First Last Prev Next    This bug is not in your last search results.
Bug 609078 - SELinux is preventing Samba (/usr/sbin/smbd) "write" access to backup-desktop.
SELinux is preventing Samba (/usr/sbin/smbd) "write" access to backup-desktop.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:8ce5b2e3537...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-29 07:46 EDT by Sean
Modified: 2010-06-29 11:42 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-29 11:42:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Sean 2010-06-29 07:46:55 EDT 
Summary:

SELinux is preventing Samba (/usr/sbin/smbd) "write" access to backup-desktop.

Detailed Description:

SELinux denied samba access to backup-desktop. If you want to share this
directory with samba it has to have a file context label of samba_share_t. If
you did not intend to use backup-desktop as a samba repository it could indicate
either a bug or it could signal a intrusion attempt. Please refer to 'man
samba_selinux' for more information on setting up Samba and SELinux.

Allowing Access:

You can alter the file context by executing chcon -R -t samba_share_t
'backup-desktop' You must also change the default file context files on the
system in order to preserve them even on a full relabel. "semanage fcontext -a
-t samba_share_t 'backup-desktop'"

Fix Command:

chcon -R -t samba_share_t 'backup-desktop'

Additional Information:

Source Context                system_u:system_r:smbd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:usr_t:s0
Target Objects                backup-desktop [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           samba-3.5.3-61.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   samba_share
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.x86_64 #1 SMP
                              Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   20
First Seen                    Tue 29 Jun 2010 13:45:24 CEST
Last Seen                     Tue 29 Jun 2010 13:45:36 CEST
Local ID                      e861c7f4-0a56-4d86-b402-15d6d7340694
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1277811936.486:31068): avc:  denied  { write } for  pid=3097 comm="smbd" name="backup-desktop" dev=sda5 ino=394103 scontext=system_u:system_r:smbd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1277811936.486:31068): arch=c000003e syscall=83 success=no exit=-13 a0=7fb56e513e20 a1=1ed a2=1ed a3=19 items=0 ppid=3073 pid=3097 auid=4294967295 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  samba_share,smbd,smbd_t,usr_t,dir,write
audit2allow suggests:

#============= smbd_t ==============
#!!!! This avc can be allowed using the boolean 'samba_export_all_rw'

allow smbd_t usr_t:dir write;
Comment 1 Daniel Walsh 2010-06-29 11:28:23 EDT 
Any idea what backup-desktop is?
Comment 2 Simo Sorce 2010-06-29 11:38:54 EDT 
Sorry Dan, never heard of it.
Comment 3 Daniel Walsh 2010-06-29 11:42:09 EDT 
Seanrjs,

Sounds like a directory you are sharing via samba is not labeled correctly.  You either need to label it as samba_share_t as described in the alert or turn on the samba_export_all_rw boolean if you are sharing the entire disk.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.