Bug 705148 - No audit logs of selinux denies for samba
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
x86_64 Linux
unspecified Severity medium
Assigned To: Miroslav Grepl
BaseOS QE Security Team
Reported: 2011-05-16 15:07 EDT by Joshua Weage
Modified: 2011-05-23 03:30 EDT (History)
Doc Type: Bug Fix
Last Closed: 2011-05-23 03:30:34 EDT
Description Joshua Weage 2011-05-16 15:07:37 EDT
Description of problem:

Selinux is denying Samba access to shared directories.  The smbd.log file contains error messages, but the audit.log does not.  Setting smbd_disable_trans to on resolves the issue.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Fresh install of 5.6.
2. Set up a Samba share with security = share and guest access = ok.
Actual results:
smbd.log file contains the following errors:
'/disks/d1' does not exist of permission denied with connecting to [d1] Error was Permission denied

audit.log contains no messages for smbd.

Expected results:

Expect to see audit deny messages.

Additional info:

It appears as though other audit related messages are also not logged for Samba.  Attempting to share home directories without enabling the appropriate selinux boolean also results in no audit trail.
Comment 1 Steve Grubb 2011-05-16 19:20:55 EDT
Transferring this to SE Linux policy. This doesn't sound like an audit system problem. The AVC should be logged by SE Linux and the audit rules have no real effect (other than to add additional data). But the policy does have "no audit" controls and maybe that is causing the issue? It may be that way because a file server could flood the logs with AVCs under the right situation. Not sure...
Comment 2 Daniel Walsh 2011-05-17 03:55:12 EDT
semodule -DB 

Will turn off the dontaudit rules. (semodule -B turns them back on)

I would figure you need to label /disks directory as samba_share_t.

# semanage fcontext -a -t samba_share_t '/disks(/.*)?'
# restorecon -R -v /disks

Should fix the problem.
Comment 3 Joshua Weage 2011-05-17 14:09:41 EDT
Thanks for the responses.  I wasn't sure if this was intentional or not, but it is confusing not seeing any audit logs.

Of course setting the appropriate context resolves the problem.
Comment 4 Daniel Walsh 2011-05-18 02:03:58 EDT
What AVCs were you seeing when you disabled the dontaudits?  I think part of the problem is we have dontaudits for search of default_t directories.  In RHEL6 I believe we are now allowing search of these directories.
Comment 5 Miroslav Grepl 2011-05-19 11:35:38 EDT

# rpm -q selinux-policy
Comment 6 Joshua Weage 2011-05-20 13:52:30 EDT
Here is the AVC message:

type=AVC msg=audit(1305913412.063:15): avc:  denied  { read } for  pid=3280 comm="smbd" name="share" dev=dm-0 ino=443970 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir

[root@testbox audit]# rpm -q selinux-policy
Comment 7 Miroslav Grepl 2011-05-23 03:30:34 EDT
You will need to label the /share directory.

# semanage fcontext -a -t samba_share_t 'PATHTO/share(/.*)?'
# restorecon -R -v PATHTO/share
