On Wednesday 30 September 2009 12:18:17 Dominick Grift wrote:
On Wed, Sep 30, 2009 at 10:15:14AM +0100, Tony Molloy wrote:
> Hi,
>
> This is Centos 5.3 fully updated.
>
> Im getting the following error from setroubleshoot
>
> SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old
> (samba_log_t).
>
> when samba tries to rotate the log files.
>
> Running sealert I get the following ( edited )
>
> Summary:
>
> SELinux is preventing samba (smbd) "unlink" to ./log.cs244-24.old
> (samba_log_t).
>
> Detailed Description:
>
> SELinux denied samba access to ./log.cs244-24.old. If you want to share
> this directory with samba it has to have a file context label of
> samba_share_t. If ^^^^^^^^^^^^^
> you did not intend to use ./log.cs244-24.old as a samba repository it
> could indicate either a bug or it could signal a intrusion attempt.
>
> Allowing Access:
>
> You can alter the file context by executing chcon -R -t samba_share_t
> './log.cs244-24.old' You must also change the default file context files
> on the
> system in order to preserve them even on a full relabel. "semanage
> fcontext -a -t samba_share_t './log.cs244-24.old'"
>
> The following command will allow this access:
>
> chcon -R -t samba_share_t './log.cs244-24.old'
>
> Additional Information:
>
> Source Context root:system_r:smbd_t
> Target Context root:object_r:samba_log_t
> Target Objects ./log.cs244-24.old [ file ]
> Source smbd
> Source Path /usr/sbin/smbd
> Port <Unknown>
> Host janus.x.y.z
> Source RPM Packages samba-3.0.33-3.7.el5_3.1
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-203.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name samba_share
> Host Name janus.x.y.z
> Platform Linux janus.x.y.z 2.6.18-128.7.1.el5 #1 SMP
> Mon Aug 24 08:21:56 EDT 2009 x86_64 x86_64
> Alert Count 53
> First Seen Fri Sep 25 15:54:24 2009
> Last Seen Tue Sep 29 15:55:25 2009
> Local ID e4426abc-3b0b-4df2-a380-3f0fba344c63
> Line Numbers
>
> Raw Audit Messages
>
> host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied
> { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old"
> dev=sda5
> ino=164076 scontext=root:system_r:smbd_t:s0
> tcontext=root:object_r:samba_log_t:s0 tclass=file
>
> host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641):
> arch=c000003e syscall=82 success=no exit=-13 a0=2b1b457b5220
> a1=7fffa9a7ba90 a2=1f a3=0 items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1675
> comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0
> key=(null)
>
>
> log.cs244-24.old is a file not a directory and it's located in
> the /var/log/samba directory with permissions
> system_u:object_r:samba_log_t samba
>
> Any ideas,
Looks like a valid bug in selinux-policy to me:
# The AVC record must stay on one line, single-quoted so the inner "..." reach audit2allow intact
echo 'avc: denied { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file' | audit2allow -M mysmbd;
/usr/sbin/semodule -i mysmbd.pp
Should grant this particular access vector.
Thanks, I generated a local policy to allow it.
Regards,
Tony
> Tony
>
> --
>
> Dept. of Comp. Sci.
> University of Limerick.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
>
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Dept. of Comp. Sci.
University of Limerick.
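As an added example (my own code, not from the thread and not the sepolgen/audit2allow implementation), here is a small Python check that parses the AVC record quoted above, emits the allow rule an audit2allow -M module would contain for it, and flags that setroubleshoot's "relabel to samba_share_t" advice is the wrong fix for a samba_log_t target; the *_log_t heuristic and the sample line are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the AVC record quoted in the thread, on one line as in the raw log.
SAMPLE_AVC = (
    'host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied '
    '{ unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 '
    'ino=164076 scontext=root:system_r:smbd_t:s0 '
    'tcontext=root:object_r:samba_log_t:s0 tclass=file'
)

# Permission set, source/target security contexts and object class of an AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

@dataclass
class Denial:
    perms: List[str]
    stype: str           # source type, e.g. smbd_t
    ttype: str           # target type, e.g. samba_log_t
    tclass: str          # object class, e.g. file
    name: Optional[str]  # object name if the kernel logged one

def parse_avc(line: str) -> Optional[Denial]:
    """Return the Denial described by an AVC line, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    name = re.search(r'name="([^"]*)"', line)
    # A context is user:role:type[:level]; the type is always the third field.
    return Denial(perms=m['perms'].split(),
                  stype=m['scon'].split(':')[2],
                  ttype=m['tcon'].split(':')[2],
                  tclass=m['tclass'],
                  name=name.group(1) if name else None)

def allow_rule(d: Denial) -> str:
    """The type-enforcement rule audit2allow would emit for this denial."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'allow {d.stype} {d.ttype}:{d.tclass} {perms};'

def relabel_advice_is_wrong(d: Denial) -> bool:
    """True when setroubleshoot's 'chcon -t samba_share_t' advice should be rejected.
    Heuristic (assumed, not from the thread): a target already typed *_log_t is a
    daemon log, not share data, so relabelling it would be the wrong fix."""
    return d.ttype.endswith('_log_t')
```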