On 10/01/2010 11:32 AM, Daniel B. Thurman wrote:
> On 10/01/2010 08:07 AM, Dominick Grift wrote:
>> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
>>> Below happened 224 times.
>>>
>>> How can I fix this?
>> I do not think samba_share_t is a type usable for filesystems. What are you
>> trying to do and did that type end up on a filesystem object?
>>
> I think this problem might be related to mount & /etc/fstab:
>
> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
> context=system_u:object_r:samba_share_t:s0,defaults 0 0
>
> As before I was able to do:
> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
> context=system_u:object_r:samba_share_t:s0 0 0
>
> Some recent release changed in the mount/fstab command/file
> such that it would not allow context only definition in the mount
> options argument in fstab and resulted preventing ntfs filesystems
> to be mounted at boot time, spewing out "argument required" errors
> for each ntfs mount attempted from the /etc/fstab file. Adding
> ',defaults' to the option along with the context argument worked,
> except that having the 'defaults' argument also means SELinux
> will attempt to verify/enforce SELinux context information within
> the NTFS filesystems (which makes no sense), causing AVC denials,
> or so I think.
>
> This is probably a bug, IMO.
>
> I would like to know if anyone has already reported this issue
> to bugzilla, so that I can remove the ',defaults' entry from
> fstab for NTFS mounted filesystems.
>
>>> ===========================================================================
>>> Summary:
>>>
>>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by smbd. It is not expected that this
>>> access is
>>> required by smbd and this access may signal an intrusion attempt. It is also
>>> possible that the specific version or configuration of the application is
>>> causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
>>> report.
>>>
>>> Additional Information:
>>>
>>> Source Context system_u:system_r:smbd_t:s0
>>> Target Context system_u:object_r:samba_share_t:s0
>>> Target Objects None [ filesystem ]
>>> Source smbd
>>> Source Path /usr/sbin/smbd
>>> Port <Unknown>
>>> Host (removed)
>>> Source RPM Packages samba-3.5.5-68.fc13
>>> Target RPM Packages
>>> Policy RPM selinux-policy-3.7.19-57.fc13
>>> Selinux Enabled True
>>> Policy Type targeted
>>> Enforcing Mode Enforcing
>>> Plugin Name catchall
>>> Host Name (removed)
>>> Platform Linux host.domain.com
>>> 2.6.34.6-54.fc13.i686 #1 SMP
>>> Sun Sep 5 17:52:31 UTC 2010 i686 i686
>>> Alert Count 224
>>> First Seen Thu 30 Sep 2010 11:32:04 AM PDT
>>> Last Seen Thu 30 Sep 2010 09:18:41 PM PDT
>>> Local ID 01035ab1-2396-4e92-9b1e-09645d976534
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>>
>>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
>>> denied { quotaget } for pid=17451 comm="smbd"
>>> scontext=system_u:system_r:smbd_t:s0
>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
>>>
>>>
>>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
>>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
>>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
>>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
>>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
>>> subj=system_u:system_r:smbd_t:s0 key=(null)
>>>
>>>
>>> --
>>> selinux mailing list
>>> selinux(a)lists.fedoraproject.org
>>>
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
Yes, this is samba checking to see if quota is being enforced on the
filesystem, and it should be allowed.
Miroslav, can you add
allow smbd_t samba_share_t:filesystem { getattr quotaget };
to F13 policy.
Added to selinux-policy-3.7.19-64.fc13.noarch.
Daniel, for now you can add this rule using audit2allow.
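As an added example (not code from the thread or from the Fedora policy tools), here is the audit2allow step suggested above carried out by hand: it parses the raw AVC record from the alert, plus a constructed second record for the getattr permission the proposed rule also covers, into the allow rule and a loadable policy module source. AVC_RE and the module name samba_quota are assumptions.

```python
import re
from collections import defaultdict

# First record is the AVC line from the thread; the second is constructed to
# show that permissions for the same source/target/class get merged.
AVC_LINES = [
    'node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc: '
    'denied { quotaget } for pid=17451 comm="smbd" '
    'scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem',
    'node=host.domain.com type=AVC msg=audit(1285906722.001:102673): avc: '
    'denied { getattr } for pid=17451 comm="smbd" '
    'scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem',
]
AVC_RE = re.compile(  # assumed pattern: just enough of the record for the tuple
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    return context.split(':')[2]  # user:role:type:level -> type

def collect_denials(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    perms = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
        perms[key].update(m['perms'].split())
    return perms

def allow_rules(perms):
    # One allow statement per tuple; permissions sorted for stable output.
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

def policy_module(name, perms):
    """Render .te source in the shape `audit2allow -M` writes (require + allow)."""
    types = sorted({s for s, _, _ in perms} | {t for _, t, _ in perms})
    classes = defaultdict(set)
    for (_, _, c), p in perms.items():
        classes[c].update(p)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(perms)
    return "\n".join(out) + "\n"
```

The rendered .te text is what you would feed to checkmodule and semodule_package before loading it with semodule, exactly as audit2allow -M does for you.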