Bug 609078 - SELinux is preventing Samba (/usr/sbin/smbd) "write" access to backup-desktop.
Summary: SELinux is preventing Samba (/usr/sbin/smbd) "write" access to backup-desktop.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:8ce5b2e3537...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-06-29 11:46 UTC by Sean
Modified: 2010-06-29 15:42 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-06-29 15:42:09 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Sean 2010-06-29 11:46:55 UTC 
Summary:

SELinux is preventing Samba (/usr/sbin/smbd) "write" access to backup-desktop.

Detailed Description:

SELinux denied samba access to backup-desktop. If you want to share this
directory with samba it has to have a file context label of samba_share_t. If
you did not intend to use backup-desktop as a samba repository it could indicate
either a bug or it could signal a intrusion attempt. Please refer to 'man
samba_selinux' for more information on setting up Samba and SELinux.

Allowing Access:

You can alter the file context by executing chcon -R -t samba_share_t
'backup-desktop' You must also change the default file context files on the
system in order to preserve them even on a full relabel. "semanage fcontext -a
-t samba_share_t 'backup-desktop'"

Fix Command:

chcon -R -t samba_share_t 'backup-desktop'

Additional Information:

Source Context                system_u:system_r:smbd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:usr_t:s0
Target Objects                backup-desktop [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           samba-3.5.3-61.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   samba_share
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.x86_64 #1 SMP
                              Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   20
First Seen                    Tue 29 Jun 2010 13:45:24 CEST
Last Seen                     Tue 29 Jun 2010 13:45:36 CEST
Local ID                      e861c7f4-0a56-4d86-b402-15d6d7340694
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1277811936.486:31068): avc:  denied  { write } for  pid=3097 comm="smbd" name="backup-desktop" dev=sda5 ino=394103 scontext=system_u:system_r:smbd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1277811936.486:31068): arch=c000003e syscall=83 success=no exit=-13 a0=7fb56e513e20 a1=1ed a2=1ed a3=19 items=0 ppid=3073 pid=3097 auid=4294967295 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  samba_share,smbd,smbd_t,usr_t,dir,write
audit2allow suggests:

#============= smbd_t ==============
#!!!! This avc can be allowed using the boolean 'samba_export_all_rw'

allow smbd_t usr_t:dir write;
Comment 1 Daniel Walsh 2010-06-29 15:28:23 UTC 
Any idea what backup-desktop is?
Comment 2 Simo Sorce 2010-06-29 15:38:54 UTC 
Sorry Dan, never heard of it.
Comment 3 Daniel Walsh 2010-06-29 15:42:09 UTC 
Seanrjs,

Sounds like a directory you are sharing via samba is not labeled correctly.  You either need to label it as samba_share_t as described in the alert or turn on the samba_export_all_rw boolean if you are sharing the entire disk.
Note You need to log in before you can comment on or make changes to this bug.