10-15 13:53 UTC (History)

Last Closed: 2009-09-02 07:59:34 UTC

Links:
Red Hat Product Errata RHBA-2009:1242 (normal, SHIPPED_LIVE): selinux-policy bug fix update, last updated 2009-09-01 08:32:34 UTC

Description Richard Chapman 2009-02-04 23:34:23 UTC
Description of problem:

After setting:

setsebool -P samba_enable_home_dirs=1
we still see the following avc:

Summary
SELinux is preventing the samba daemon from reading users' home directories.
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux has denied the samba daemon access to users' home directories. Someone is attempting to access your home directories via your samba daemon. If you only set up samba to share non-home directories, this probably signals an intrusion attempt. For more information on SELinux integration with samba, look at the samba_selinux man page. (man samba_selinux)
Allowing Access
If you want samba to share home directories you need to turn on the samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"

The following command will allow this access:

setsebool -P samba_enable_home_dirs=1

Additional Information
Source Context:  	system_u:system_r:smbd_t
Target Context:  	system_u:object_r:spamassassin_home_t
Target Objects:  	/home/tim/.spamassassin/bayes_journal [ file ]
Source:  	smbd
Source Path:  	/usr/sbin/smbd
Port:  	<Unknown>
Host:  	C5.aardvark.com.au
Source RPM Packages:  	samba-3.0.28-1.el5_2.1
Target RPM Packages:  	
Policy RPM:  	selinux-policy-2.4.6-203.el5
Selinux Enabled:  	True
Policy Type:  	targeted
MLS Enabled:  	True
Enforcing Mode:  	Permissive
Plugin Name:  	samba_enable_home_dirs
Host Name:  	C5.aardvark.com.au
Platform:  	Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count:  	4
First Seen:  	Tue Jan 13 22:59:19 2009
Last Seen:  	Tue Feb 3 10:01:08 2009
Local ID:  	e70a0be2-0490-493e-bcf0-53d540b3b0dc
Line Numbers:  	

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1233622868.178:23965): avc: denied { getattr } for pid=18897 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26150202 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1233622868.178:23965): arch=c000003e syscall=4 success=yes exit=0 a0=7fff9a2e90c0 a1=7fff9a2e87f0 a2=7fff9a2e87f0 a3=7fff9a2e8cc0 items=0 ppid=3534 pid=18897 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)


Version-Release number of selected component (if applicable):

Relevant versions listed above in AVC.

How reproducible:

The problem appears to be related to ~/.spamassassin directories - so I would expect any system with active spamassassin to display the problem when samba is set to allow access to home directories.


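As an added illustration (not part of this bug report or of selinux-policy), a small triage script that parses AVC records like the ones quoted above and separates denials the samba_enable_home_dirs boolean can address from ones it cannot reach, which is the spamassassin_home_t case reported here. The set of home-directory types in HOME_TYPES and the third sample record are assumptions.

```python
import re

# Constructed sample: the two AVC lines quoted in the report (one repeated
# verbatim, to exercise de-duplication) plus one made-up denial on an ordinary home file.
SAMPLE_AUDIT = """\
host=C5.aardvark.com.au type=AVC msg=audit(1233622868.178:23965): avc: denied { getattr } for pid=18897 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26150202 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1233622868.178:23965): avc: denied { getattr } for pid=18897 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26150202 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1233622900.001:23970): avc: denied { read } for pid=18897 comm="smbd" path="/home/tim/notes.txt" dev=dm-0 ino=26150300 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Home-directory types the boolean is assumed to cover (assumption for this
# example; confirm on the host with: sesearch -A -s smbd_t -b samba_enable_home_dirs).
HOME_TYPES = {"user_home_t", "user_home_dir_t"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +"
    r"\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<sctx>\S+) "
    r"tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)"
)

def seltype(ctx):
    return ctx.split(":")[2]  # user:role:type[:range] -> type

def parse_avcs(text):
    """Parse AVC denials; lines repeating the same audit id collapse into one record."""
    seen, records = set(), []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["ts"], m["serial"], m["perms"].strip(), m["tctx"])
        if key in seen:
            continue
        seen.add(key)
        records.append({"serial": m["serial"], "perms": m["perms"].split(),
                        "stype": seltype(m["sctx"]), "ttype": seltype(m["tctx"]),
                        "tclass": m["tclass"]})
    return records

def triage(records, source="smbd_t", home_types=HOME_TYPES):
    """serial -> (target type, verdict). A target type outside home_types means
    the boolean cannot fix the denial: it needs a policy update, as in this bug."""
    out = {}
    for r in records:
        if r["stype"] == source:
            verdict = "covered-by-boolean" if r["ttype"] in home_types else "policy-gap"
            out[r["serial"]] = (r["ttype"], verdict)
    return out
```

A "policy-gap" verdict is the signal that toggling the boolean again will not help and the denial belongs in a bug report or a local policy module instead.
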
Comment 1 Daniel Walsh 2009-02-06 16:25:54 UTC
Fixed in selinux-policy-2.4.6-208

Comment 10 Daniel Walsh 2009-04-16 18:00:10 UTC
Milos, you said that the sesearch command is showing the access but when the tools run it is not allowed.

Can I gain access to this test machine?

Comment 11 Richard Chapman 2009-04-25 03:39:59 UTC
This appears to have been fixed - at least for my system with:
selinux-policy-*-2.4.6-225.el5.noarch.rpm
The problem persisted until I installed this version of policy - but I haven't seen it since.

Comment 12 Daniel Walsh 2009-04-27 13:52:39 UTC
Fixed in selinux-policy-*-2.4.6-225.el5.noarch.rpm

Comment 15 errata-xmlrpc 2009-09-02 07:59:34 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html
