On Wed, Sep 30, 2009 at 2:17 PM, Tony Molloy
<tony.molloy(a)ul.ie> wrote:
> On Wednesday 30 September 2009 12:18:17 Dominick Grift wrote:
>> On Wed, Sep 30, 2009 at 10:15:14AM +0100, Tony Molloy wrote:
>>> Hi,
>>>
>>> This is Centos 5.3 fully updated.
>>>
>>> I'm getting the following error from setroubleshoot
>>>
>>> SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old
>>> (samba_log_t).
>>>
>>> when samba tries to rotate the log files.
>>>
>>> Running sealert I get the following (edited)
>>>
>>> Summary:
>>>
>>> SELinux is preventing samba (smbd) "unlink" to ./log.cs244-24.old
>>> (samba_log_t).
>>>
>>> Detailed Description:
>>>
>>> SELinux denied samba access to ./log.cs244-24.old. If you want to share
>>> this directory with samba it has to have a file context label of
>>> samba_share_t. If ^^^^^^^^^^^^^
>>> you did not intend to use ./log.cs244-24.old as a samba repository it
>>> could indicate either a bug or it could signal a intrusion attempt.
>>>
>>> Allowing Access:
>>>
>>> You can alter the file context by executing chcon -R -t samba_share_t
>>> './log.cs244-24.old' You must also change the default file context files
>>> on the system in order to preserve them even on a full relabel. "semanage
>>> fcontext -a -t samba_share_t './log.cs244-24.old'"
>>>
>>> The following command will allow this access:
>>>
>>> chcon -R -t samba_share_t './log.cs244-24.old'
>>>
>>> Additional Information:
>>>
>>> Source Context root:system_r:smbd_t
>>> Target Context root:object_r:samba_log_t
>>> Target Objects ./log.cs244-24.old [ file ]
>>> Source smbd
>>> Source Path /usr/sbin/smbd
>>> Port <Unknown>
>>> Host janus.x.y.z
>>> Source RPM Packages samba-3.0.33-3.7.el5_3.1
>>> Target RPM Packages
>>> Policy RPM selinux-policy-2.4.6-203.el5
>>> Selinux Enabled True
>>> Policy Type targeted
>>> MLS Enabled True
>>> Enforcing Mode Enforcing
>>> Plugin Name samba_share
>>> Host Name janus.x.y.z
>>> Platform Linux janus.x.y.z 2.6.18-128.7.1.el5 #1 SMP
>>> Mon Aug 24 08:21:56 EDT 2009 x86_64 x86_64
>>> Alert Count 53
>>> First Seen Fri Sep 25 15:54:24 2009
>>> Last Seen Tue Sep 29 15:55:25 2009
>>> Local ID e4426abc-3b0b-4df2-a380-3f0fba344c63
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied
>>> { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5
>>> ino=164076 scontext=root:system_r:smbd_t:s0
>>> tcontext=root:object_r:samba_log_t:s0 tclass=file
>>>
>>> host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641):
>>> arch=c000003e syscall=82 success=no exit=-13 a0=2b1b457b5220
>>> a1=7fffa9a7ba90 a2=1f a3=0 items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0
>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1675
>>> comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
>>>
>>>
>>> log.cs244-24.old is a file, not a directory, and it's located in
>>> the /var/log/samba directory with permissions
>>> system_u:object_r:samba_log_t samba
>>>
>>> Any ideas,
>>
>> Looks like a valid bug in selinux-policy to me:
>>
>> echo "avc: denied {
>> unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5
>> ino=164076 scontext=root:system_r:smbd_t:s0
>> tcontext=root:object_r:samba_log_t:s0 tclass=file" | audit2allow -M mysmbd;
>> /usr/sbin/semodule -i mysmbd.pp
>>
>> Should grant this particular access vector.
>>
>
> Thanks, I generated a local policy to allow it.
>
Originally, what is the result of this? On my system:
sesearch -s smbd_t -c file --allow | grep samba_log_t
allow smbd_t samba_log_t : file { ioctl read write create getattr setattr
lock append unlink link rename };
allow smbd_t samba_log_t : file { ioctl read getattr lock };
allow smbd_t samba_log_t : file { ioctl read write create getattr setattr
lock append unlink link rename };
Because I have no problem, and in fact unlink is allowed.
Are you sure you have selinux-policy-targeted installed?
Regards
> Regards,
>
> Tony
>>> Tony
>>>
>>> --
>>>
>>> Dept. of Comp. Sci.
>>> University of Limerick.
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list(a)redhat.com
>>>
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
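A small triage helper, added here and not part of the thread, that does the check the last reply performs by hand: parse the AVC denial into source type, target type, object class and requested permissions, parse the `sesearch --allow` lines, and report which requested permissions no loaded rule grants (an empty result means the policy already allows the access, so the denial points elsewhere, e.g. a missing policy package). The sample strings are the thread's own messages re-joined onto single lines; the function names are mine.

```python
import re

# Constructed sample: the AVC denial quoted in the thread, on one line.
AVC_LINE = ('host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied '
            '{ unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 '
            'ino=164076 scontext=root:system_r:smbd_t:s0 '
            'tcontext=root:object_r:samba_log_t:s0 tclass=file')

# Constructed sample: output of `sesearch -s smbd_t -c file --allow | grep samba_log_t`
# from the thread, with the wrapped lines re-joined.
SESEARCH_OUTPUT = """\
allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow smbd_t samba_log_t : file { ioctl read getattr lock };
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

ALLOW_RE = re.compile(r'^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{\s*([^}]+?)\s*\}\s*;')


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) from an 'avc: denied' line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    # A context is user:role:type[:range]; the type is the third field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())


def parse_allow_rules(text):
    """Yield (source_type, target_type, tclass, {perms}) for each sesearch allow line."""
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), set(m.group(4).split())


def missing_perms(avc_line, sesearch_text):
    """Permissions the denial asked for that no matching allow rule grants."""
    stype, ttype, tclass, wanted = parse_avc(avc_line)
    granted = set()
    for s, t, c, perms in parse_allow_rules(sesearch_text):
        if (s, t, c) == (stype, ttype, tclass):
            granted |= perms
    return wanted - granted
```

On the replier's system `missing_perms(AVC_LINE, SESEARCH_OUTPUT)` is empty, which is exactly why the denial looked suspicious to them.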