Bug 693090 - SELinux is preventing /usr/sbin/smbd from using the 'sys_chroot' capabilities.
Summary: SELinux is preventing /usr/sbin/smbd from using the 'sys_chroot' capabilities.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:39cf8af439c...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-04-02 14:20 UTC by Dave
Modified: 2011-04-25 00:00 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.9.7-40.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-04-25 00:00:02 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Dave 2011-04-02 14:20:22 UTC 
SELinux is preventing /usr/sbin/smbd from using the 'sys_chroot' capabilities.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that smbd should have the sys_chroot capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:smbd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:smbd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           samba-3.5.8-75.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.i686 #1
                              SMP Mon Feb 7 07:04:18 UTC 2011 i686 i686
Alert Count                   6
First Seen                    Sat 02 Apr 2011 08:19:56 AM PDT
Last Seen                     Sat 02 Apr 2011 08:20:09 AM PDT
Local ID                      f555eb3c-c5fa-428d-93ca-d0d160c80b78

Raw Audit Messages
type=AVC msg=audit(1301757609.633:683): avc:  denied  { sys_chroot } for  pid=834 comm="smbd" capability=18  scontext=system_u:system_r:smbd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:smbd_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1301757609.633:683): arch=i386 syscall=chroot success=no exit=EPERM a0=192fdc8 a1=0 a2=b13ff4 a3=19371d0 items=0 ppid=801 pid=834 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0-s0:c0.c1023 key=(null)

Hash: smbd,smbd_t,smbd_t,capability,sys_chroot

audit2allow

#============= smbd_t ==============
allow smbd_t self:capability sys_chroot;

audit2allow -R

#============= smbd_t ==============
allow smbd_t self:capability sys_chroot;
Comment 1 Miroslav Grepl 2011-04-04 10:20:16 UTC 
You can allow it for now using

# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 2 Daniel Walsh 2011-04-04 13:24:58 UTC 
I guess we need this in F13 and RHEL6.
Comment 3 Miroslav Grepl 2011-04-04 13:28:25 UTC 
(In reply to comment #2)
> I guess we need this in F13 and RHEL6.

Yes, I added it.
Comment 4 Miroslav Grepl 2011-04-04 16:51:46 UTC 
selinux-policy-3.9.7-39.fc14
Comment 5 Fedora Update System 2011-04-21 14:50:10 UTC 
selinux-policy-3.9.7-40.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-40.fc14
Comment 6 Fedora Update System 2011-04-21 22:25:45 UTC 
Package selinux-policy-3.9.7-40.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-40.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-40.fc14
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2011-04-24 23:58:57 UTC 
selinux-policy-3.9.7-40.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.