Bug 705148 - No audit logs of selinux denies for samba
Summary: No audit logs of selinux denies for samba
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-05-16 19:07 UTC by Joshua Weage
Modified: 2011-05-23 07:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-23 07:30:34 UTC
Target Upstream Version:
Embargoed:



Description Joshua Weage 2011-05-16 19:07:37 UTC
Description of problem:

SELinux is denying Samba access to shared directories.  The smbd.log file contains error messages, but the audit.log does not.  Setting smbd_disable_trans to on resolves the issue.

Version-Release number of selected component (if applicable):
1.7.18

How reproducible:
Always

Steps to Reproduce:
1. Fresh install of 5.6.
2. Set up a Samba share with security = share and guest access = ok.
3. 
  
Actual results:
smbd.log file contains the following errors:
'/disks/d1' does not exist of permission denied with connecting to [d1] Error was Permission denied

audit.log contains no messages for smbd.

Expected results:

Expect to see audit deny messages.

Additional info:

It appears as though other audit related messages are also not logged for Samba.  Attempting to share home directories without enabling the appropriate selinux boolean also results in no audit trail.

Comment 1 Steve Grubb 2011-05-16 23:20:55 UTC
Transferring this to SE Linux policy. This doesn't sound like an audit system problem. The AVC should be logged by SE Linux and the audit rules have no real effect (other than to add additional data). But the policy does have "no audit" controls and maybe that is causing the issue? It may be that way because a file server could flood the logs with AVCs under the right situation. Not sure...

Comment 2 Daniel Walsh 2011-05-17 07:55:12 UTC
semodule -DB 

Will turn off the dontaudit rules. (semodule -B turns them back on)

I would figure you need to label /disks directory as samba_share_t.

# semanage fcontext -a -t samba_share_t '/disks(/.*)?'
# restorecon -R -v /disks


Should fix the problem.

Comment 3 Joshua Weage 2011-05-17 18:09:41 UTC
Thanks for the responses.  I wasn't sure if this was intentional or not, but it is confusing not seeing any audit logs.

Of course setting the appropriate context resolves the problem.

Comment 4 Daniel Walsh 2011-05-18 06:03:58 UTC
What AVCs were you seeing when you disabled the dontaudits?  I think part of the problem is we have dontaudits for search of default_t directories.  In RHEL6 I believe we are now allowing search of these directories.

Comment 5 Miroslav Grepl 2011-05-19 15:35:38 UTC
Also

# rpm -q selinux-policy

Comment 6 Joshua Weage 2011-05-20 17:52:30 UTC
Here is the AVC message:

type=AVC msg=audit(1305913412.063:15): avc:  denied  { read } for  pid=3280 comm="smbd" name="share" dev=dm-0 ino=443970 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir


[root@testbox audit]# rpm -q selinux-policy
selinux-policy-2.4.6-300.el5

Comment 7 Miroslav Grepl 2011-05-23 07:30:34 UTC
You will need to label the /share directory.

# semanage fcontext -a -t samba_share_t 'PATHTO/share(/.*)?'
# restorecon -R -v PATHTO/share
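
Added example, not part of the original bug thread or of any Red Hat tooling: a small shell filter that condenses AVC denials such as the one in comment 6 and flags targets that still carry a generic label (default_t, file_t, unlabeled_t), which is the case both replies resolve by relabeling. The function names, the pipe-separated output and the RELABEL/REVIEW hints are hypothetical, and the ausearch invocation in the comments is an assumption about how the records would be collected.

```shell
#!/bin/sh
# Summarize SELinux AVC denials read from stdin (audit.log or ausearch output).
# Live use as root, with dontaudit rules temporarily disabled as in comment 2:
#   semodule -DB                      # rebuild policy without dontaudit rules
#   ...reproduce the failing share access...
#   ausearch -m avc -c smbd | summarize_avc
#   semodule -B                       # rebuild policy with dontaudit rules

# Sample input: the AVC from comment 6 plus one constructed non-AVC record.
SAMPLE_LOG='type=AVC msg=audit(1305913412.063:15): avc:  denied  { read } for  pid=3280 comm="smbd" name="share" dev=dm-0 ino=443970 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1305913412.063:15): arch=c000003e syscall=2 success=no comm="smbd"'

# Print the value of " key=value" from one audit record, quotes stripped.
avc_field() {   # $1 = record line, $2 = key
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Emit comm|perms|tclass|name|source_type|target_type|hint per denial.
summarize_avc() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:"*denied*) ;;       # keep AVC denials only
            *) continue ;;
        esac
        perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \(.*\) }.*/\1/p')
        comm=$(avc_field "$line" comm)
        name=$(avc_field "$line" name)
        tclass=$(avc_field "$line" tclass)
        # An SELinux context is user:role:type:level; the type is field 3.
        stype=$(avc_field "$line" scontext | cut -d: -f3)
        ttype=$(avc_field "$line" tcontext | cut -d: -f3)
        case "$ttype" in
            default_t|file_t|unlabeled_t) hint=RELABEL ;;  # generic label: fix the file context
            *) hint=REVIEW ;;                              # specific label: check policy and booleans
        esac
        printf '%s|%s|%s|%s|%s|%s|%s\n' \
            "$comm" "$perms" "$tclass" "$name" "$stype" "$ttype" "$hint"
    done
}

printf '%s\n' "$SAMPLE_LOG" | summarize_avc
# prints: smbd|read|dir|share|smbd_t|default_t|RELABEL
```

A RELABEL hint corresponds to the semanage fcontext / restorecon fix given in comments 2 and 7.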

