Bug 525859 - samba trying to access /var/lib/mysql on a separate file system and blocked by SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-09-26 11:20 UTC by Preslav
Modified: 2018-03-02 20:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When a Samba server, smbd, attempted to access the content of the /var/lib/mysql/ directory, SELinux denied this access, and reported this event in the audit log. However, this access is not necessary for Samba to work properly. With this update, appropriate SELinux rules have been added to address this issue, and such access denial is no longer logged.
Clone Of:
Environment:
Last Closed: 2011-01-13 21:48:02 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2011:0026 (priority: normal, status: SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-01-12 16:11:15 UTC

Description Preslav 2009-09-26 11:20:24 UTC
Description of problem:

Samba is constantly trying to access /var/lib/mysql, which is a separate local file system. The directory is not shared by samba. The access attempts are blocked by SELinux and lots of messages are written to /var/log/audit/audit.log, and the log file is constantly rotated. If setroubleshootd is running, the system is overloaded by these messages, reaching a load of about 9 and eventually running out of memory.

The analysis of the SELinux messages by the sealert command is:
Summary:

SELinux is preventing smbd (smbd_t) "getattr" to /var/lib/mysql (mysqld_db_t).

Detailed Description:

SELinux denied access requested by smbd. It is not expected that this access is
required by smbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:smbd_t
Target Context                system_u:object_r:mysqld_db_t
Target Objects                /var/lib/mysql [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          maritsa
Source RPM Packages           samba-3.0.33-3.7.el5_3.1
Target RPM Packages           mysql-server-5.0.77-3.el5
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     maritsa
Platform                      Linux maritsa 2.6.18-164.el5xen #1 SMP Thu Sep 3 04:03:03 EDT 2009 x86_64 x86_64
Alert Count                   393228
First Seen                    Tue Jun  9 20:20:12 2009
Last Seen                     Sat Sep 26 13:11:20 2009
Local ID                      1f83f8c9-72d0-4137-8f02-172e82212f5b
Line Numbers                  

Raw Audit Messages            

host=maritsa type=AVC msg=audit(1253959880.296:17657445): avc:  denied  { getattr } for  pid=18869 comm="smbd" path="/var/lib/mysql" dev=dm-8 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir

host=maritsa type=SYSCALL msg=audit(1253959880.296:17657445): arch=c000003e syscall=4 success=no exit=-13 a0=2ab180f88993 a1=7fff89e37730 a2=7fff89e37730 a3=0 items=0 ppid=18861 pid=18869 auid=0 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=205 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null) 

Version-Release number of selected component (if applicable):
samba-3.0.33-3.7.el5_3.1
selinux-policy-targeted-2.4.6-203.el5

How reproducible:


Steps to Reproduce:
1. Install and run samba server, do not share /var/lib/mysql
2. Make /var/lib/mysql a separate file system
3.
  
Actual results:
Lots of SELinux access denial messages. System overloaded.

Expected results:
No SELinux 'deny' messages. Samba should not try to access /var/lib/mysql without an apparent reason, or SELinux should allow "getattr" access to samba for all mountpoints.

Additional info:
I think this is very much related to bug 519002. I would speculate that for some reason samba is doing stat() on all mountpoints and this is blocked when some of them have special SELinux context.

Comment 2 Daniel Walsh 2010-05-27 19:36:42 UTC
Miroslav, RHEL6 has

files_dontaudit_getattr_all_dirs(smbd_t)

Comment 4 Miroslav Grepl 2010-07-22 09:21:08 UTC
Fixed in selinux-policy-2.4.6-281.el5.noarch
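The raw AVC record in the description and the dontaudit fix in Comments 2 and 4 are two halves of the same triage loop: aggregate the denials, decide which ones are harmless noise, and silence those without granting the access. The script below is an added example and is not code from this bug, from selinux-policy or from Samba; it re-implements in miniature what `audit2allow -D` does, grouping AVC lines by source type, target type, object class and permission and rendering a local `.te` module. The audit lines it parses are constructed to match the record in the report (the pid, inode and timestamp values are made up), and the module name `local_smbd_mysql` and the unhandled-rule comment format are my own choices.

```python
"""Aggregate SELinux AVC denials and render a dontaudit local policy module.

Added example for Bug 525859, not code from the bug or from selinux-policy.
Mirrors the idea behind `audit2allow -D`: count denials per
(source type, target type, class, permission) and emit a dontaudit rule for
the ones an operator has judged to be harmless noise.
"""
import re
from collections import Counter

# Constructed sample log: three copies of the getattr denial from the report
# (values other than the contexts and class are made up) plus one unrelated
# read denial so the aggregation has something to keep separate.
SAMPLE_AUDIT_LOG = """\
host=maritsa type=AVC msg=audit(1253959880.296:17657445): avc:  denied  { getattr } for  pid=18869 comm="smbd" path="/var/lib/mysql" dev=dm-8 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
host=maritsa type=SYSCALL msg=audit(1253959880.296:17657445): arch=c000003e syscall=4 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1253959881.101:17657446): avc:  denied  { getattr } for  pid=18870 comm="smbd" path="/var/lib/mysql" dev=dm-8 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1253959882.555:17657447): avc:  denied  { getattr } for  pid=18869 comm="smbd" path="/var/lib/mysql" dev=dm-8 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1253959890.000:17657448): avc:  denied  { read } for  pid=18869 comm="smbd" name="data.db" dev=dm-8 ino=17 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=file
"""

# Matches only AVC records; SYSCALL and other record types are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    """user:role:type[:range] -> type (e.g. root:system_r:smbd_t:s0 -> smbd_t)."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return a Counter keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A record may list several permissions in one brace group.
        for perm in m.group("perms").split():
            key = (_type_of(m.group("scontext")), _type_of(m.group("tcontext")),
                   m.group("tclass"), perm)
            counts[key] += 1
    return counts


def policy_module(counts, name, silence):
    """Render a .te local policy module.

    Keys listed in `silence` become dontaudit rules: the access is still
    refused, it just stops filling the audit log, which is what the RHEL fix
    does via files_dontaudit_getattr_all_dirs(smbd_t). Every other key is
    written as a comment instead of an allow rule, so nothing is granted
    without someone deciding the access is actually needed.
    """
    types, classes, body = set(), {}, []
    for key, n in sorted(counts.items()):
        stype, ttype, tclass, perm = key
        if key in silence:
            types.update((stype, ttype))
            classes.setdefault(tclass, set()).add(perm)
            body.append(f"dontaudit {stype} {ttype}:{tclass} {perm};\t# seen {n} times")
        else:
            body.append(f"# unhandled: {stype} -> {ttype}:{tclass} {{ {perm} }} "
                        f"count={n}, review before allowing")
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    out += ["}", ""] + body
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG)
    # Operator decision: a getattr on a foreign mountpoint is harmless noise.
    noise = {("smbd_t", "mysqld_db_t", "dir", "getattr")}
    print(policy_module(denials, "local_smbd_mysql", noise))
```

The rendered `.te` is loaded the usual way: `checkmodule -M -m -o local_smbd_mysql.mod local_smbd_mysql.te`, `semodule_package -o local_smbd_mysql.pp -m local_smbd_mysql.mod`, `semodule -i local_smbd_mysql.pp` (on a real log, `audit2allow -D -M local_smbd_mysql < /var/log/audit/audit.log` produces the equivalent in one step). The caveat is the one the reporter's sealert text hints at: a dontaudit rule hides the denial from every future investigation, so when you do need to see what smbd is being refused, rebuild the policy with dontaudit rules disabled (`semodule -DB`) and turn them back on afterwards (`semodule -B`).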

Comment 7 Jaromir Hradilek 2011-01-05 16:00:33 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When a Samba server, smbd, attempted to access the content of the /var/lib/mysql/ directory, SELinux denied this access, and reported this event in the audit log. However, this access is not necessary for Samba to work properly. With this update, appropriate SELinux rules have been added to address this issue, and such access denial is no longer logged.

Comment 9 errata-xmlrpc 2011-01-13 21:48:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

