Bug 525859 - samba trying to access /var/lib/mysql on a separate file system and blocked by SELinux
samba trying to access /var/lib/mysql on a separate file system and blocked b...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.3
x86_64 Linux
low Severity medium
: rc
: ---
Assigned To: Daniel Walsh
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-09-26 07:20 EDT by Preslav
Modified: 2011-01-13 16:48 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When a Samba server, smbd, attempted to access the content of the /var/lib/mysql/ directory, SELinux denied this access, and reported this event in the audit log. However, this access is not necessary for Samba to work properly. With this update, appropriate SELinux rules have been added to address this issue, and such access denial is no longer logged.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-13 16:48:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Preslav 2009-09-26 07:20:24 EDT
Description of problem:

Samba is constantly trying to access /var/lib/mysql, which is a separate local file system. The directory is not shared by samba. The access attempts are blocked by SELinux and lots of messages are written to /var/log/audit/audit.log and the log file is constantly rotated. If setrobleshootd is running, the system is overloaded by these messages, reaching a load of about 9 and eventually getting out of memory.

The analysis of the SELinux messages by the sealert command is:
Summary:

SELinux is preventing smbd (smbd_t) "getattr" to /var/lib/mysql (mysqld_db_t).

Detailed Description:

SELinux denied access requested by smbd. It is not expected that this access is
required by smbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:smbd_t
Target Context                system_u:object_r:mysqld_db_t
Target Objects                /var/lib/mysql [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          maritsa
Source RPM Packages           samba-3.0.33-3.7.el5_3.1
Target RPM Packages           mysql-server-5.0.77-3.el5
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     maritsa
Platform                      Linux maritsa 2.6.18-164.el5xen #1 SMP Thu Sep 3
                              04:03:03 EDT 2009 x86_64 x86_64
Alert Count                   393228
First Seen                    Tue Jun  9 20:20:12 2009
Last Seen                     Sat Sep 26 13:11:20 2009
Local ID                      1f83f8c9-72d0-4137-8f02-172e82212f5b
Line Numbers                  

Raw Audit Messages            

host=maritsa type=AVC msg=audit(1253959880.296:17657445): avc:  denied  { getattr } for  pid=18869 comm="smbd" path="/var/lib/mysql" dev=dm-8 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir

host=maritsa type=SYSCALL msg=audit(1253959880.296:17657445): arch=c000003e syscall=4 success=no exit=-13 a0=2ab180f88993 a1=7fff89e37730 a2=7fff89e37730 a3=0 items=0 ppid=18861 pid=18869 auid=0 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=205 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null) 

Version-Release number of selected component (if applicable):
samba-3.0.33-3.7.el5_3.1
selinux-policy-targeted-2.4.6-203.el5

How reproducible:


Steps to Reproduce:
1. Install and run samba server, do not share /var/lib/mysql
2. Make /var/lib/mysql a separate file system
3.
  
Actual results:
Lots of SELinux access denial messages. System overloaded .

Expected results:
No SELinux 'deny' messages. Samba should not try to access /var/lib/mysql without an apparent reason, or SELinux should allow "getattr" access to samba for all mountpoints.

Additional info:
I think this is very much related to bug 519002. I would speculate that for some reason samba is doing stat() on all mountpoints and this is blocked when some of them have special SELinux context.
Comment 2 Daniel Walsh 2010-05-27 15:36:42 EDT
Miroslav RHEL6 has

files_dontaudit_getattr_all_dirs(smbd_t)
Comment 4 Miroslav Grepl 2010-07-22 05:21:08 EDT
Fixed in selinux-policy-2.4.6-281.el5.noarch
Comment 7 Jaromir Hradilek 2011-01-05 11:00:33 EST
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When a Samba server, smbd, attempted to access the content of the /var/lib/mysql/ directory, SELinux denied this access, and reported this event in the audit log. However, this access is not necessary for Samba to work properly. With this update, appropriate SELinux rules have been added to address this issue, and such access denial is no longer logged.
Comment 9 errata-xmlrpc 2011-01-13 16:48:02 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

Note You need to log in before you can comment on or make changes to this bug.