Setting Samba Boolean. Recommended method?
Paul Howarth
paul at city-fan.org
Fri Jan 16 10:18:41 UTC 2009
Richard Chapman wrote:
> I am running SElinux in permissive mode. I want to allow samba access to
> user home directories.
> At setroubleshooters suggestion (see below) - I did the following at a
> shell prompt:
>
> Ø *setsebool -P samba_enable_home_dirs=1
>
>
> *
>
> This seemed to solve the problem. But after a reboot the denials are
> back. I assume the boolean is not carried across a reboot.
>
> If my assumption is correct - where is the recommended place to put the:
>
> setsebool -P samba_enable_home_dirs=1
>
> command?
> Should I create a local policy module and put it there - or is there
> some other recommended place? If anyone can point me to a recommended
> procedure ...
>
> Thanks
>
> Richard.
You've done what you needed to do already - the -P option makes the
boolean persist across reboots.
> Summary:
>
> SELinux is preventing the samba daemon from reading users' home
> directories.
This summary is actually slightly misleading in this case.
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but
> was
> permitted due to permissive mode.]
>
> SELinux has denied the samba daemon access to users' home directories.
> Someone
> is attempting to access your home directories via your samba daemon. If
> you only
> setup samba to share non-home directories, this probably signals a
> intrusion
> attempt. For more information on SELinux integration with samba, look at
> the
> samba_selinux man page. (man samba_selinux)
>
> Allowing Access:
>
> If you want samba to share home directories you need to turn on the
> samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
>
> The following command will allow this access:
>
> setsebool -P samba_enable_home_dirs=1
>
> Additional Information:
>
> Source Context system_u:system_r:smbd_t
> Target Context user_u:object_r:spamassassin_home_t
> Target Objects ./.spamassassin [ dir ]
> Source smbd
> Source Path /usr/sbin/smbd
> Port <Unknown>
> Host C5.aardvark.com.au
> Source RPM Packages samba-3.0.28-1.el5_2.1
> Target RPM Packages Policy RPM
> selinux-policy-2.4.6-203.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name samba_enable_home_dirs
> Host Name C5.aardvark.com.au
> Platform Linux C5.aardvark.com.au
> 2.6.18-92.1.22.el5 #1 SMP
> Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count 2
> First Seen Tue 13 Jan 2009 10:59:19 PM WST
> Last Seen Tue 13 Jan 2009 10:59:23 PM WST
> Local ID 70f6525d-ce9d-40a4-a558-c3db06781ae9
> Line Numbers
> Raw Audit Messages
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:
> denied { search } for pid=8841 comm="smbd" name=".spamassassin"
> dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0
> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:
> denied { search } for pid=8841 comm="smbd" name=".spamassassin"
> dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0
> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:
> denied { getattr } for pid=8841 comm="smbd"
> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:
> denied { getattr } for pid=8841 comm="smbd"
> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624):
> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0
> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510
> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501
> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd"
> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
>
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624):
> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0
> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510
> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501
> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd"
> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
These denials are all for the ~/.spamassassin directory and its
contents, not the home directory in general. Browsing the majority of
the home directory would work just fine in enforcing mode.
Paul.
More information about the selinux
mailing list