This denial is preventing access to a filesystem I have shared via
samba. Whenever a system connects to the samba share the denial
occurs several times, and the share is empty when viewed from the
client. My home dir can be shared fine through samba but not
/media/archive (see below).
Filesystem is mounted by:
LABEL=archive /media/archive vfat auto,rw,async,users,group,nosuid,noexec,shortname=lower,fmask=0013,dmask=0002,gid=555 0 0
ls -alFshnZ
drwxrwxr-x 0 555 system_u:object_r:dosfs_t:s0 archive/
I have already setsebool -P samba_export_all_ro=1 and verified it is
set in system-config-selinux. It seems not to have any effect here.
I set (true):
samba_export_all_ro, samba_export_all_rw, samba_export_fusefs
I set (false):
samba_enable_home_dirs, use_samba_home_dirs, samba_run_unconfined
With those settings... my home dir is shared and accessible via samba,
but the ro share is not. What is going on here?
SELinux is preventing the samba daemon from serving r/o local files to remote
clients.
Detailed Description:
SELinux has preventing the samba daemon (smbd) from reading files on the local
system. If you have not exported these file systems, this could signals an
intrusion.
Allowing Access:
If you want to export file systems using samba you need to turn on the
samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".
Fix Command:
setsebool -P samba_export_all_ro=1
Additional Information:
Source Context unconfined_u:system_r:smbd_t:s0
Target Context system_u:object_r:dosfs_t:s0
Target Objects / [ dir ]
Source smbd
Source Path /usr/sbin/smbd
Port <Unknown>
Host cirithungol
Source RPM Packages samba-3.2.0-1.pre2.8.fc9
Target RPM Packages filesystem-2.4.12-1.fc9
Policy RPM selinux-policy-3.3.1-26.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name samba_export_all_ro
Host Name cirithungol
Platform Linux cirithungol 2.6.25-0.172.rc7.git4.fc9.i686
#1 SMP Fri Mar 28 21:46:59 EDT 2008 i686 i686
Alert Count 40
First Seen Mon 31 Mar 2008 11:18:08 PM PDT
Last Seen Tue 01 Apr 2008 02:30:29 PM PDT
Local ID 431fbfb7-e677-45d9-98b9-0a23ea0ab572
Line Numbers
Raw Audit Messages
host=cirithungol type=AVC msg=audit(1207085429.4:3307): avc: denied { read } for pid=10886 comm="smbd" name="/" dev=sdc3 ino=1 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
host=cirithungol type=SYSCALL msg=audit(1207085429.4:3307): arch=40000003 syscall=5 success=no exit=-13 a0=b9157d60 a1=98800 a2=2f a3=b9157d10 items=0 ppid=6064 pid=10886 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
--
Andrew Farris <lordmorgul(a)gmail.com>
www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29
revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture. - Daniel Geer
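The raw audit messages in the report above carry everything a triager needs, but spread over an AVC record and a SYSCALL record that only share an event id. The following is an added example (not code from the poster, from setroubleshoot or from the samba project) that pairs the two records and reduces them to the fields worth checking first: the source domain, the permission and object class denied, the target type, the failing syscall and errno, and the uid the process ran as. The sample input is the two audit lines from the post, joined into single lines; the arch and syscall tables are assumed to be the standard AUDIT_ARCH values and i386 syscall numbers.

```python
"""Pair SELinux AVC and SYSCALL audit records and reduce them to triage fields."""
import errno
import re

# Sample input: the two raw audit lines from the post above, each joined into one line.
SAMPLE_AUDIT = (
    'host=cirithungol type=AVC msg=audit(1207085429.4:3307): avc: denied '
    '{ read } for pid=10886 comm="smbd" name="/" dev=sdc3 ino=1 '
    'scontext=unconfined_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:dosfs_t:s0 tclass=dir\n'
    'host=cirithungol type=SYSCALL msg=audit(1207085429.4:3307): '
    'arch=40000003 syscall=5 success=no exit=-13 a0=b9157d60 a1=98800 a2=2f '
    'a3=b9157d10 items=0 ppid=6064 pid=10886 auid=500 uid=500 gid=0 '
    'euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=1 '
    'comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 '
    'key=(null)\n'
)

# key=value tokens: quoted, parenthesised (tty=(none)) or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
PERM_RE = re.compile(r'denied\s*\{\s*([^}]*?)\s*\}')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

# Assumed tables: AUDIT_ARCH_I386 / AUDIT_ARCH_X86_64, and the i386 syscall
# numbers needed here (5 is open(2) on i386).
ARCH_NAMES = {"40000003": "i386", "c000003e": "x86_64"}
I386_SYSCALLS = {3: "read", 4: "write", 5: "open"}


def parse_record(line):
    """Tokenise one audit line into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev = EVENT_RE.search(line)
    if ev:
        fields["timestamp"], fields["event_id"] = ev.groups()
    perm = PERM_RE.search(line)
    if perm:
        fields["perms"] = perm.group(1).split()
    return fields


def type_of(context):
    """user:role:type[:level] -> type component."""
    return context.split(":")[2]


def errno_name(exit_field):
    """Raw records carry exit=-13; ausearch -i would already say EACCES."""
    try:
        code = int(exit_field)
    except ValueError:
        return exit_field
    return errno.errorcode.get(-code, str(code)) if code < 0 else str(code)


def group_events(text):
    """Group records by audit event id so the AVC and SYSCALL lines pair up."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec.get("event_id"), []).append(rec)
    return events


def summarize(records):
    """Reduce one event (AVC plus optional SYSCALL record) to triage fields."""
    avc = next(r for r in records if r.get("type") == "AVC")
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    summary = {
        "event_id": avc.get("event_id"),
        "comm": avc.get("comm"),
        "source_type": type_of(avc["scontext"]),
        "target_type": type_of(avc["tcontext"]),
        "tclass": avc["tclass"],
        "perms": avc.get("perms", []),
        "path": avc.get("name"),
        "dev": avc.get("dev"),
        # name="/" on a mounted device is that filesystem's root directory,
        # i.e. the share root itself, not a file inside it
        "is_fs_root": avc.get("name") == "/",
    }
    if syscall is not None:
        arch = ARCH_NAMES.get(syscall["arch"], syscall["arch"])
        num = int(syscall["syscall"])
        summary.update({
            "arch": arch,
            "syscall": I386_SYSCALLS.get(num, str(num)) if arch == "i386" else str(num),
            "errno": errno_name(syscall["exit"]),
            "uid": int(syscall["uid"]),
            "euid": int(syscall["euid"]),
            "exe": syscall.get("exe"),
        })
    return summary


def triage(text):
    """One summary per audit event found in text."""
    return [summarize(recs) for recs in group_events(text).values()]


def describe(summary):
    """One-line, human-readable form for a ticket or incident note."""
    fields = dict(summary, perms="/".join(summary["perms"]))
    line = ("{comm} ({source_type}) denied {perms} on {tclass} {path!r} "
            "of type {target_type}").format(**fields)
    if "errno" in summary:
        line += ("; {syscall}() on {arch} failed with {errno}, "
                 "process uid {uid} euid {euid}").format(**fields)
    if summary["is_fs_root"]:
        line += "; object is the filesystem root, so the whole share is affected"
    return line


if __name__ == "__main__":
    for s in triage(SAMPLE_AUDIT):
        print(describe(s))
```

Run against the post's records this yields one event: smbd in smbd_t denied read on a dir of type dosfs_t at the filesystem root, open() returning EACCES, with uid and euid both 500. Seeing the target type and the object (the share root rather than a file beneath it) in one line is what lets you check whether the boolean you set actually covers that type, instead of re-reading the wrapped raw messages each time the alert fires.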