-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/01/2010 11:41 AM, Daniel B. Thurman wrote:
On 10/01/2010 08:38 AM, Daniel J Walsh wrote:
> On 10/01/2010 11:32 AM, Daniel B. Thurman wrote:
>> On 10/01/2010 08:07 AM, Dominick Grift wrote:
>>> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
>>>> Below happened 224 times.
>>>>
>>>> How can I fix this?
>>> I do not think samba_share_t is a type usable for filesystems. What
>>> are you trying to do and did that type end up on a filesystem object?
>>>
>> I think this problem might be related to mount & /etc/fstab:
>
>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
>> context=system_u:object_r:samba_share_t:s0,defaults 0 0
>
>> As before I was able to do:
>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
>> context=system_u:object_r:samba_share_t:s0 0 0
>
>> Some recent release changed in the mount/fstab command/file
>> such that it would not allow context only definition in the mount
>> options argument in fstab and resulted preventing ntfs filesystems
>> to be mounted at boot time, spewing out "argument required" errors
>> for each ntfs mount attempted from the /etc/fstab file. Adding
>> ',defaults' to the option along with the context argument worked,
>> except that having the 'defaults' argument also means SELinux
>> will attempt to verify/enforce SELinux context information within
>> the NTFS filesystems (which makes no sense), causing AVC denials,
>> or so I think.
>
>> This is probably a bug, IMO.
>
>> I would like to know if anyone has already reported this issue
>> to bugzilla, so that I can remove the ',defaults' entry from
>> fstab for NTFS mounted filesystems.
>
>>>>
>>>> ===========================================================================
>>>> Summary:
>>>>
>>>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
>>>>
>>>> Detailed Description:
>>>>
>>>> SELinux denied access requested by smbd. It is not expected that this
>>>> access is required by smbd and this access may signal an intrusion attempt.
>>>> It is also possible that the specific version or configuration of the
>>>> application is causing it to require additional access.
>>>>
>>>> Allowing Access:
>>>>
>>>> You can generate a local policy module to allow this access - see FAQ
>>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please
>>>> file a bug report.
>>>>
>>>> Additional Information:
>>>>
>>>> Source Context system_u:system_r:smbd_t:s0
>>>> Target Context system_u:object_r:samba_share_t:s0
>>>> Target Objects None [ filesystem ]
>>>> Source smbd
>>>> Source Path /usr/sbin/smbd
>>>> Port <Unknown>
>>>> Host (removed)
>>>> Source RPM Packages samba-3.5.5-68.fc13
>>>> Target RPM Packages
>>>> Policy RPM selinux-policy-3.7.19-57.fc13
>>>> Selinux Enabled True
>>>> Policy Type targeted
>>>> Enforcing Mode Enforcing
>>>> Plugin Name catchall
>>>> Host Name (removed)
>>>> Platform Linux host.domain.com 2.6.34.6-54.fc13.i686 #1 SMP
>>>> Sun Sep 5 17:52:31 UTC 2010 i686 i686
>>>> Alert Count 224
>>>> First Seen Thu 30 Sep 2010 11:32:04 AM PDT
>>>> Last Seen Thu 30 Sep 2010 09:18:41 PM PDT
>>>> Local ID 01035ab1-2396-4e92-9b1e-09645d976534
>>>> Line Numbers
>>>>
>>>> Raw Audit Messages
>>>>
>>>>
>>>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
>>>> denied { quotaget } for pid=17451 comm="smbd"
>>>> scontext=system_u:system_r:smbd_t:s0
>>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
>>>>
>>>>
>>>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
>>>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
>>>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
>>>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
>>>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
>>>> subj=system_u:system_r:smbd_t:s0 key=(null)
>>>>
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux(a)lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Yes this is samba checking to see if quota is being enforced on the
> filesystem, And it should be allowed.
>
>
> Miroslav can you add
>
> allow smbd_t samba_share_t:filesystem { getattr quotaget };
>
> To F13 policy.
>
> Daniel, for now you can add this rule using audit2allow.
>
I apologize as I have a very short memory, Details please?
Can you give me a link that I can bookmark so that I can
refer to the instructions instead of asking you for instructions
every time? ;)
Thanks!
Dan
I am working on a new version of setroubleshoot which will print a
message like.
sealert -a /tmp/t
100% donefound 1 alerts in /tmp/t
-
--------------------------------------------------------------------------------
SELinux is preventing smbd from quotaget access on the filesystem port None.
Plugin catchall (100% confidence) suggests:
If you want to allow smbd to have quotaget access on the port None
filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:smbd_t:s0
Target Context system_u:object_r:samba_share_t:s0
Target Objects port None [ filesystem ]
Source smbd
Source Path smbd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.5-7.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.36-0.28.rc6.git0.fc15.x86_64 #1 SMP
Wed Sep 29
01:47:32 UTC 2010 x86_64 x86_64
Alert Count 1
First Seen Fri Oct 1 00:18:41 2010
Last Seen Fri Oct 1 00:18:41 2010
Local ID e823b86e-f5a3-4b4f-b8fd-021400546def
Raw Audit Messages
type=AVC msg=audit(1285906721.444:102672): avc: denied { quotaget }
for pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
smbd,smbd_t,samba_share_t,filesystem,quotaget
#============= smbd_t ==============
allow smbd_t samba_share_t:filesystem quotaget;
Needs some work, but you get the idea.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org/
iEYEARECAAYFAkymAlgACgkQrlYvE4MpobMl9wCg0b4ZAZ75rJEd1DHHnrqIKyHU
uvoAnAoq1rFcwjHmZaZRrcxNOqMjpNon
=JLvZ
-----END PGP SIGNATURE-----
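The thread's interim fix is `grep smbd /var/log/audit/audit.log | audit2allow -M mypol` followed by `semodule -i mypol.pp`. The script below is an added illustration, not code from the thread and not audit2allow or setroubleshoot itself: it parses raw `type=AVC` audit records, aggregates the denied permissions per (source type, target type, object class), and renders them as the `.te` policy source that `audit2allow -M` would write. The sample log embedded in it is constructed: the first record is the AVC line quoted in the thread, the others (a `getattr` denial for the same pair, a SYSCALL record, and a `granted` record) are made up to show aggregation and filtering. Function names and the regular expression are this example's own; the module name `mypol` is taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample audit log: line 1 is the AVC record from the thread, the
# rest are made-up records to exercise aggregation and filtering.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1285906721.444:102672): avc:  denied  { quotaget } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1285906721.444:102672): arch=40000003 syscall=131 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1285906799.000:102700): avc:  denied  { getattr } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
type=AVC msg=audit(1285906800.000:102701): avc:  granted  { read } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Matches only AVC records; SYSCALL and other record types are ignored.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the parsed AVC record as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "decision": m["decision"],
        "perms": m["perms"].split(),
        "source_type": selinux_type(m["scontext"]),
        "target_type": selinux_type(m["tcontext"]),
        "tclass": m["tclass"],
    }


def collect_denials(log_text):
    """Aggregate denied permissions keyed by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue  # skip SYSCALL records and granted (audited-allow) events
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        rules[key].update(rec["perms"])
    return rules


def format_perms(perms):
    """Policy syntax: a single permission bare, several in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(rules):
    """Render one allow rule per aggregated (source, target, class) triple."""
    return [f"allow {s} {t}:{c} {format_perms(p)};"
            for (s, t, c), p in sorted(rules.items())]


def policy_module(rules, name="mypol"):
    """Render the .te source in the layout audit2allow -M produces."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, c), p in rules.items():
        classes[c].update(p)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {format_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for src in sorted({s for s, _, _ in rules}):
        lines.append(f"#============= {src} ==============")
        lines += allow_rules({k: v for k, v in rules.items() if k[0] == src})
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module(collect_denials(SAMPLE_AUDIT_LOG)))
```

The output contains exactly the permissions observed in the log and nothing more, which is why the thread's advice to inspect the generated module before `semodule -i` and to report the denial as a policy bug still applies: a rule derived from a single denial (here `quotaget` alone) can be narrower than the access the daemon actually needs, and a denial caused by a mislabelled filesystem is better fixed by correcting the label than by widening policy.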