Bug 721041 - smbd scanning /boot when responding to quota check request
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.7
Hardware: ia64 Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2011-07-13 11:11 EDT by Ales Zelinka
Modified: 2012-02-21 00:47 EST (History)

Fixed In Version: selinux-policy-2.4.6-323.el5
Doc Type: Bug Fix

Attachments: None
Description Ales Zelinka 2011-07-13 11:11:38 EDT
Description of problem:

default samba config, with one added share (file mounted via loopback, quotas set on):

[global]
	workgroup = MYGROUP
	server string = Samba Server Version %v
	log file = /var/log/samba/log.%m
	max log size = 50
	cups options = raw

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

[zelshare]
	path = /tmp/zelshare
	read only = No


This command:

smbcquotas -U root%root  -F //127.0.0.1/zelshare

triggers this AVC denial:

type=AVC msg=audit(1310569738.779:1745): avc:  denied  { search } for  pid=10535 comm="smbd" name="boot" dev=dm-0 ino=26869761 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=SYSCALL msg=audit(1310569738.779:1745): arch=c0000032 syscall=1210 success=no exit=-13 a0=20000008023cadca a1=60000ffffff22e10 a2=2000000801a22630 a3=c000000000000491 items=0 ppid=9442 pid=10535 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

# ls -di /boot/
26869761 /boot/


Version-Release number of selected component (if applicable):
samba3x-3.5.4-0.83.el5

Additional info:

only happens on ia64
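To read the two audit records above programmatically, here is an added example (not part of the report, and not audit2allow's code): it parses the AVC line into its fields and derives the allow rule that audit2allow would propose for it. The regular expressions and helper names are this example's own; the AVC record is the one quoted in the description. For reference, arch=c0000032 in the SYSCALL record is ia64 and syscall 1210 is stat(2) in the ia64 syscall table, which is the call comment 11 below says smbd makes on each mountpoint.

```python
"""Parse an SELinux AVC denial record and derive the allow rule it implies.

Added example; the regexes and helpers are this example's own, not audit2allow's.
"""
import re

# The AVC record quoted in the bug description (copied from the page, not constructed).
AVC_LINE = (
    'type=AVC msg=audit(1310569738.779:1745): avc:  denied  { search } for  '
    'pid=10535 comm="smbd" name="boot" dev=dm-0 ino=26869761 '
    'scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir'
)

# 'avc: denied { perm perm } for key=value ...' ; perms sit inside the braces.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict with 'result', 'perms' (a list) and every key=value field."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["result"] = m.group("result")
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(context):
    """user:role:type[:range] -> type  (root:system_r:smbd_t:s0 -> smbd_t)."""
    return context.split(":")[2]


def implied_rule(fields):
    """The allow rule that would silence this denial, in policy source syntax."""
    perms = fields["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        context_type(fields["scontext"]),
        context_type(fields["tcontext"]),
        fields["tclass"],
        perm_str,
    )


def summarize(fields):
    """One-line human reading of the record."""
    return '%s (pid %s) was %s %s on %s "%s" (%s)' % (
        fields["comm"],
        fields["pid"],
        fields["result"],
        " ".join(fields["perms"]),
        fields["tclass"],
        fields.get("name", "?"),
        context_type(fields["tcontext"]),
    )


if __name__ == "__main__":
    parsed = parse_avc(AVC_LINE)
    print(summarize(parsed))
    print(implied_rule(parsed))
```

On a live system the same record is retrieved with `ausearch -m AVC -c smbd`, and `audit2allow -a` produces the equivalent rule. Note what the rule says: `search` on a `dir` of type `boot_t`, that is, permission to traverse `/boot` while resolving a path, not to read anything under it.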
Comment 2 Sumit Bose 2011-08-16 09:51:04 EDT
Can you check if you still see the AVC if you set the SELinux boolean samba_export_all_rw to true?
Comment 3 Miroslav Grepl 2011-08-22 03:43:04 EDT
Ales,
does it work with this AVC msg and in enforcing mode?
Comment 4 Ales Zelinka 2011-08-23 09:11:28 EDT
(In reply to comment #2)
> Can you check if you still see the AVC if you set the SELinux boolean
> samba_export_all_rw to true?

The AVC is gone when this boolean (or even samba_export_all_ro) is on. But that is more like a workaround than a fix - why would samba try to scan /boot/ in the first place? (that's why I've filed this against samba, not selinux-policy...)
Comment 5 Daniel Walsh 2011-08-23 22:56:33 EDT
I have a feeling samba is either looking at the files/directories in / or looking at all of the filesystems that are mounted.
Comment 6 Eduard Benes 2011-08-31 08:14:17 EDT
Looks like this is an issue on the samba side, reassigning back to samba. Could you please provide justification for why samba needs to "search" those directories?  Thanks!
Comment 11 Andreas Schneider 2011-09-22 04:55:25 EDT
This is expected behavior.

Let's assume you have quota on /data and you have a share /data/myshare and you set up

[myshare]
  path = /data/myshare

You ask the server to get the quota for a share 'myshare'. The share is translated into a path '/data/myshare'.

To find the mountpoint to check for the quota we need to do a stat on the path '/data/myshare', which gives us the device id. To find the mountpoint we need to iterate over the mountpoints and do a stat on each mountpoint to get its device id.

We iterate over the mountpoints until we find the matching device id to do the quota check.

So I assume /boot is on its own partition on the system where you're seeing this.
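The lookup described in comment 11, as an added example in Python rather than samba's own C code: stat the share path for its device id, then stat each mountpoint in mount-table order until one has the same device id. It also records which directories each stat walks through, since that is where the `search` permission is consumed. Everything below that is not on the page is an assumption: the mount table is /proc/mounts-style text, stat() is injectable so the scan runs on constructed data, the root device name, device numbers and loop device for /tmp/zelshare are made up, and a mountpoint whose stat() fails with EACCES is skipped and recorded (the page does not say what smbd does in that case).

```python
"""Mountpoint lookup by device id, modelled on the procedure in comment 11.

Added example, not samba's code. Assumptions not taken from the page: the
mount table is /proc/mounts-style text, stat() is injectable, and a mountpoint
whose stat() fails with EACCES is skipped and recorded.
"""
import errno
import os
from collections import namedtuple

MountEntry = namedtuple("MountEntry", "device mountpoint fstype")
FakeStat = namedtuple("FakeStat", "st_dev")


def parse_mounts(text):
    """Parse '<device> <mountpoint> <fstype> <options> 0 0' lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            entries.append(MountEntry(fields[0], fields[1], fields[2]))
    return entries


def dirs_searched_by_stat(path):
    """Directories the kernel traverses to resolve `path`; each needs dir:search.

    stat('/boot/efi') traverses '/' and '/boot', so smbd_t needs search on boot_t.
    stat('/boot') traverses only '/', which is why the i386 layout stays silent.
    """
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def find_quota_mountpoint(share_path, mounts, stat_fn=os.stat):
    """Return (matching MountEntry or None, dirs searched, {mountpoint: errno})."""
    target_dev = stat_fn(share_path).st_dev      # device id of the share's path
    searched, errors = [], {}
    for entry in mounts:                         # mount-table order, as comment 11 describes
        searched.extend(dirs_searched_by_stat(entry.mountpoint))
        try:
            st = stat_fn(entry.mountpoint)
        except OSError as exc:                   # e.g. EACCES when SELinux denies the search
            errors[entry.mountpoint] = exc.errno
            continue
        if st.st_dev == target_dev:
            return entry, searched, errors       # first matching device id wins
    return None, searched, errors


# Constructed mount table for the ia64 layout in comment 12. The root device
# name and the loop device backing /tmp/zelshare are assumptions.
IA64_MOUNTS = """\
/dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0
/dev/cciss/c0d0p1 /boot/efi vfat rw 0 0
/dev/loop0 /tmp/zelshare ext3 rw,usrquota 0 0
"""

# Constructed st_dev values for those paths (device numbers are assumptions;
# 253:0 is a typical dm-0, the device named in the AVC record). The share path
# is itself the mountpoint, so it carries the loop device's id.
IA64_DEVS = {
    "/": os.makedev(253, 0),
    "/boot/efi": os.makedev(104, 1),
    "/tmp/zelshare": os.makedev(7, 0),
}


def make_fake_stat(dev_by_path, denied=()):
    """stat() stand-in: raises EACCES for paths in `denied`, else returns st_dev."""
    def stat_fn(path):
        if path in denied:
            raise PermissionError(errno.EACCES, "Permission denied", path)
        return FakeStat(dev_by_path[path])
    return stat_fn


def scan_ia64(denied=()):
    """Run the lookup for //127.0.0.1/zelshare against the constructed ia64 table."""
    stat_fn = make_fake_stat(IA64_DEVS, denied)
    entry, searched, errors = find_quota_mountpoint(
        "/tmp/zelshare", parse_mounts(IA64_MOUNTS), stat_fn
    )
    return (entry.mountpoint if entry else None), searched, errors


if __name__ == "__main__":
    # Permissive: /boot is searched on the way to /boot/efi, producing the logged AVC.
    print(scan_ia64())
    # Enforcing: stat('/boot/efi') fails with EACCES, but the scan still reaches the share.
    print(scan_ia64(denied=("/boot/efi",)))
```

The arch difference falls out of `dirs_searched_by_stat`: with `/dev/sda1 on /boot` the scan only stats `/boot` itself, which needs `search` on `/` and `getattr` on `/boot`; with `/dev/cciss/c0d0p1 on /boot/efi` it must traverse `/boot`, and that traversal is the `search` on `boot_t` the AVC reports. Once the policy carries the interface from comment 13, `sesearch -A -s smbd_t -t boot_t -c dir -p search` on the updated system should list the corresponding allow rule. The `samba_export_all_ro`/`samba_export_all_rw` booleans from comment 4 also silence the denial, but they grant smbd read or read-write access to every file type, far more than the single `search` the lookup needs.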
Comment 12 Ales Zelinka 2011-09-22 08:55:06 EDT
(In reply to comment #11)
> So I assume /boot is on its own partition the system you're seeing this.
The other way around. But yes, the mountpoint is the only difference I see between ia64 and other archs:

i386 (where no AVC denial is logged):
# mount |grep boot
/dev/sda1 on /boot type ext3 (rw)


ia64 (where the AVC is logged):
# mount |grep boot
/dev/cciss/c0d0p1 on /boot/efi type vfat (rw)

Back to selinux-policy?
Comment 13 Daniel Walsh 2011-09-22 11:21:51 EDT
Miroslav, let's add

files_search_all_mountpoints(snmpd_t)

to RHEL5 and RHEL6, which should fix this problem.
Comment 14 Miroslav Grepl 2011-09-29 07:30:13 EDT
Fixed in selinux-policy-2.4.6-317.el5
Comment 21 Miroslav Grepl 2011-12-15 08:21:41 EST
Fixed in selinux-policy-2.4.6-321.el5
Comment 24 Miroslav Grepl 2012-01-03 02:49:14 EST
Fixed in selinux-policy-2.4.6-323.el5
Comment 26 errata-xmlrpc 2012-02-21 00:47:36 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html
