Bug 623763 - smbd incorrectly references "/home" and SELinux has to block the reference.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-08-12 13:38 EDT by Bruce vaNorman
Modified: 2010-09-11 05:07 EDT
Fixed In Version: selinux-policy-3.7.19-54.fc13
Doc Type: Bug Fix
Last Closed: 2010-09-11 05:07:46 EDT
Description Bruce vaNorman 2010-08-12 13:38:38 EDT
Description of problem:
Millions of SELinux alerts that Samba (smbd) is trying to read "/home". Thankfully, SELinux prevents this.

Version-Release number of selected component (if applicable):
3.5.4-62.fc13

How reproducible:
- I have a number of public Samba shares under /srv/... (on a separate drive) which work correctly. Note: "/home" is on a different separate drive.
- I have no Samba users and don't want any
- my Samba guest is "nobody"
- /etc/samba/smb.conf has a [homes] section. I've tried deleting it and also tried all sorts of sledge hammer tricks (path = /dev/null) to no avail.

Steps to Reproduce:
1. start smbd daemon
Actual results:
I have not found any help on the web to completely block Samba from attempting user file sharing. I have gone through many tens of pages on how to restrict and enable this, but none on total removal.

Expected results:
I want to stop smbd from looking at "/home" and any of its sub-directories and to stop bugging SELinux with useless alerts.


Additional info:
Comment 1 Simo Sorce 2010-08-26 10:05:39 EDT
This is probably caused by the fact that /home is a mount point.
For internal reasons samba enumerates mount points, but doesn't try to access anything that isn't explicitly exported through a share.

I think the SELinux policy should be changed, if possible, to ignore this particular AVC on mount points.

Re-assigning to SELinux, I think it should be handled there.
Comment 2 Daniel Walsh 2010-08-26 13:45:04 EDT
Miroslav, add

files_dontaudit_list_all_mountpoints(smbd_t)
########################################
## <summary>
##	Do not audit listing of all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`files_dontaudit_list_all_mountpoints',`
	gen_require(`
		attribute mountpoint;
	')

	dontaudit $1 mountpoint:dir list_dir_perms;
')
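
An added example, not part of Comment 2 or of the selinux-policy source: a Python sketch that checks which AVC denials in an audit log the dontaudit rule above would silence and which would still be reported. The log lines are constructed, and the set of types carrying the mountpoint attribute is an assumption.

```python
import re

# list_dir_perms as defined in the reference policy's permission sets
LIST_DIR_PERMS = {"getattr", "search", "open", "read", "lock", "ioctl"}

# Assumption: types carrying the "mountpoint" attribute on this host.
# On a real system, take the list from `seinfo -amountpoint -x`.
MOUNTPOINT_TYPES = {"home_root_t", "mnt_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # Context layout is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]

def still_audited(line, domain="smbd_t"):
    """Permissions that would still be logged once
    'dontaudit <domain> mountpoint:dir list_dir_perms;' is loaded.
    Returns None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m.group("perms").split())
    covered = (selinux_type(m.group("scon")) == domain
               and selinux_type(m.group("tcon")) in MOUNTPOINT_TYPES
               and m.group("tclass") == "dir")
    return perms - LIST_DIR_PERMS if covered else perms

def triage(lines):
    """Split AVC denials into (silenced, still_reported)."""
    silenced, reported = [], []
    for line in lines:
        left = still_audited(line)
        if left is not None:
            (reported if left else silenced).append(line)
    return silenced, reported

# Constructed sample records (not taken from the bug report)
CTX = "scontext=system_u:system_r:%s:s0 tcontext=system_u:object_r:%s:s0 tclass=%s"
SAMPLE_LOG = [
    'type=AVC msg=audit(1.0:1): avc:  denied  { read } for  pid=9 comm="smbd" name="home" ' + CTX % ("smbd_t", "home_root_t", "dir"),
    'type=AVC msg=audit(1.0:2): avc:  denied  { read write } for  pid=9 comm="smbd" name="home" ' + CTX % ("smbd_t", "home_root_t", "dir"),
    'type=AVC msg=audit(1.0:3): avc:  denied  { read } for  pid=9 comm="smbd" name="notes" ' + CTX % ("smbd_t", "user_home_t", "file"),
    'type=AVC msg=audit(1.0:4): avc:  denied  { read } for  pid=7 comm="httpd" name="home" ' + CTX % ("httpd_t", "home_root_t", "dir"),
]
```

A dontaudit rule only hides the message; the access is still denied. `semodule -DB` rebuilds the policy with dontaudit rules disabled when hidden denials need to be seen.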
Comment 3 Miroslav Grepl 2010-08-30 13:23:46 EDT
Fixed in selinux-policy-3.7.19-52.fc13.
Comment 4 Fedora Update System 2010-09-02 10:56:46 EDT
selinux-policy-3.7.19-54.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13
Comment 5 Fedora Update System 2010-09-02 16:36:23 EDT
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13
Comment 6 Fedora Update System 2010-09-11 05:07:09 EDT
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
