Description of problem: After setting: setsebool -P samba_enable_home_dirs=1 we still see the following avc: Summary SELinux is preventing the samba daemon from reading users' home directories. Detailed Description [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux has denied the samba daemon access to users' home directories. Someone is attempting to access your home directories via your samba daemon. If you only setup samba to share non-home directories, this probably signals a intrusion attempt. For more information on SELinux integration with samba, look at the samba_selinux man page. (man samba_selinux) Allowing Access If you want samba to share home directories you need to turn on the samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1" The following command will allow this access: setsebool -P samba_enable_home_dirs=1 Additional Information Source Context: system_u:system_r:smbd_t Target Context: system_u:object_r:spamassassin_home_t Target Objects: /home/tim/.spamassassin/bayes_journal [ file ] Source: smbd Source Path: /usr/sbin/smbd Port: <Unknown> Host: C5.aardvark.com.au Source RPM Packages: samba-3.0.28-1.el5_2.1 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-203.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: samba_enable_home_dirs Host Name: C5.aardvark.com.au Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 Alert Count: 4 First Seen: Tue Jan 13 22:59:19 2009 Last Seen: Tue Feb 3 10:01:08 2009 Local ID: e70a0be2-0490-493e-bcf0-53d540b3b0dc Line Numbers: Raw Audit Messages : host=C5.aardvark.com.au type=AVC msg=audit(1233622868.178:23965): avc: denied { getattr } for pid=18897 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26150202 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file host=C5.aardvark.com.au type=AVC msg=audit(1233622868.178:23965): avc: denied { getattr } for pid=18897 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26150202 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file host=C5.aardvark.com.au type=SYSCALL msg=audit(1233622868.178:23965): arch=c000003e syscall=4 success=yes exit=0 a0=7fff9a2e90c0 a1=7fff9a2e87f0 a2=7fff9a2e87f0 a3=7fff9a2e8cc0 items=0 ppid=3534 pid=18897 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) host=C5.aardvark.com.au type=SYSCALL msg=audit(1233622868.178:23965): arch=c000003e syscall=4 success=yes exit=0 a0=7fff9a2e90c0 a1=7fff9a2e87f0 a2=7fff9a2e87f0 a3=7fff9a2e8cc0 items=0 ppid=3534 pid=18897 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) Version-Release number of selected component (if applicable): Relevant versions listed above in AVC. How reproducible: The problem appears to be related to ~/.spamassassin directories - so I would expect any system with active spamassassin to display the problem when samba is set to allow access to home directories. Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Fixed in selinux-policy-2.4.6-208
Milos you said that the sesearch command is showing the access but when the tools run it is not allowed. Can I gain access to this test machine?
This appears to have been fixed - at least for my system with: selinux-policy-*-2.4.6-225.el5.noarch.rpm The problem persisted until I installed this version of policy - but I haven't seen it since.
Fixed in selinux-policy-*-2.4.6-225.el5.noarch.rpm
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1242.html