Bug 508775 - setroubleshoot gives incomplete output
setroubleshoot gives incomplete output
Product: Fedora
Classification: Fedora
Component: setroubleshoot (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2009-06-29 15:48 EDT by Orcan Ogetbil
Modified: 2009-11-18 08:10 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-11-18 08:10:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
the conversation at #selinux (2.81 KB, text/plain)
2009-06-29 15:48 EDT, Orcan Ogetbil
no flags Details
selinux_alert (2.82 KB, text/plain)
2009-06-29 17:14 EDT, Orcan Ogetbil
no flags Details

  None (edit)
Description Orcan Ogetbil 2009-06-29 15:48:13 EDT
Created attachment 349860 [details]
the conversation at #selinux

Folks at #selinux at IRC told me to file this bug here. 

Basically, setroubleshoot told me to issue a command 
   chcon -R -t samba_share_t '/home/melanie/Media'
when I tried to reach this box from a remote location. But issuing the command didn't help. It turned out that the /home/melanie/Media is a symlink and the target location needs to be relabeled too. But setroubleshoot doesn't indicate this.

I'm attaching the discussion.
Comment 1 Eric Paris 2009-06-29 15:51:18 EDT
Only other tidbit of any interest was the second denial message...

type=AVC msg=audit(1246303193.31:94341): avc: denied { search } for pid=31067 comm="smbd" name="Media" dev=sda7 ino=153419777 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir

type=SYSCALL msg=audit(1246303193.31:94341): arch=c000003e syscall=4 success=yes exit=0 a0=7fdb031f5d20 a1=7fff0aa702c0 a2=7fff0aa702c0 a3=61006300690073 items=0 ppid=27569 pid=31067 auid=500 uid=0 gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=99 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
Comment 2 Daniel Walsh 2009-06-29 16:38:11 EDT
The problem here is that we get the first denial which is all setroubleshoot can figure out, so I would suspect that it told you the correct thing, but there was a secondary issue, that after it followed the symbolic link, it was also blocked on actually reading /pub/samba

So the final solution is probably to label /pub and its subdirs as samba_share_t

# semanage fcontext -a -t samba_share_t '/pub(/.*)?'
# restorecon -R -v /pub

You might want to update to the latest setroubleshoot also.
Comment 3 Orcan Ogetbil 2009-06-29 16:51:38 EDT
Yes, relabeling /pub helps.

But both before and after issuing the command
   chcon -R -t samba_share_t '/home/melanie/Media'
setroubleshoot gave me the same message. It doesn't tell me anything about /pub. It just tells me to run
   chcon -R -t samba_share_t '/home/melanie/Media'
no matter how many times I run it.

I guess the symlinks need to be handled differently (? I'm a selinux-ignorant ?)
Comment 4 Daniel Walsh 2009-06-29 17:06:12 EDT
Please attach the setroubleshoot message
Comment 5 Orcan Ogetbil 2009-06-29 17:14:51 EDT
Created attachment 349878 [details]

here ya go
Comment 6 Daniel Walsh 2009-07-01 13:27:19 EDT
Well the setroubleshoot was exactly correct.  /home/melanie/Media was a directory and labeled default_t,  So if you changed the label. it would work.
Comment 7 Orcan Ogetbil 2009-07-01 13:31:59 EDT
No, as I said, /home/melanie/Media is not a directory. It is a symlink that points to /pub/Media.

Daniel, the bug is valid and reproducable.
Comment 8 Daniel Walsh 2009-07-01 17:08:20 EDT
You are right I am wrong, sorry.  The tool is searching for the inode reported by the kernel and found the link but read the file the link pointed to, found a match and reported the link as the problem.  Sadly all the kernel gives us is a name and an inode.

I will fix in setroubleshoot-2.1.14-2.fc11

Note You need to log in before you can comment on or make changes to this bug.