Bug 721041 - smbd scanning /boot when responding to quota check request
Summary: smbd scanning /boot when responding to quota check request
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.7
Hardware: ia64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-07-13 15:11 UTC by Ales Zelinka
Modified: 2012-02-21 05:47 UTC (History)

Fixed In Version: selinux-policy-2.4.6-323.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-21 05:47:36 UTC
Target Upstream Version:
Embargoed:


Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2012:0158 | 0 | normal | SHIPPED_LIVE | selinux-policy bug fix and enhancement update | 2012-02-20 14:53:50 UTC

Description Ales Zelinka 2011-07-13 15:11:38 UTC
Description of problem:

default samba config, with one added share (file mounted via loopback, quotas set on):

[global]
	workgroup = MYGROUP
	server string = Samba Server Version %v
	log file = /var/log/samba/log.%m
	max log size = 50
	cups options = raw

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

[zelshare]
	path = /tmp/zelshare
	read only = No


This command:

smbcquotas -U root%root  -F //127.0.0.1/zelshare

triggers this AVC denial:

type=AVC msg=audit(1310569738.779:1745): avc:  denied  { search } for  pid=10535 comm="smbd" name="boot" dev=dm-0 ino=26869761 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=SYSCALL msg=audit(1310569738.779:1745): arch=c0000032 syscall=1210 success=no exit=-13 a0=20000008023cadca a1=60000ffffff22e10 a2=2000000801a22630 a3=c000000000000491 items=0 ppid=9442 pid=10535 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

# ls -di /boot/
26869761 /boot/


Version-Release number of selected component (if applicable):
samba3x-3.5.4-0.83.el5

Additional info:

only happens on ia64

Comment 2 Sumit Bose 2011-08-16 13:51:04 UTC
Can you check if you still see the AVC if you set the SELinux boolean samba_export_all_rw to true?

Comment 3 Miroslav Grepl 2011-08-22 07:43:04 UTC
Ales,
does it work with this AVC msg and in enforcing mode?

Comment 4 Ales Zelinka 2011-08-23 13:11:28 UTC
(In reply to comment #2)
> Can you check if you still see the AVC if you set the SELinux boolean
> samba_export_all_rw to true?

The AVC is gone when this boolean (or even samba_export_all_ro) is on. But that is more like a workaround than a fix - why would samba try to scan /boot/ in the first place? (that's why I've filed this against samba, not selinux-policy...)

Comment 5 Daniel Walsh 2011-08-24 02:56:33 UTC
I have a feeling samba is either looking at the files/directories in / or looking at all of the filesystems that are mounted.

Comment 6 Eduard Benes 2011-08-31 12:14:17 UTC
Looks like this is an issue on samba side, reassigning back to samba. Could you please provide justification why samba needs to "search" those directories?  Thanks!

Comment 11 Andreas Schneider 2011-09-22 08:55:25 UTC
This is expected behavior.

Let's assume you have quota on /data and you have a share /data/myshare and you set up

[myshare]
  path = /data/myshare

You ask the server to get the quota for a share 'myshare'. The share is translated into a path '/data/myshare'.

To find the mountpoint to check for the quota we need to do a stat on the path '/data/myshare' which provides us the device id. To find the mountpoint we need to iterate over the mountpoints and do a stat on the mountpoint to get the device id.

We iterate over the mountpoints till we find the matching device id to do the quota check.

So I assume /boot is on its own partition on the system where you're seeing this.

Comment 12 Ales Zelinka 2011-09-22 12:55:06 UTC
(In reply to comment #11)
> So I assume /boot is on its own partition the system you're seeing this.
The other way around. But yes, the mountpoint is the only difference I see between ia64 and other archs:

i386 (where no AVC denial is logged):
# mount |grep boot
/dev/sda1 on /boot type ext3 (rw)


ia64 (where the AVC is logged):
# mount |grep boot
/dev/cciss/c0d0p1 on /boot/efi type vfat (rw)

Back to selinux-policy?

Comment 13 Daniel Walsh 2011-09-22 15:21:51 UTC
Miroslav, let's add

files_search_all_mountpoints(snmpd_t)

to RHEL5 and RHEL6

Which should fix this problem.
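
For a system that cannot take the errata yet, the interface named in comment 13 can be granted to the domain shown in the AVC (smbd_t) through a local policy module. This is an added example, not the shipped selinux-policy change; the module name is arbitrary, and the build assumes the selinux-policy-devel Makefile at /usr/share/selinux/devel/Makefile is installed.

```te
# local_smbd_mountpoints.te (added example; module name is arbitrary)
policy_module(local_smbd_mountpoints, 1.0)

require {
    type smbd_t;
}

# Let smbd walk every mountpoint directory when matching a share's device id,
# which is the access the quota lookup needs and the AVC in this report lacks.
files_search_all_mountpoints(smbd_t)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile local_smbd_mountpoints.pp` followed by `semodule -i local_smbd_mountpoints.pp`, then rerun the smbcquotas command from the description and confirm the `{ search }` denial on boot_t no longer appears in audit.log. The module is narrower than the samba_export_all_ro/rw booleans mentioned in comment 4, which also open up read or write access to all file content rather than only directory search on mountpoints.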

Comment 14 Miroslav Grepl 2011-09-29 11:30:13 UTC
Fixed in selinux-policy-2.4.6-317.el5

Comment 21 Miroslav Grepl 2011-12-15 13:21:41 UTC
Fixed in selinux-policy-2.4.6-321.el5

Comment 24 Miroslav Grepl 2012-01-03 07:49:14 UTC
Fixed in selinux-policy-2.4.6-323.el5

Comment 26 errata-xmlrpc 2012-02-21 05:47:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html

