Bug 861416 - SELinux is preventing /usr/sbin/swat from 'read' accesses on the file smbd.pid.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:0f521aea05f538333f31ef96fc0...
Depends On:
Blocks:
 
Reported: 2012-09-28 14:26 UTC by John Freed
Modified: 2012-09-28 21:55 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-09-28 15:57:27 UTC
Type: ---
Embargoed:



Description John Freed 2012-09-28 14:26:44 UTC
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.11-1.fc16.x86_64
time:           Fri 28 Sep 2012 04:24:39 PM CEST

description:
:SELinux is preventing /usr/sbin/swat from 'read' accesses on the file smbd.pid.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that swat should be allowed read access on the smbd.pid file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep swat /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:swat_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:var_run_t:s0
:Target Objects                smbd.pid [ file ]
:Source                        swat
:Source Path                   /usr/sbin/swat
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           samba-swat-3.6.6-88.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-91.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.11-1.fc16.x86_64 #1 SMP Sun Sep
:                              16 13:50:06 UTC 2012 x86_64 x86_64
:Alert Count                   12
:First Seen                    Fri 28 Sep 2012 03:20:37 PM CEST
:Last Seen                     Fri 28 Sep 2012 03:28:36 PM CEST
:Local ID                      5aa49001-4cf8-48d6-bf80-557ca82b8605
:
:Raw Audit Messages
:type=AVC msg=audit(1348838916.540:14802): avc:  denied  { read } for  pid=31055 comm="swat" name="smbd.pid" dev="tmpfs" ino=660037 scontext=system_u:system_r:swat_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1348838916.540:14802): arch=x86_64 syscall=open success=no exit=EACCES a0=7f775fa6feb0 a1=800 a2=1a4 a3=e items=0 ppid=1257 pid=31055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=swat exe=/usr/sbin/swat subj=system_u:system_r:swat_t:s0-s0:c0.c1023 key=(null)
:
:Hash: swat,swat_t,var_run_t,file,read
:
:audit2allow
:
:#============= swat_t ==============
:allow swat_t var_run_t:file read;
:
:audit2allow -R
:
:#============= swat_t ==============
:allow swat_t var_run_t:file read;
:

Comment 1 Daniel Walsh 2012-09-28 15:57:27 UTC
Looks like you have a mislabeled file in /run directory.

Did you start a service by hand?

restorecon -Rv /run

Comment 2 John Freed 2012-09-28 21:55:50 UTC
hmm ... restorecon -Rv had no output. Here is ls -Z /run/*mb* 

-rw-r--r--. root root system_u:object_r:nmbd_var_run_t:s0 nmbd.pid
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 smbd.pid

nmbd:
srwxrwxrwx. root root system_u:object_r:nmbd_var_run_t:s0 unexpected

Odd that nmbd.pid is different from smbd.pid

I started it using the Swat HTML interface at localhost:901. The nmbd had been crashing, however, so I had indeed started it by hand, maybe that was the problem. In any case, no sweat, and thanks as always.
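
The diagnosis in this thread (a mislabeled file rather than a missing policy rule) can be read straight off the AVC record. The following is an added example, not part of the original report or of any SELinux tool: it parses the denial and flags targets that carry a generic directory type. The function names and the list of generic types are assumptions of this example.

```sh
#!/bin/sh
# Triage an AVC denial before reaching for audit2allow (added example).

# Sample input: the AVC record from the report above, copied verbatim.
SAMPLE_AVC='type=AVC msg=audit(1348838916.540:14802): avc:  denied  { read } for  pid=31055 comm="swat" name="smbd.pid" dev="tmpfs" ino=660037 scontext=system_u:system_r:swat_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=... with quotes stripped.
# Splits on spaces, so object names containing spaces are not handled.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# context_part CONTEXT N: Nth colon-separated field (1 = user, 3 = type).
context_part() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Heuristic (assumption of this example): a target that carries one of these
# generic types usually inherited its label from the parent directory, i.e. it
# was created without the type transition the confined service would get.
is_generic_type() {
    case "$1" in
        var_run_t|tmp_t|var_t|var_lib_t|var_log_t|etc_t|usr_t|default_t|file_t|unlabeled_t) return 0 ;;
        *) return 1 ;;
    esac
}

# triage_avc LINE: print "relabel ..." or "review-policy ..." plus the fields used.
triage_avc() {
    line=$1
    name=$(avc_field "$line" name)
    tclass=$(avc_field "$line" tclass)
    scon=$(avc_field "$line" scontext)
    tcon=$(avc_field "$line" tcontext)
    stype=$(context_part "$scon" 3)
    ttype=$(context_part "$tcon" 3)
    tuser=$(context_part "$tcon" 1)
    if is_generic_type "$ttype"; then verdict=relabel; else verdict=review-policy; fi
    printf '%s source=%s target=%s tuser=%s class=%s name=%s\n' \
        "$verdict" "$stype" "$ttype" "$tuser" "$tclass" "$name"
}

triage_avc "$SAMPLE_AVC"
```

A `relabel` verdict points at the `restorecon` step from Comment 1 rather than the `audit2allow` module the alert suggests.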

