Bug 861416 - SELinux is preventing /usr/sbin/swat from 'read' accesses on the file smbd.pid.
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: x86_64
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-09-28 10:26 EDT by John Freed
Modified: 2012-09-28 17:55 EDT (History)
Last Closed: 2012-09-28 11:57:27 EDT
Description John Freed 2012-09-28 10:26:44 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.11-1.fc16.x86_64
time:           Fri 28 Sep 2012 04:24:39 PM CEST

:SELinux is preventing /usr/sbin/swat from 'read' accesses on the file smbd.pid.
:*****  Plugin catchall (100. confidence) suggests  ***************************
:If you believe that swat should be allowed read access on the smbd.pid file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep swat /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                system_u:system_r:swat_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:var_run_t:s0
:Target Objects                smbd.pid [ file ]
:Source                        swat
:Source Path                   /usr/sbin/swat
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           samba-swat-3.6.6-88.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-91.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.11-1.fc16.x86_64 #1 SMP Sun Sep
:                              16 13:50:06 UTC 2012 x86_64 x86_64
:Alert Count                   12
:First Seen                    Fri 28 Sep 2012 03:20:37 PM CEST
:Last Seen                     Fri 28 Sep 2012 03:28:36 PM CEST
:Local ID                      5aa49001-4cf8-48d6-bf80-557ca82b8605
:Raw Audit Messages
:type=AVC msg=audit(1348838916.540:14802): avc:  denied  { read } for  pid=31055 comm="swat" name="smbd.pid" dev="tmpfs" ino=660037 scontext=system_u:system_r:swat_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
:type=SYSCALL msg=audit(1348838916.540:14802): arch=x86_64 syscall=open success=no exit=EACCES a0=7f775fa6feb0 a1=800 a2=1a4 a3=e items=0 ppid=1257 pid=31055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=swat exe=/usr/sbin/swat subj=system_u:system_r:swat_t:s0-s0:c0.c1023 key=(null)
:Hash: swat,swat_t,var_run_t,file,read
:#============= swat_t ==============
:allow swat_t var_run_t:file read;
:audit2allow -R
:#============= swat_t ==============
:allow swat_t var_run_t:file read;
Comment 1 Daniel Walsh 2012-09-28 11:57:27 EDT
Looks like you have a mislabeled file in /run directory.

Did you start a service by hand?

restorecon -Rv /run
Comment 2 John Freed 2012-09-28 17:55:50 EDT
hmm ... restorecon -Rv had no output. Here is ls -Z /run/*mb* 

-rw-r--r--. root root system_u:object_r:nmbd_var_run_t:s0 nmbd.pid
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 smbd.pid

srwxrwxrwx. root root system_u:object_r:nmbd_var_run_t:s0 unexpected

Odd that nmbd.pid is different from smbd.pid

I started it using the Swat HTML interface at localhost:901. The nmbd had been crashing, however, so I had indeed started it by hand; maybe that was the problem. In any case, no sweat, and thanks as always.
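
A triage check for the situation in this thread, as an added example that is not part of the bug report or of selinux-policy: it parses an AVC denial and flags a target that looks mislabeled (the diagnosis in Comment 1) before a local allow rule is generated with audit2allow. The GENERIC_TYPES list, the verdict names and the second sample record are assumptions made for illustration.

```python
import re

# Generic types a file inherits from its parent directory when no type
# transition applied. Assumed, non-exhaustive list for this example.
GENERIC_TYPES = {"var_run_t", "var_lib_t", "var_log_t", "tmp_t", "etc_t",
                 "default_t", "file_t", "unlabeled_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
                    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")

# AVC record copied from the report above.
PAGE_AVC = ('type=AVC msg=audit(1348838916.540:14802): avc:  denied  { read } for  '
            'pid=31055 comm="swat" name="smbd.pid" dev="tmpfs" ino=660037 '
            'scontext=system_u:system_r:swat_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file')
# Constructed record: same access, but the target has a daemon-specific type
# (smbd_var_run_t, by analogy with nmbd_var_run_t in Comment 2).
CONSTRUCTED_AVC = ('type=AVC msg=audit(0.000:1): avc:  denied  { read } for  '
                   'pid=1 comm="swat" name="smbd.pid" dev="tmpfs" ino=1 '
                   'scontext=system_u:system_r:swat_t:s0 '
                   'tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file')

def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain colons."""
    parts = ctx.split(":", 3)
    keys = ("user", "role", "type", "level")
    return dict(zip(keys, parts + [""] * (4 - len(parts))))

def triage(line):
    """Return (verdict, reasons, avc) for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    avc = {"perms": m["perms"].split(), "tclass": m["c"],
           "source": parse_context(m["s"]), "target": parse_context(m["t"])}
    reasons = []
    if avc["tclass"] != "dir" and avc["target"]["type"] in GENERIC_TYPES:
        reasons.append("target has a generic directory type")
    if (avc["target"]["user"], avc["source"]["user"]) == ("unconfined_u", "system_u"):
        reasons.append("object created by an unconfined user, read by a system domain")
    return ("likely-mislabeled" if reasons else "review-policy"), reasons, avc

if __name__ == "__main__":
    for sample in (PAGE_AVC, CONSTRUCTED_AVC):
        verdict, reasons, avc = triage(sample)
        print(avc["source"]["type"], "->", avc["target"]["type"], verdict, reasons)
```

A "likely-mislabeled" verdict means the label should be inspected (ls -Z, restorecon) first, since the allow rule suggested in the report would grant swat_t read access to every var_run_t file.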
