Bug 858738 - SELinux is preventing /usr/sbin/smbd from 'search' accesses on the directory /usr/share/man.
SELinux is preventing /usr/sbin/smbd from 'search' accesses on the directory ...
Product: Fedora
Classification: Fedora
Component: samba (Show other bugs)
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Guenther Deschner
Fedora Extras Quality Assurance
: Reopened
: 858740 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2012-09-19 10:37 EDT by Raman Gupta
Modified: 2013-02-07 08:17 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-02-07 08:17:40 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Raman Gupta 2012-09-19 10:37:57 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.9-2.fc16.x86_64
time:           Wed 19 Sep 2012 10:37:31 AM EDT

:SELinux is preventing /usr/sbin/smbd from 'search' accesses on the directory /usr/share/man.
:*****  Plugin catchall (100. confidence) suggests  ***************************
:If you believe that smbd should be allowed search access on the man directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                system_u:system_r:smbd_t:s0
:Target Context                system_u:object_r:man_t:s0
:Target Objects                /usr/share/man [ dir ]
:Source                        smbd
:Source Path                   /usr/sbin/smbd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           samba-3.6.6-88.fc16.x86_64
:Target RPM Packages           filesystem-2.4.44-1.fc16.x86_64
:Policy RPM                    selinux-policy-3.10.0-91.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.9-2.fc16.x86_64 #1 SMP Thu Aug 23
:                              17:51:29 UTC 2012 x86_64 x86_64
:Alert Count                   3
:First Seen                    Wed 19 Sep 2012 10:36:10 AM EDT
:Last Seen                     Wed 19 Sep 2012 10:36:10 AM EDT
:Local ID                      ee795496-ef07-4ef1-8d89-f1a6fd6537da
:Raw Audit Messages
:type=AVC msg=audit(1348065370.650:5620): avc:  denied  { search } for  pid=17328 comm="smbd" name="man" dev="dm-0" ino=1060 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
:type=SYSCALL msg=audit(1348065370.650:5620): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f03a57a50e0 a1=7fff94aa9420 a2=7fff94aa9420 a3=74 items=0 ppid=1625 pid=17328 auid=4294967295 uid=0 gid=0 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
:Hash: smbd,smbd_t,man_t,dir,search
:#============= smbd_t ==============
:#!!!! This avc can be allowed using one of the these booleans:
:#     samba_export_all_ro, samba_export_all_rw
:allow smbd_t man_t:dir search;
:audit2allow -R
:#============= smbd_t ==============
:#!!!! This avc can be allowed using one of the these booleans:
:#     samba_export_all_ro, samba_export_all_rw
:allow smbd_t man_t:dir search;
Comment 1 Daniel Walsh 2012-09-19 20:00:30 EDT
*** Bug 858740 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2012-09-19 20:01:31 EDT
:#============= smbd_t ==============
:#!!!! This avc can be allowed using one of the these booleans:
:#     samba_export_all_ro, samba_export_all_rw
Comment 3 Raman Gupta 2012-09-19 21:42:51 EDT

The smb.conf comments state:

# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories...

Maybe this is a bug in smbd, but I do not have /usr/share/man or /usr/bin/ exported via samba. So as I understand it, I shouldn't have to set samba_export_all_ro and samba_export_all_rw.

My smb.conf exports are:

[homes]  (standard)
[printers]  (standard)
[vartmp]  (local share of /var/tmp)

So for some reason the smbd is trying to access /usr/share/man and /usr/bin/wodim  (bug 858740) and /usr/sbin/ssmtp (bug 858739).

By the way, this seems to be new -- I haven't seen this before today.
Comment 4 Daniel Walsh 2012-09-19 21:45:07 EDT
Well lets assign this to samba and see if they have any idea?
Comment 5 Raman Gupta 2012-09-19 21:54:23 EDT
For reference, here is my smb.conf: http://pastebin.com/6m1UHdcm
Comment 6 Andreas Schneider 2012-09-21 05:33:12 EDT
Are you sure this is really smbd. We don't call wodim nor ssmtp. I also don't find any reference in the code that we would scan the man directory.

Why does the report state:

executable:     /usr/bin/python2.7

Comment 7 Andreas Schneider 2012-09-21 05:59:06 EDT
Can we get samba log files of that time?
Comment 8 Raman Gupta 2012-09-21 08:10:59 EDT
I believe python 2.7 is the executable of the selinux libreport tool, not the process doing the access. The rest of the report shows clearly smbd as the process in question. I guess it could be some sort of bug in the selinux auditing code.

I don't see anything in the samba log files at Sep 19th, you can see the last time the Samba logs were written was:

[root@edison ~]# ls -al /var/log/samba/
total 24
drwx------.  4 root root 4096 Jun 26 10:25 .
drwxr-xr-x. 20 root root 4096 Sep 21 03:43 ..
drwx------.  4 root root 4096 May 31 02:13 cores
-rw-r--r--.  1 root root    0 May 31 02:25 log.
-rw-r--r--.  1 root root    0 Jun  5 03:25 log.newton
-rw-r--r--.  1 root root  708 Sep 17 13:14 log.nmbd
-rw-r--r--.  1 root root  257 Sep 17 13:14 log.smbd
drwx------.  2 root root 4096 Sep 16 03:30 old
However, the PID given in the Selinux alert denial (pid=17328) is still valid as of now:

[root@edison ~]# ps -ef | grep smb | grep -v grep
root      1625     1  0 Sep17 ?        00:00:00 /usr/sbin/smbd
root      1679  1625  0 Sep17 ?        00:00:00 /usr/sbin/smbd
root     17328  1625  0 Sep18 ?        00:00:02 /usr/sbin/smbd

For reference here are the complete audit logs referencing smbd (grep smbd /var/log/audit/audit.log.1):

Comment 10 Andreas Schneider 2012-09-21 08:25:23 EDT
Who is the user with the uid 1000.
Comment 11 Raman Gupta 2012-09-21 08:29:54 EDT
That is my normal user account:

[root@edison ~]# grep 1000 /etc/passwd
raman:x:1000:1000:Raman Gupta:/home/raman:/bin/bash
Comment 12 Andreas Schneider 2012-09-21 11:25:01 EDT
Cause this user tried to access the directory and tried to execute the binaries.
Comment 13 Raman Gupta 2012-09-21 13:02:50 EDT
How can that be if smbd does not share that directory? You can see the shares I have exposed in my smbd.conf.
Comment 14 Andreas Schneider 2012-09-24 06:37:48 EDT
Which samba version are you running?
Comment 15 Andreas Schneider 2012-09-24 06:40:14 EDT
rpm -qi samba
Comment 16 Raman Gupta 2012-09-24 10:06:50 EDT
[root@edison ~]# rpm -qi samba
Name        : samba                                                                                                                                                                                                                                                                          
Epoch       : 1                                                                                                                                                                                                                                                                              
Version     : 3.6.6                                                                                                                                                                                                                                                                          
Release     : 88.fc16                                                                                                                                                                                                                                                                        
Architecture: x86_64                                                                                                                                                                                                                                                                         
Install Date: Thu 05 Jul 2012 11:49:45 PM EDT                                                                                                                                                                                                                                                
Group       : System Environment/Daemons                                                                                                                                                                                                                                                     
Size        : 18505343                                                                                                                                                                                                                                                                       
License     : GPLv3+ and LGPLv3+                                                                                                                                                                                                                                                             
Signature   : RSA/SHA256, Tue 26 Jun 2012 12:54:03 PM EDT, Key ID 067f00b6a82ba4b7                                                                                                                                                                                                           
Source RPM  : samba-3.6.6-88.fc16.src.rpm                                                                                                                                                                                                                                                    
Build Date  : Tue 26 Jun 2012 10:26:10 AM EDT                                                                                                                                                                                                                                                
Build Host  : x86-14.phx2.fedoraproject.org                                                                                                                                                                                                                                                  
Relocations : (not relocatable)                                                                                                                                                                                                                                                              
Packager    : Fedora Project                                                                                                                                                                                                                                                                 
Vendor      : Fedora Project                                                                                                                                                                                                                                                                 
URL         : http://www.samba.org/                                                                                                                                                                                                                                                          
Summary     : Server and Client software to interoperate with Windows machines                                                                                                                                                                                                               
Description :                                                                                                                                                                                                                                                                                
Samba is the suite of programs by which a lot of PC-related machines                                                                                                                                                                                                                         
share files, printers, and other information (such as lists of                                                                                                                                                                                                                               
available files and printers). The Windows NT, OS/2, and Linux
operating systems support this natively, and add-on packages can
enable the same thing for DOS, Windows, VMS, UNIX of all kinds, MVS,
and more. This package provides an SMB/CIFS server that can be used to
provide network services to SMB/CIFS clients.
Samba uses NetBIOS over TCP/IP (NetBT) protocols and does NOT
need the NetBEUI (Microsoft Raw NetBIOS frame) protocol.
Comment 17 Raman Gupta 2012-09-24 10:07:41 EDT
[root@edison ~]# rpm -V samba
[root@edison ~]#
Comment 18 Fedora End Of Life 2013-01-16 17:42:30 EST
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 19 Andreas Schneider 2013-02-07 08:17:40 EST
We are unable to reproduce the reported issue. If you can reproduce it with the latest version and give detailed information how to reproduce it, we're happy to fix it.

Note You need to log in before you can comment on or make changes to this bug.