F13: SELinux is preventing /usr/sbin/smbd "quotaget" access

Daniel J Walsh dwalsh at redhat.com
Fri Oct 1 15:38:06 UTC 2010

On 10/01/2010 11:32 AM, Daniel B. Thurman wrote:
>  On 10/01/2010 08:07 AM, Dominick Grift wrote:
>> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
>>> Below happened 224 times.
>>>
>>> How can I fix this?
>> I do not think samba_share_t is a type usable for filesystems. What are you trying to do and did that type end up on a filesystem object?
>>
> I think this problem might be related to mount & /etc/fstab:
> 
> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
> context=system_u:object_r:samba_share_t:s0,defaults  0 0
> 
> As before I was able to do:
> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
> context=system_u:object_r:samba_share_t:s0  0 0
> 
> Some recent release changed in the mount/fstab command/file
> such that it would not allow context only definition in the mount
> options argument in fstab and resulted preventing ntfs filesystems
> to be mounted at boot time, spewing out "argument required" errors
> for each ntfs mount attempted from the /etc/fstab file.  Adding
> ',defaults' to the option along with the context argument worked,
> except that having the 'defaults' argument also means SELinux
> will attempt to verify/enforce SELinux context information within
> the NTFS filesystems (which makes no sense), causing AVC denials,
> or so I think.
> 
> This is probably a bug, IMO.
> 
> I would like to know if anyone has already reported this issue
> to bugzilla, so that I can remove the ',defaults' entry from
> fstab for NTFS mounted filesystems.
> 
>>> ===========================================================================
>>> Summary:
>>>
>>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by smbd. It is not expected that this
>>> access is
>>> required by smbd and this access may signal an intrusion attempt. It is also
>>> possible that the specific version or configuration of the application is
>>> causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
>>> report.
>>>
>>> Additional Information:
>>>
>>> Source Context                system_u:system_r:smbd_t:s0
>>> Target Context                system_u:object_r:samba_share_t:s0
>>> Target Objects                None [ filesystem ]
>>> Source                        smbd
>>> Source Path                   /usr/sbin/smbd
>>> Port                          <Unknown>
>>> Host                          (removed)
>>> Source RPM Packages           samba-3.5.5-68.fc13
>>> Target RPM Packages
>>> Policy RPM                    selinux-policy-3.7.19-57.fc13
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   catchall
>>> Host Name                     (removed)
>>> Platform                      Linux host.domain.com 2.6.34.6-54.fc13.i686 #1 SMP Sun Sep 5 17:52:31 UTC 2010 i686 i686
>>> Alert Count                   224
>>> First Seen                    Thu 30 Sep 2010 11:32:04 AM PDT
>>> Last Seen                     Thu 30 Sep 2010 09:18:41 PM PDT
>>> Local ID                      01035ab1-2396-4e92-9b1e-09645d976534
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
>>> denied  { quotaget } for  pid=17451 comm="smbd"
>>> scontext=system_u:system_r:smbd_t:s0
>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
>>>
>>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
>>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
>>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
>>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
>>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
>>> subj=system_u:system_r:smbd_t:s0 key=(null)
>>>
>>>
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux

Yes, this is samba checking to see if quota is being enforced on the
filesystem, and it should be allowed.


Miroslav, can you add

allow smbd_t samba_share_t:filesystem { getattr quotaget };

to F13 policy.

Daniel, for now you can add this rule using audit2allow.

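As an added example (not from the thread, nor Fedora's or Samba's own code), the following Python does the core of what audit2allow does for the raw AVC record quoted above: it parses the denial lines and folds them into TE allow rules per source type, target type and class. The getattr record in the sample is constructed so the merge yields the same `{ getattr quotaget }` rule Dan proposes; everything else is taken from the report.

```python
"""Added example (not from the thread): fold raw AVC denial records into
SELinux TE allow rules, the core of what audit2allow does."""
import re
from collections import defaultdict

# Constructed sample: the quotaget denial from the report (joined onto one
# line) plus a constructed getattr denial on the same source/target/class,
# which is what the proposed { getattr quotaget } rule covers.
SAMPLE_AUDIT = """\
node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc: denied  { quotaget } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672): arch=40000003 syscall=131 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
node=host.domain.com type=AVC msg=audit(1285906721.500:102673): avc: denied  { getattr } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Type field of a user:role:type:mls context, e.g. smbd_t."""
    return context.split(":")[2]


def collect_denials(audit_text):
    """Map (source type, target type, class) -> denied permissions.
    SYSCALL and other non-AVC records are skipped."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials


def allow_rules(audit_text):
    """Render denials as TE allow rules (sorted for stable output)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(collect_denials(audit_text).items())
    ]


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
```

On a real host the equivalent is `audit2allow -M local < /var/log/audit/audit.log` followed by `semodule -i local.pp`; review the generated .te first, because a rule written from denials grants exactly what was denied, whether or not that access was legitimate.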