Description of problem:
default samba config, with one added share (file mounted via loopback, quotas set on):

[global]
        workgroup = MYGROUP
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        cups options = raw
[homes]
        comment = Home Directories
        read only = No
        browseable = No
[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No
[zelshare]
        path = /tmp/zelshare
        read only = No

This command:

        smbcquotas -U root%root -F //127.0.0.1/zelshare

triggers this AVC denial:

type=AVC msg=audit(1310569738.779:1745): avc: denied { search } for pid=10535 comm="smbd" name="boot" dev=dm-0 ino=26869761 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=SYSCALL msg=audit(1310569738.779:1745): arch=c0000032 syscall=1210 success=no exit=-13 a0=20000008023cadca a1=60000ffffff22e10 a2=2000000801a22630 a3=c000000000000491 items=0 ppid=9442 pid=10535 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

# ls -di /boot/
26869761 /boot/

Version-Release number of selected component (if applicable):
samba3x-3.5.4-0.83.el5

Additional info:
only happens on ia64
Can you check if you still see the AVC if you set the SELinux boolean samba_export_all_rw to true?
Ales, does it work with this AVC msg and in enforcing mode?
(In reply to comment #2)
> Can you check if you still see the AVC if you set the SELinux boolean
> samba_export_all_rw to true?

The AVC is gone when this boolean (or even samba_export_all_ro) is on. But that is more like a workaround than a fix - why would samba try to scan /boot/ in the first place? (that's why I've filed this against samba, not selinux-policy...)
I have a feeling samba is either looking at the files/directories in / or looking at all of the filesystems that are mounted.
Looks like this is an issue on samba side, reassigning back to samba. Could you please provide justification why samba needs to "search" those directories? Thanks!
This is expected behavior. Let's assume you have quota on /data and you have a share /data/myshare and you set up

[myshare]
        path = /data/myshare

You ask the server to get the quota for a share 'myshare'. The share is translated into a path '/data/myshare'. To find the mountpoint to check for the quota we need to do a stat on the path '/data/myshare', which provides us the device id. To find the mountpoint we need to iterate over the mountpoints and do a stat on each mountpoint to get its device id. We iterate over the mountpoints until we find the matching device id to do the quota check. So I assume /boot is on its own partition on the system where you're seeing this.
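The lookup comment #11 describes, as an added example (this is not Samba's code and not code from this bug thread): stat() the share path for its st_dev, then stat() each mountpoint from a /proc/mounts-style table until one has the same st_dev. The sample mount table below is constructed to resemble the ia64 box in the report; the LIVE_MOUNTS list and the demo_* wrappers are hypothetical names chosen for this example. The example skips a mountpoint whose stat() fails and keeps scanning; the thread does not say how smbd itself reacts to that failure, so that part is this example's choice, not Samba's documented behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_MOUNTS 16
#define MNT_LEN    256

/* Constructed sample of /proc/mounts, modelled on the ia64 box in the
 * thread (/boot/efi on its own partition, the share on a loop mount).
 * Not a capture from the reporter's system. */
static const char SAMPLE_MOUNTS[] =
    "/dev/mapper/VolGroup-root / ext3 rw 0 0\n"
    "/dev/cciss/c0d0p1 /boot/efi vfat rw 0 0\n"
    "/tmp/zelshare.img /tmp/zelshare ext3 rw,loop,usrquota 0 0\n";

/* Extract the mountpoint column (second field) from /proc/mounts-style
 * lines. Returns the number of mountpoints written to out[]. */
size_t parse_mounts(const char *text, char out[][MNT_LEN], size_t max)
{
    size_t n = 0;
    const char *line = text;
    while (*line && n < max) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512], dev[256], mnt[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "%255s %255s", dev, mnt) == 2) {
            snprintf(out[n], MNT_LEN, "%s", mnt);
            n++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return n;
}

/* The lookup a quota query needs: stat() the share path to learn its
 * st_dev, then stat() every mountpoint until one has the same st_dev.
 * Returns the index of the first matching mountpoint, -1 if none matches,
 * -2 if the share path itself cannot be stat'ed. In this example a
 * mountpoint whose stat() fails (e.g. EACCES because SELinux denied
 * "search" on a parent directory such as /boot, as in the AVC above) is
 * skipped and counted in *skipped instead of aborting the scan. */
int find_mountpoint(const char *share_path, char mounts[][MNT_LEN],
                    size_t n, int *skipped)
{
    struct stat st_share, st_mnt;
    *skipped = 0;
    if (stat(share_path, &st_share) != 0)
        return -2;
    for (size_t i = 0; i < n; i++) {
        if (stat(mounts[i], &st_mnt) != 0) {
            (*skipped)++;          /* stands in for the denied /boot/efi stat */
            continue;
        }
        if (st_mnt.st_dev == st_share.st_dev)
            return (int)i;
    }
    return -1;
}

/* Hypothetical mount list for a live run: one entry that cannot be
 * stat'ed (stands in for the denied /boot/efi) followed by "/". */
static char LIVE_MOUNTS[2][MNT_LEN] = { "/nonexistent-mountpoint-for-demo", "/" };

static char PARSED[MAX_MOUNTS][MNT_LEN];

/* Wrappers returning plain values so the behaviour can be checked. */
int demo_parse_count(void) { return (int)parse_mounts(SAMPLE_MOUNTS, PARSED, MAX_MOUNTS); }
const char *demo_parsed_mount(size_t i) { demo_parse_count(); return PARSED[i]; }
int demo_find_index(const char *p) { int s; return find_mountpoint(p, LIVE_MOUNTS, 2, &s); }
int demo_find_skipped(const char *p) { int s; find_mountpoint(p, LIVE_MOUNTS, 2, &s); return s; }

int main(void)
{
    size_t n = parse_mounts(SAMPLE_MOUNTS, PARSED, MAX_MOUNTS);
    for (size_t i = 0; i < n; i++)
        printf("mountpoint[%zu] = %s\n", i, PARSED[i]);

    int skipped;
    int idx = find_mountpoint("/", LIVE_MOUNTS, 2, &skipped);
    printf("share '/' resolves to mountpoint index %d (%d mountpoint(s) skipped)\n",
           idx, skipped);
    return 0;
}
```

Two things worth noting from running it: the match is on st_dev alone, so the first mountpoint with the same device wins and the order of the mount table matters (bind mounts of the same device will collide); and the stat() of /boot/efi walks through /boot, which is why the audit record above shows a "search" denial on the boot_t directory even though smbd never opens anything under it.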
(In reply to comment #11)
> So I assume /boot is on its own partition the system you're seeing this.

The other way around. But yes, the mountpoint is the only difference I see between ia64 and other archs:

i386 (where no AVC denial is logged):
# mount |grep boot
/dev/sda1 on /boot type ext3 (rw)

ia64 (where the AVC is logged):
# mount |grep boot
/dev/cciss/c0d0p1 on /boot/efi type vfat (rw)

Back to selinux-policy?
Miroslav, let's add files_search_all_mountpoints(snmpd_t) to RHEL5 and RHEL6, which should fix this problem.
Fixed in selinux-policy-2.4.6-317.el5
Fixed in selinux-policy-2.4.6-321.el5
Fixed in selinux-policy-2.4.6-323.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0158.html