Description of problem:
Samba is constantly trying to access /var/lib/mysql, which is a separate local file system. The directory is not shared by samba. The access attempts are blocked by SELinux and lots of messages are written to /var/log/audit/audit.log and the log file is constantly rotated. If setroubleshootd is running, the system is overloaded by these messages, reaching a load of about 9 and eventually getting out of memory.

The analysis of the SELinux messages by the sealert command is:

Summary:
SELinux is preventing smbd (smbd_t) "getattr" to /var/lib/mysql (mysqld_db_t).

Detailed Description:
SELinux denied access requested by smbd. It is not expected that this access is required by smbd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context: root:system_r:smbd_t
Target Context: system_u:object_r:mysqld_db_t
Target Objects: /var/lib/mysql [ dir ]
Source: smbd
Source Path: /usr/sbin/smbd
Port: <Unknown>
Host: maritsa
Source RPM Packages: samba-3.0.33-3.7.el5_3.1
Target RPM Packages: mysql-server-5.0.77-3.el5
Policy RPM: selinux-policy-2.4.6-203.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: maritsa
Platform: Linux maritsa 2.6.18-164.el5xen #1 SMP Thu Sep 3 04:03:03 EDT 2009 x86_64 x86_64
Alert Count: 393228
First Seen: Tue Jun 9 20:20:12 2009
Last Seen: Sat Sep 26 13:11:20 2009
Local ID: 1f83f8c9-72d0-4137-8f02-172e82212f5b
Line Numbers:

Raw Audit Messages:
host=maritsa type=AVC msg=audit(1253959880.296:17657445): avc: denied { getattr } for pid=18869 comm="smbd" path="/var/lib/mysql" dev=dm-8 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
host=maritsa type=SYSCALL msg=audit(1253959880.296:17657445): arch=c000003e syscall=4 success=no exit=-13 a0=2ab180f88993 a1=7fff89e37730 a2=7fff89e37730 a3=0 items=0 ppid=18861 pid=18869 auid=0 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=205 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
samba-3.0.33-3.7.el5_3.1
selinux-policy-targeted-2.4.6-203.el5

How reproducible:

Steps to Reproduce:
1. Install and run samba server, do not share /var/lib/mysql
2. Make /var/lib/mysql a separate file system
3.

Actual results:
Lots of SELinux access denial messages. System overloaded.

Expected results:
No SELinux 'deny' messages. Samba should not try to access /var/lib/mysql without an apparent reason, or SELinux should allow "getattr" access to samba for all mountpoints.

Additional info:
I think this is very much related to bug 519002.
I would speculate that for some reason samba is doing stat() on all mountpoints and this is blocked when some of them have special SELinux context.
Miroslav, RHEL6 has files_dontaudit_getattr_all_dirs(smbd_t)
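As an added illustration (not code from this bug report or from the selinux-policy package), the following script parses AVC records shaped like the one quoted above, counts identical denials so the noisy ones stand out, and emits a local policy module that uses dontaudit, in the spirit of the RHEL6 rule mentioned here, rather than the allow rule sealert proposes. The sample log and the module name local_smbd_mysql are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: two AVC records patterned on the one in this report plus the
# matching SYSCALL record, which the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1253959880.296:17657445): avc: denied { getattr } for pid=18869 comm="smbd" path="/var/lib/mysql" dev=dm-8 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=SYSCALL msg=audit(1253959880.296:17657445): arch=c000003e syscall=4 success=no exit=-13
type=AVC msg=audit(1253959881.101:17657446): avc: denied { getattr } for pid=18869 comm="smbd" path="/var/lib/mysql" dev=dm-8 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
"""

# Permissions sit between braces; contexts and class are space-delimited tokens.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type component (user:role:TYPE[:level]) of a context."""
    return context.split(":")[2]

def parse_avc_denials(log_text):
    """Yield (source_type, target_type, class, permission) per denied permission."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        for perm in m.group("perms").split():
            yield (selinux_type(m.group("scontext")),
                   selinux_type(m.group("tcontext")),
                   m.group("tclass"), perm)

def count_denials(log_text):
    """Aggregate identical denials; a high count means log flooding, as here."""
    return Counter(parse_avc_denials(log_text))

def dontaudit_module(counts, name="local_smbd_mysql"):
    """Build a .te module that silences the listed denials without permitting them."""
    types, classes, rules = set(), {}, []
    for (src, tgt, cls, perm) in sorted(counts):
        types.update((src, tgt))
        classes.setdefault(cls, set()).add(perm)
        rules.append(f"dontaudit {src} {tgt}:{cls} {perm};")
    req = [f"    type {t};" for t in sorted(types)]
    req += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return "\n".join([f"module {name} 1.0;", "", "require {"] + req + ["}", ""] + rules) + "\n"

if __name__ == "__main__":
    counts = count_denials(SAMPLE_AUDIT_LOG)
    print(counts)
    print(dontaudit_module(counts))
```

The generated .te is compiled on the host with checkmodule -M -m, packaged with semodule_package and loaded with semodule -i; because the rules are dontaudit, smbd gains no access to mysqld_db_t, the AVC records simply stop.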
Fixed in selinux-policy-2.4.6-281.el5.noarch
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: When a Samba server, smbd, attempted to access the content of the /var/lib/mysql/ directory, SELinux denied this access, and reported this event in the audit log. However, this access is not necessary for Samba to work properly. With this update, appropriate SELinux rules have been added to address this issue, and such access denial is no longer logged.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html