-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Richard Chapman wrote:
Thanks Paul. Your observation that the problem is the
~/.spamassassin
directory is very enlightening.
Nonetheless - I imagine that in enforcing mode - I will get lots of
errors - and possibly samba delays - so it probably still needs fixing.
Can you suggest why I might have this problem - and how best to fix it?
Richard.
Paul Howarth wrote:
> Richard Chapman wrote:
>> I am running SELinux in permissive mode. I want to allow samba access
>> to user home directories.
>> At setroubleshoot's suggestion (see below) - I did the following at
>> a shell prompt:
>>
>> setsebool -P samba_enable_home_dirs=1
>>
>> This seemed to solve the problem. But after a reboot the denials are
>> back. I assume the boolean is not carried across a reboot.
>>
>> If my assumption is correct - where is the recommended place to put the:
>>
>> setsebool -P samba_enable_home_dirs=1
>>
>> command?
>> Should I create a local policy module and put it there - or is there
>> some other recommended place? If anyone can point me to a recommended
>> procedure ...
>>
>> Thanks
>>
>> Richard.
>
> You've done what you needed to do already - the -P option makes the
> boolean persist across reboots.
>
>> Summary:
>>
>> SELinux is preventing the samba daemon from reading users' home
>> directories.
>
> This summary is actually slightly misleading in this case.
>
>> Detailed Description:
>>
>> [SELinux is in permissive mode, the operation would have been denied
>> but was
>> permitted due to permissive mode.]
>>
>> SELinux has denied the samba daemon access to users' home
>> directories. Someone
>> is attempting to access your home directories via your samba daemon.
>> If you only
>> setup samba to share non-home directories, this probably signals an
>> intrusion
>> attempt. For more information on SELinux integration with samba, look
>> at the
>> samba_selinux man page. (man samba_selinux)
>>
>> Allowing Access:
>>
>> If you want samba to share home directories you need to turn on the
>> samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
>>
>> The following command will allow this access:
>>
>> setsebool -P samba_enable_home_dirs=1
>>
>> Additional Information:
>>
>> Source Context system_u:system_r:smbd_t
>> Target Context user_u:object_r:spamassassin_home_t
>> Target Objects ./.spamassassin [ dir ]
>> Source smbd
>> Source Path /usr/sbin/smbd
>> Port <Unknown>
>> Host C5.aardvark.com.au
>> Source RPM Packages samba-3.0.28-1.el5_2.1
>> Target RPM Packages Policy RPM
>> selinux-policy-2.4.6-203.el5
>> Selinux Enabled True
>> Policy Type targeted
>> MLS Enabled True
>> Enforcing Mode Permissive
>> Plugin Name samba_enable_home_dirs
>> Host Name C5.aardvark.com.au
>> Platform Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
>> Alert Count 2
>> First Seen Tue 13 Jan 2009 10:59:19 PM WST
>> Last Seen Tue 13 Jan 2009 10:59:23 PM WST
>> Local ID 70f6525d-ce9d-40a4-a558-c3db06781ae9
>> Line Numbers Raw Audit Messages
>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
>> avc: denied { search } for pid=8841 comm="smbd"
>> name=".spamassassin" dev=dm-0 ino=26155019
>> scontext=system_u:system_r:smbd_t:s0
>> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
>> avc: denied { search } for pid=8841 comm="smbd"
>> name=".spamassassin" dev=dm-0 ino=26155019
>> scontext=system_u:system_r:smbd_t:s0
>> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
>> avc: denied { getattr } for pid=8841 comm="smbd"
>> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415
>> scontext=system_u:system_r:smbd_t:s0
>> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
>> avc: denied { getattr } for pid=8841 comm="smbd"
>> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415
>> scontext=system_u:system_r:smbd_t:s0
>> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>>
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624):
>> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0
>> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510
>> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501
>> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd"
>> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
>>
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624):
>> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0
>> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510
>> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501
>> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd"
>> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
>
> These denials are all for the ~/.spamassassin directory and its
> contents, not the home directory in general. Browsing the majority of
> the home directory would work just fine in enforcing mode.
>
> Paul.
>
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This is a bug in policy.
Samba should be able to read all content in the home directory.
Really need a new interface designed.
#######################################
## <summary>
##	Manage any content in the home directory
## </summary>
## <param name="userdomain">
##	<summary>
##	The user domain
##	</summary>
## </param>
## <rolebase/>
#
interface(`userdom_manage_home_content',`
	gen_require(`
		type user_home_dir_t;
		type user_home_t;
		attribute user_home_type;
	')

	files_list_home($1)
	manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	# new objects created directly under the home directory get user_home_t,
	# so that type has to be in gen_require as well
	filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
')
And
tunable_policy(`samba_enable_home_dirs',`
	userdom_manage_home_content(smbd_t)
')
I have added this to rawhide, please open a bugzilla for this in F10.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmHP0EACgkQrlYvE4MpobNWzACfS3xX+Nh5tofzMSnzl6j5sAng
Zv0AoL+9K5Qy9iui5wFT3YzqOaMnHaDj
=Wxbi
-----END PGP SIGNATURE-----
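As an added example, not code from this thread or from the Fedora policy, the POSIX shell script below does by hand what Paul did by eye: it reduces the raw AVC records from the setroubleshoot report to unique (source type, target type, class, permission) tuples, which makes it plain that every denial targets spamassassin_home_t rather than the home directory itself, and then emits an interim local policy module in the syntax checkmodule accepts, granting only the permissions actually denied. That is one answer to Richard's question about where a local module would go while waiting for the policy fix Dan describes. The AVC lines are copied from the report above and unwrapped onto single lines; the module name local_samba_spamassassin and the build steps are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread or the Fedora policy: reduce AVC records
# to type-pair/permission tuples, then emit a minimal local policy module.
set -eu

# Sample input: the AVC lines from the setroubleshoot report in the thread,
# unwrapped onto one line each, plus one SYSCALL record that must be ignored.
# The duplicates are deliberate; setroubleshoot printed each denial twice.
SAMPLE_AVCS='type=AVC msg=audit(1231855163.997:6624): avc: denied { search } for pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1231855163.997:6624): avc: denied { search } for pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1231855163.997:6624): avc: denied { getattr } for pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
type=AVC msg=audit(1231855163.997:6624): avc: denied { getattr } for pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1231855163.997:6624): arch=c000003e syscall=4 success=yes exit=0 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)'

# Print one "source_type target_type class permission" line per denied
# permission in the AVC records on stdin. Only the type component of each
# context is kept, because that is all an allow rule needs.
avc_tuples() {
    awk '
        /type=AVC/ && /avc: +denied/ {
            stype = ""; ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); stype = c[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            # the denied permissions are the words between the braces
            if (match($0, /[{][^}]*[}]/)) {
                n = split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")
                for (j = 1; j <= n; j++) print stype, ttype, tclass, p[j]
            }
        }'
}

# Count how often each tuple was denied: the quickest way to see that the
# target type is spamassassin_home_t, not user_home_t or user_home_dir_t.
avc_summary() {
    avc_tuples | sort | uniq -c
}

# Emit module source (the shape audit2allow -M produces) granting exactly
# the denied permissions. $1 is the module name, an assumption of this example.
avc_to_te() {
    avc_tuples | sort -u | awk -v name="$1" '
        {
            key = $1 " " $2 ":" $3
            rules[key] = rules[key] " " $4
            types[$1] = 1; types[$2] = 1
            if (!(($3, $4) in seen)) { seen[$3, $4] = 1; classes[$3] = classes[$3] " " $4 }
        }
        END {
            printf "module %s 1.0;\n\nrequire {\n", name
            for (t in types) printf "\ttype %s;\n", t
            for (c in classes) printf "\tclass %s {%s };\n", c, classes[c]
            printf "}\n\n"
            for (k in rules) printf "allow %s {%s };\n", k, rules[k]
        }'
}

# Compile and load "$1.te"; needs checkmodule, semodule_package and semodule
# from policycoreutils, and root for the final step. Not invoked below.
build_module() {
    checkmodule -M -m -o "$1.mod" "$1.te"
    semodule_package -o "$1.pp" -m "$1.mod"
    semodule -i "$1.pp"
}

printf '%s\n' "$SAMPLE_AVCS" | avc_summary
printf '%s\n' "$SAMPLE_AVCS" | avc_to_te local_samba_spamassassin
```

To use it on a live box, feed `ausearch -m avc -ts recent` into avc_to_te, write the output to local_samba_spamassassin.te, and run build_module on that name. The generated module mirrors only what was denied (search on the directory, getattr on the file), so a real share of ~/.spamassassin would need further AVCs and another round; Dan's policy change instead gives smbd_t full manage access to home content under the samba_enable_home_dirs boolean, which is why the proper fix is the policy update rather than a local module. Whether the boolean survived the reboot can be confirmed with getsebool samba_enable_home_dirs, as Paul notes it should after setsebool -P.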