Bug 623763 - smbd incorrectly references "/home" and SELinux has to block the reference.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-08-12 17:38 UTC by Bruce vaNorman
Modified: 2010-09-11 09:07 UTC (History)

Fixed In Version: selinux-policy-3.7.19-54.fc13
Doc Type: Bug Fix
Last Closed: 2010-09-11 09:07:46 UTC

Description Bruce vaNorman 2010-08-12 17:38:38 UTC
Description of problem:
Millions of SELinux alerts that Samba (smbd) is trying to read "/home". Thankfully, SELinux prevents this.

Version-Release number of selected component (if applicable):
3.5.4-62.fc13

How reproducible:
- I have a number of public Samba shares under /srv/... (on a separate drive) which work correctly. Note: "/home" is on a different separate drive.
- I have no Samba users and don't want any
- my Samba guest is "nobody"
- /etc/samba/smb.conf has a [homes] section. I've tried deleting it and also tried all sorts of sledge hammer tricks (path = /dev/null) to no avail.

Steps to Reproduce:
1. start smbd daemon
Actual results:
I have not found any help on the web to completely block Samba from attempting user file sharing. I have gone through many tens of pages on how to restrict and enable this, but none on total removal.

Expected results:
I want to stop smbd from looking at "/home" and any of its sub-directories and to stop bugging SELinux with useless alerts.


Additional info:

Comment 1 Simo Sorce 2010-08-26 14:05:39 UTC
This is probably caused by the fact that /home is a mount point.
For internal reasons samba enumerates mount points, but doesn't try to access anything that isn't explicitly exported through a share.

I think the SELinux policy should be changed, if possible, to ignore this particular AVC on mount points.

Re-assigning to SELinux, I think it should be handled there.

Comment 2 Daniel Walsh 2010-08-26 17:45:04 UTC
Miroslav, add

files_dontaudit_list_all_mountpoints(smbd_t)
########################################
## <summary>
##	Do not audit listing of all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`files_dontaudit_list_all_mountpoints',`
	gen_require(`
		attribute mountpoint;
	')

	dontaudit $1 mountpoint:dir list_dir_perms;
')
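
An added example (not part of the bug report or of the selinux-policy source): Python that reports which permissions of an AVC denial are still written to the audit log once the dontaudit rule from comment 2 is loaded. The contents of list_dir_perms, the two types listed as carrying the mountpoint attribute, and the sample audit records are assumptions constructed for illustration.

```python
import re

# Assumption: contents of refpolicy's list_dir_perms (see obj_perm_sets.spt).
LIST_DIR_PERMS = {"getattr", "search", "open", "read", "lock", "ioctl"}
# Assumption: two types carrying the mountpoint attribute; the real set comes
# from `seinfo -amountpoint -x` on the host.
MOUNTPOINT_TYPES = {"home_root_t", "mnt_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def se_type(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def still_audited(line, domain="smbd_t"):
    """Permissions of one AVC denial that are still logged with
    `dontaudit <domain> mountpoint:dir list_dir_perms;` loaded.
    Returns None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m.group("perms").split())
    rule_applies = (
        se_type(m.group("scon")) == domain
        and se_type(m.group("tcon")) in MOUNTPOINT_TYPES
        and m.group("tclass") == "dir"
    )
    # dontaudit masks logging per permission; the access is denied either way.
    return perms - LIST_DIR_PERMS if rule_applies else perms

# Constructed audit records (not from the bug report).
_SMBD = "scontext=system_u:system_r:smbd_t:s0"
_HOME = "tcontext=system_u:object_r:home_root_t:s0"
SAMPLE = [
    f'type=AVC msg=audit(1281634718.101:51): avc:  denied  {{ read }} for  pid=2100 comm="smbd" name="home" {_SMBD} {_HOME} tclass=dir',
    f'type=AVC msg=audit(1281634718.102:52): avc:  denied  {{ read write }} for  pid=2100 comm="smbd" name="home" {_SMBD} {_HOME} tclass=dir',
    f'type=AVC msg=audit(1281634718.103:53): avc:  denied  {{ read }} for  pid=2100 comm="smbd" name="notes" {_SMBD} tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    f'type=AVC msg=audit(1281634718.104:54): avc:  denied  {{ getattr }} for  pid=900 comm="httpd" name="home" scontext=system_u:system_r:httpd_t:s0 {_HOME} tclass=dir',
]

if __name__ == "__main__":
    for rec in SAMPLE:
        left = still_audited(rec)
        print(sorted(left) if left else "not logged")
```

The rule only stops logging; the access stays denied. When debugging, `semodule -DB` rebuilds the policy with dontaudit rules disabled and `semodule -B` restores them.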

Comment 3 Miroslav Grepl 2010-08-30 17:23:46 UTC
Fixed in selinux-policy-3.7.19-52.fc13.

Comment 4 Fedora Update System 2010-09-02 14:56:46 UTC
selinux-policy-3.7.19-54.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13

Comment 5 Fedora Update System 2010-09-02 20:36:23 UTC
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13

Comment 6 Fedora Update System 2010-09-11 09:07:09 UTC
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

