Thanks Paul. Your observation that the problem is the ~/.spamassassin
directory is very enlightening.
Nonetheless - I imagine that in enforcing mode - I will get lots of
errors - and possibly samba delays - so it probably still needs fixing.
Can you suggest why I might have this problem - and how best to fix it?
Richard.
Paul Howarth wrote:
Richard Chapman wrote:
> I am running SElinux in permissive mode. I want to allow samba access
> to user home directories.
> At setroubleshooters suggestion (see below) - I did the following at
> a shell prompt:
>
> setsebool -P samba_enable_home_dirs=1
>
> This seemed to solve the problem. But after a reboot the denials are
> back. I assume the boolean is not carried across a reboot.
>
> If my assumption is correct - where is the recommended place to put the:
>
> setsebool -P samba_enable_home_dirs=1
>
> command?
> Should I create a local policy module and put it there - or is there
> some other recommended place? If anyone can point me to a recommended
> procedure ...
>
> Thanks
>
> Richard.
You've done what you needed to do already - the -P option makes the
boolean persist across reboots.
> Summary:
>
> SELinux is preventing the samba daemon from reading users' home
> directories.
This summary is actually slightly misleading in this case.
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied
> but was
> permitted due to permissive mode.]
>
> SELinux has denied the samba daemon access to users' home
> directories. Someone
> is attempting to access your home directories via your samba daemon.
> If you only
> setup samba to share non-home directories, this probably signals a
> intrusion
> attempt. For more information on SELinux integration with samba, look
> at the
> samba_selinux man page. (man samba_selinux)
>
> Allowing Access:
>
> If you want samba to share home directories you need to turn on the
> samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
>
> The following command will allow this access:
>
> setsebool -P samba_enable_home_dirs=1
>
> Additional Information:
>
> Source Context system_u:system_r:smbd_t
> Target Context user_u:object_r:spamassassin_home_t
> Target Objects ./.spamassassin [ dir ]
> Source smbd
> Source Path /usr/sbin/smbd
> Port <Unknown>
> Host C5.aardvark.com.au
> Source RPM Packages samba-3.0.28-1.el5_2.1
> Target RPM Packages Policy RPM
> selinux-policy-2.4.6-203.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name samba_enable_home_dirs
> Host Name C5.aardvark.com.au
> Platform Linux C5.aardvark.com.au
> 2.6.18-92.1.22.el5 #1 SMP
> Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count 2
> First Seen Tue 13 Jan 2009 10:59:19 PM WST
> Last Seen Tue 13 Jan 2009 10:59:23 PM WST
> Local ID 70f6525d-ce9d-40a4-a558-c3db06781ae9
> Line Numbers Raw Audit Messages
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
> avc: denied { search } for pid=8841 comm="smbd"
> name=".spamassassin" dev=dm-0 ino=26155019
> scontext=system_u:system_r:smbd_t:s0
> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
> avc: denied { search } for pid=8841 comm="smbd"
> name=".spamassassin" dev=dm-0 ino=26155019
> scontext=system_u:system_r:smbd_t:s0
> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
> avc: denied { getattr } for pid=8841 comm="smbd"
> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624):
> avc: denied { getattr } for pid=8841 comm="smbd"
> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624):
> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0
> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510
> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501
> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd"
> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
>
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624):
> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0
> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510
> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501
> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd"
> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
These denials are all for the ~/.spamassassin directory and its
contents, not the home directory in general. Browsing the majority of
the home directory would work just fine in enforcing mode.
Paul.
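Added example, not part of this thread: a small POSIX shell script that groups AVC denials like the ones quoted above by source type, target type, permission and object class, so it is obvious at a glance that every denial targets spamassassin_home_t rather than a general home-directory type. The sample audit lines are constructed from the quoted messages (condensed; the SYSCALL line is there only to show it is skipped) and the function names summarize_avc / all_targets_are are my own.

```shell
#!/bin/sh
# Constructed sample, condensed from the setroubleshoot output quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1231855163.997:6624): avc:  denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1231855163.997:6624): avc:  denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1231855163.997:6624): avc:  denied  { getattr } for  pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
type=AVC msg=audit(1231855163.997:6624): avc:  denied  { getattr } for  pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1231855163.997:6624): arch=c000003e syscall=4 success=yes exit=0 pid=8841 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0'

# summarize_avc: read audit lines on stdin, print one line per distinct denial:
#   <count> <source type> <target type> <permission> <object class>
# Only "type=AVC ... avc: denied" records are counted; SYSCALL records are ignored.
summarize_avc() {
  awk '
    /type=AVC/ && /avc: +denied/ {
      perm = ""; st = ""; tt = ""; tc = ""
      # permission set sits between "denied { " and " }"
      if (match($0, /denied +\{ [^}]* \}/)) {
        perm = substr($0, RSTART, RLENGTH)
        sub(/^denied +\{ /, "", perm); sub(/ \}$/, "", perm)
      }
      for (i = 1; i <= NF; i++) {
        # contexts look like user:role:type:level; the type is the third field
        if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
        if ($i ~ /^tclass=/)   { tc = substr($i, 8) }
      }
      cnt[st " " tt " " perm " " tc]++
    }
    END { for (k in cnt) print cnt[k], k }
  ' | sort
}

# all_targets_are TYPE: exit 0 when every AVC denial on stdin has target type TYPE.
all_targets_are() {
  awk -v want="$1" '
    /type=AVC/ && /avc: +denied/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^tcontext=/) { split($i, a, ":"); if (a[3] != want) bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

printf '%s\n' "$AVC_SAMPLE" | summarize_avc
if printf '%s\n' "$AVC_SAMPLE" | all_targets_are spamassassin_home_t; then
  echo "all denials target spamassassin_home_t only"
fi
```

On a live system the same functions can be fed with `ausearch -m avc --raw` output instead of the constructed sample.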