libreport version: 2.0.10
executable: /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel: 3.4.9-2.fc16.x86_64
time: Wed 19 Sep 2012 10:37:31 AM EDT
description:
SELinux is preventing /usr/sbin/smbd from 'search' accesses on the directory /usr/share/man.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that smbd should be allowed search access on the man directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:man_t:s0
Target Objects                /usr/share/man [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           samba-3.6.6-88.fc16.x86_64
Target RPM Packages           filesystem-2.4.44-1.fc16.x86_64
Policy RPM                    selinux-policy-3.10.0-91.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.4.9-2.fc16.x86_64 #1 SMP Thu Aug 23
                              17:51:29 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 19 Sep 2012 10:36:10 AM EDT
Last Seen                     Wed 19 Sep 2012 10:36:10 AM EDT
Local ID                      ee795496-ef07-4ef1-8d89-f1a6fd6537da

Raw Audit Messages
type=AVC msg=audit(1348065370.650:5620): avc: denied { search } for pid=17328 comm="smbd" name="man" dev="dm-0" ino=1060 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir

type=SYSCALL msg=audit(1348065370.650:5620): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f03a57a50e0 a1=7fff94aa9420 a2=7fff94aa9420 a3=74 items=0 ppid=1625 pid=17328 auid=4294967295 uid=0 gid=0 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)

Hash: smbd,smbd_t,man_t,dir,search

audit2allow

#============= smbd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     samba_export_all_ro, samba_export_all_rw
allow smbd_t man_t:dir search;

audit2allow -R

#============= smbd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     samba_export_all_ro, samba_export_all_rw
allow smbd_t man_t:dir search;
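The two raw audit records in the report carry the facts the rest of the thread argues over: the AVC record says which SELinux domain was denied what on which target type, and the SYSCALL record with the same serial says which executable, pid and effective uid issued the call. The following is an added example, not code from the bug report, libreport or Samba, that parses both record types and joins them by serial; the sample log is a constructed copy of the two records above, and the field names are those of the Linux audit format.

```python
import re

# Constructed copy of the two audit records quoted in the report above (serial 5620)
AUDIT_LOG = """\
type=AVC msg=audit(1348065370.650:5620): avc: denied { search } for pid=17328 comm="smbd" name="man" dev="dm-0" ino=1060 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
type=SYSCALL msg=audit(1348065370.650:5620): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f03a57a50e0 a1=7fff94aa9420 a2=7fff94aa9420 a3=74 items=0 ppid=1625 pid=17328 auid=4294967295 uid=0 gid=0 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
PERMS = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(ctx):  # user:role:type:level -> type, None if the context is absent
    return ctx.split(":")[2] if ctx.count(":") >= 2 else None

def parse_record(line):
    # Split one audit line into record type, timestamp, serial and key=value fields
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m[1], "ts": float(m[2]), "serial": int(m[3])}
    if (p := PERMS.search(m[4])):  # only AVC records carry the denied permissions
        rec["perms"] = p[1].split()
    for key, val in FIELD.findall(m[4]):
        rec[key] = val.strip('"')
    return rec

def correlate(log_text):
    # Group records sharing an audit serial: they describe the same kernel event
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return events

def summarize(event):
    # Join the AVC record (what was denied) with the SYSCALL record (who did it)
    avc, sc = event.get("AVC", {}), event.get("SYSCALL", {})
    return {
        "denied": avc.get("perms", []),
        "tclass": avc.get("tclass"),
        "source_type": selinux_type(avc.get("scontext", "")),
        "target_type": selinux_type(avc.get("tcontext", "")),
        "exe": sc.get("exe"),
        "pid": int(sc.get("pid", 0)), "ppid": int(sc.get("ppid", 0)),
        "euid": int(sc.get("euid", -1)),  # effective uid when the syscall ran
        "syscall": sc.get("syscall"),
        "errno": sc.get("exit"),
    }
```

For the records above, `summarize(correlate(AUDIT_LOG)[5620])` reports smbd_t denied `search` on man_t by a `stat` from /usr/sbin/smbd (pid 17328, parent 1625) running with euid 1000, which is what the later "who is uid 1000" question in this thread is about.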
*** Bug 858740 has been marked as a duplicate of this bug. ***
#============= smbd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     samba_export_all_ro, samba_export_all_rw
Daniel,

The smb.conf comments state:

# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories...

Maybe this is a bug in smbd, but I do not have /usr/share/man or /usr/bin/ exported via samba. So as I understand it, I shouldn't have to set samba_export_all_ro and samba_export_all_rw. My smb.conf exports are:

[homes] (standard)
[printers] (standard)
[vartmp] (local share of /var/tmp)

So for some reason the smbd is trying to access /usr/share/man and /usr/bin/wodim (bug 858740) and /usr/sbin/ssmtp (bug 858739).

By the way, this seems to be new -- I haven't seen this before today.
Well, let's assign this to samba and see if they have any idea?
For reference, here is my smb.conf: http://pastebin.com/6m1UHdcm
Are you sure this is really smbd? We don't call wodim or ssmtp. I also don't find any reference in the code that we would scan the man directory. Why does the report state: executable: /usr/bin/python2.7 ???
Can we get samba log files of that time?
I believe python 2.7 is the executable of the selinux libreport tool, not the process doing the access. The rest of the report shows clearly smbd as the process in question. I guess it could be some sort of bug in the selinux auditing code.

I don't see anything in the samba log files at Sep 19th, you can see the last time the Samba logs were written was:

[root@edison ~]# ls -al /var/log/samba/
total 24
drwx------.  4 root root 4096 Jun 26 10:25 .
drwxr-xr-x. 20 root root 4096 Sep 21 03:43 ..
drwx------.  4 root root 4096 May 31 02:13 cores
-rw-r--r--.  1 root root    0 May 31 02:25 log.192.168.1.3
-rw-r--r--.  1 root root    0 Jun  5 03:25 log.newton
-rw-r--r--.  1 root root  708 Sep 17 13:14 log.nmbd
-rw-r--r--.  1 root root  257 Sep 17 13:14 log.smbd
drwx------.  2 root root 4096 Sep 16 03:30 old

However, the PID given in the Selinux alert denial (pid=17328) is still valid as of now:

[root@edison ~]# ps -ef | grep smb | grep -v grep
root      1625     1  0 Sep17 ?        00:00:00 /usr/sbin/smbd
root      1679  1625  0 Sep17 ?        00:00:00 /usr/sbin/smbd
root     17328  1625  0 Sep18 ?        00:00:02 /usr/sbin/smbd

For reference here are the complete audit logs referencing smbd (grep smbd /var/log/audit/audit.log.1): http://pastebin.com/raw.php?i=jcGYj3Bp
Who is the user with the uid 1000?
That is my normal user account:

[root@edison ~]# grep 1000 /etc/passwd
raman:x:1000:1000:Raman Gupta:/home/raman:/bin/bash
Cause this user tried to access the directory and tried to execute the binaries.
How can that be if smbd does not share that directory? You can see the shares I have exposed in my smb.conf.
Which samba version are you running?
rpm -qi samba
[root@edison ~]# rpm -qi samba
Name        : samba
Epoch       : 1
Version     : 3.6.6
Release     : 88.fc16
Architecture: x86_64
Install Date: Thu 05 Jul 2012 11:49:45 PM EDT
Group       : System Environment/Daemons
Size        : 18505343
License     : GPLv3+ and LGPLv3+
Signature   : RSA/SHA256, Tue 26 Jun 2012 12:54:03 PM EDT, Key ID 067f00b6a82ba4b7
Source RPM  : samba-3.6.6-88.fc16.src.rpm
Build Date  : Tue 26 Jun 2012 10:26:10 AM EDT
Build Host  : x86-14.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.samba.org/
Summary     : Server and Client software to interoperate with Windows machines
Description :
Samba is the suite of programs by which a lot of PC-related machines share
files, printers, and other information (such as lists of available files and
printers). The Windows NT, OS/2, and Linux operating systems support this
natively, and add-on packages can enable the same thing for DOS, Windows, VMS,
UNIX of all kinds, MVS, and more. This package provides an SMB/CIFS server that
can be used to provide network services to SMB/CIFS clients.
Samba uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need the NetBEUI
(Microsoft Raw NetBIOS frame) protocol.
[root@edison ~]# rpm -V samba
[root@edison ~]#
This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
We are unable to reproduce the reported issue. If you can reproduce it with the latest version and give detailed information how to reproduce it, we're happy to fix it.