Bug 845586 - SELinux is preventing /usr/sbin/smbd from 'getattr' accesses on the file /home/roddy/.ICEauthority.
Summary: SELinux is preventing /usr/sbin/smbd from 'getattr' accesses on the file /hom...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:4de5adbe7f7f03bd871cd43365b...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-08-03 14:02 UTC by roddy
Modified: 2012-08-14 20:29 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-06 18:12:48 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description roddy 2012-08-03 14:02:19 UTC
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.5.0-2.fc17.x86_64
time:           ven. 03 août 2012 18:01:49 RET

description:
:SELinux is preventing /usr/sbin/smbd from 'getattr' accesses on the file /home/roddy/.ICEauthority.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that smbd should be allowed getattr access on the .ICEauthority file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:smbd_t:s0
:Target Context                unconfined_u:object_r:iceauth_home_t:s0
:Target Objects                /home/roddy/.ICEauthority [ file ]
:Source                        smbd
:Source Path                   /usr/sbin/smbd
:Port                          <Inconnu>
:Host                          (removed)
:Source RPM Packages           samba-3.6.6-91.fc17.1.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-142.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.5.0-2.fc17.x86_64 #1
:                              SMP Mon Jul 30 14:48:59 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    ven. 03 août 2012 17:50:36 RET
:Last Seen                     ven. 03 août 2012 17:50:36 RET
:Local ID                      bc6c03d3-8e97-4562-9f14-0889cb423905
:
:Raw Audit Messages
:type=AVC msg=audit(1344001836.238:119): avc:  denied  { getattr } for  pid=2642 comm="smbd" path="/home/roddy/.ICEauthority" dev="dm-2" ino=131985 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:iceauth_home_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1344001836.238:119): arch=x86_64 syscall=stat success=yes exit=0 a0=7f48bf4ca9e0 a1=7fffc29a3960 a2=7fffc29a3960 a3=0 items=0 ppid=1085 pid=2642 auid=4294967295 uid=0 gid=0 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
:
:Hash: smbd,smbd_t,iceauth_home_t,file,getattr
:
:audit2allow
:
:#============= smbd_t ==============
:#!!!! This avc can be allowed using one of the these booleans:
:#     samba_export_all_ro, samba_enable_home_dirs, samba_export_all_rw
:
:allow smbd_t iceauth_home_t:file getattr;
:
:audit2allow -R
:
:#============= smbd_t ==============
:#!!!! This avc can be allowed using one of the these booleans:
:#     samba_export_all_ro, samba_enable_home_dirs, samba_export_all_rw
:
:allow smbd_t iceauth_home_t:file getattr;
:

Comment 1 Daniel Walsh 2012-08-06 18:12:48 UTC
If you are sharing your homedir via samba turn on the samba_enable_home_dirs booleans.

If you want to allow samba to share users home directories.
Then you must tell SELinux about this by enabling the 'samba_enable_home_dirs' boolean.You can read 'iceauth_selinux' man page for more details.
Do
setsebool -P samba_enable_home_dirs 1

Comment 2 roddy 2012-08-07 06:33:55 UTC
(In reply to comment #1)
> If you are sharing your homedir via samba turn on the samba_enable_home_dirs
> booleans.
> 
> If you want to allow samba to share users home directories.
> Then you must tell SELinux about this by enabling the
> 'samba_enable_home_dirs' boolean.You can read 'iceauth_selinux' man page for
> more details.
> Do
> setsebool -P samba_enable_home_dirs 1

Hi Daniel Walsh,

Do you mean 
# setsebool -P samba_enable_home_dirs=1

but nmb.service failed to start at boot

# systemctl --all | grep failed
nmb.service               loaded failed   failed        Samba NMB Daemon

# systemctl status nmb.service
nmb.service - Samba NMB Daemon
          Loaded: loaded (/usr/lib/systemd/system/nmb.service; enabled)
          Active: failed (Result: exit-code) since Tue, 07 Aug 2012 07:36:49 +0400; 2h 55min ago
         Process: 955 ExecStart=/usr/sbin/nmbd $NMBDOPTIONS (code=exited, status=0/SUCCESS)
        Main PID: 962 (code=exited, status=1/FAILURE)
          CGroup: name=systemd:/system/nmb.service

Should i open another post?

Thank you very much

Have a nice day

Comment 3 Daniel Walsh 2012-08-13 20:25:47 UTC
If you turn this boolean on does the service start?

Comment 4 roddy 2012-08-13 21:25:45 UTC
(In reply to comment #3)
> If you turn this boolean on does the service start?

samba_export_all_ro is on
samba_enable_home_dirs is on
samba_export_all_rw is on

When I do a systemctl status nmb.service after a fresh boot, it shows that nmb is enabled, but it fails to start. Weird.

Please let me know if I missed something.

Best regards

Comment 5 Daniel Walsh 2012-08-13 21:46:31 UTC
Are you seeing any AVC's

ausearch -m avc -ts recent 

After boot.

Comment 6 roddy 2012-08-14 06:11:55 UTC
(In reply to comment #5)
> Are you seeing any AVC's
> 
> ausearch -m avc -ts recent 
> 
> After boot.

# ausearch -m avc -ts recent 
<no matches>

Regards

Roddy

Comment 7 Daniel Walsh 2012-08-14 14:55:47 UTC
If you start the service using systemctl, does it start?

Comment 8 roddy 2012-08-14 17:35:57 UTC
(In reply to comment #7)
> If you start the service using systemctl, does it start?

Unfortunately not..really weird

# systemctl status nmb.service
nmb.service - Samba NMB Daemon
          Loaded: loaded (/usr/lib/systemd/system/nmb.service; enabled)
          Active: failed (Result: exit-code) since Tue, 14 Aug 2012 21:32:16 +0400; 7s ago
         Process: 4141 ExecStart=/usr/sbin/nmbd $NMBDOPTIONS (code=exited, status=0/SUCCESS)                                                                                     
        Main PID: 4142 (code=exited, status=1/FAILURE)                                                                                                                           
          CGroup: name=systemd:/system/nmb.service

but samba is working fine

# systemctl status smb.service                                                                                                                               
smb.service - Samba SMB Daemon                                                                                                                                                   
          Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled)                                                                                                          
          Active: active (running) since Tue, 14 Aug 2012 17:01:18 +0400; 4h 32min ago                                                                                           
         Process: 1000 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=0/SUCCESS)                                                                                     
        Main PID: 1027 (smbd)                                                                                                                                                    
          CGroup: name=systemd:/system/smb.service                                                                                                                               
                  ├ 1027 /usr/sbin/smbd
                  └ 1028 /usr/sbin/smbd

Comment 9 Daniel Walsh 2012-08-14 19:06:48 UTC
Any avcs in this case?

systemctl start nmb.service
ausearch -m avc -ts recent

Comment 10 roddy 2012-08-14 19:49:46 UTC
(In reply to comment #9)
> Any avcs in this case?
> 
> systemctl start nmb.service
> ausearch -m avc -ts recent

After starting nmb.service again there is no AVCS

# ausearch -m avc -ts recent
<no matches>

Perhaps this message from /var/log/samba/log.nmbd could help

[2012/08/14 23:28:18,  0] nmbd/nmbd.c:861(main)
  nmbd version 3.6.6-92.fc17 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2011
[2012/08/14 23:28:18,  0] nmbd/nmbd.c:889(main)
  standard input is not a socket, assuming -D option
[2012/08/14 23:28:18,  0] lib/util_sock.c:667(open_socket_in)
  bind failed on port 137 socket_addr = 192.168.10.2.
  Error = Ne peut attribuer l'adresse demandée
[2012/08/14 23:28:18,  0] nmbd/nmbd_subnetdb.c:113(make_subnet)
  nmbd_subnetdb:make_subnet()
    Failed to open nmb socket on interface 192.168.10.2 for port 137.  Error was Ne peut attribuer l'adresse demandée
[2012/08/14 23:28:18,  0] nmbd/nmbd.c:975(main)
  ERROR: Failed when creating subnet lists. Exiting.

Best regards

Roddy

Comment 11 roddy 2012-08-14 20:29:25 UTC
Hi,

Problem solved in /etc/samba/smb.conf

There was a bad interface setting.

Thank you very much.

Best Regards

Roddy


Note You need to log in before you can comment on or make changes to this bug.