Below happened 224 times. How can I fix this?

=========================================================================== Summary: SELinux is preventing /usr/sbin/smbd "quotaget" access . Detailed Description: SELinux denied access requested by smbd. It is not expected that this access is required by smbd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:smbd_t:s0 Target Context system_u:object_r:samba_share_t:s0 Target Objects None [ filesystem ] Source smbd Source Path /usr/sbin/smbd Port <Unknown> Host (removed) Source RPM Packages samba-3.5.5-68.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-57.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux host.domain.com 2.6.34.6-54.fc13.i686 #1 SMP Sun Sep 5 17:52:31 UTC 2010 i686 i686 Alert Count 224 First Seen Thu 30 Sep 2010 11:32:04 AM PDT Last Seen Thu 30 Sep 2010 09:18:41 PM PDT Local ID 01035ab1-2396-4e92-9b1e-09645d976534 Line Numbers Raw Audit Messages node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc: denied { quotaget } for pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672): arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200 a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0 gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) -- selinux mailing list selinux(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux

On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote: > Below happened 224 times. > > How can I fix this? I do not think samba_share_t is a type usable for filesystems. What are you trying to do and did that type end up on a filesystem object?

> =========================================================================== > Summary: > > SELinux is preventing /usr/sbin/smbd "quotaget" access . > > Detailed Description: > > SELinux denied access requested by smbd. It is not expected that this > access is > required by smbd and this access may signal an intrusion attempt. It is also > possible that the specific version or configuration of the application is > causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug > report. > > Additional Information: > > Source Context system_u:system_r:smbd_t:s0 > Target Context system_u:object_r:samba_share_t:s0 > Target Objects None [ filesystem ] > Source smbd > Source Path /usr/sbin/smbd > Port <Unknown> > Host (removed) > Source RPM Packages samba-3.5.5-68.fc13 > Target RPM Packages > Policy RPM selinux-policy-3.7.19-57.fc13 > Selinux Enabled True > Policy Type targeted > Enforcing Mode Enforcing > Plugin Name catchall > Host Name (removed) > Platform Linux host.domain.com > 2.6.34.6-54.fc13.i686 #1 SMP > Sun Sep 5 17:52:31 UTC 2010 i686 i686 > Alert Count 224 > First Seen Thu 30 Sep 2010 11:32:04 AM PDT > Last Seen Thu 30 Sep 2010 09:18:41 PM PDT > Local ID 01035ab1-2396-4e92-9b1e-09645d976534 > Line Numbers > > Raw Audit Messages > > node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc: > denied { quotaget } for pid=17451 comm="smbd" > scontext=system_u:system_r:smbd_t:s0 > tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem > > node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672): > arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200 > a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0 > gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) > ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" > subj=system_u:system_r:smbd_t:s0 key=(null) > > > -- > selinux mailing list > selinux(a)lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux > > > -- > selinux mailing list > selinux(a)lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux

On 10/01/2010 11:32 AM, Daniel B. Thurman wrote: > On 10/01/2010 08:07 AM, Dominick Grift wrote: >> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote: >>> Below happened 224 times. >>> >>> How can I fix this? >> I do not think samba_share_t is a type usable for filesystems. What are you trying to do and did that type end up on a filesystem object? >> > I think this problem might be related to mount & /etc/fstab: > LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g > context=system_u:object_r:samba_share_t:s0,defaults 0 0 > As before I was able to do: > LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g > context=system_u:object_r:samba_share_t:s0 0 0 > Some recent release changed in the mount/fstab command/file > such that it would not allow context only definition in the mount > options argument in fstab and resulted preventing ntfs filesystems > to be mounted at boot time, spewing out "argument required" errors > for each ntfs mount attempted from the /etc/fstab file. Adding > ',defaults' to the option along with the context argument worked, > except that having the 'defaults' argument also means SELinux > will attempt to verify/enforce SELinux context information within > the NTFS filesystems (which makes no sense), causing AVC denials, > or so I think. > This is probably a bug, IMO. > I would like to know if anyone has already reported this issue > to bugzilla, so that I can remove the ',defaults' entry from > fstab for NTFS mounted filesystems. >>> =========================================================================== >>> Summary: >>> >>> SELinux is preventing /usr/sbin/smbd "quotaget" access . >>> >>> Detailed Description: >>> >>> SELinux denied access requested by smbd. It is not expected that this >>> access is >>> required by smbd and this access may signal an intrusion attempt. It is also >>> possible that the specific version or configuration of the application is >>> causing it to require additional access. >>> >>> Allowing Access: >>> >>> You can generate a local policy module to allow this access - see FAQ >>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug >>> report. >>> >>> Additional Information: >>> >>> Source Context system_u:system_r:smbd_t:s0 >>> Target Context system_u:object_r:samba_share_t:s0 >>> Target Objects None [ filesystem ] >>> Source smbd >>> Source Path /usr/sbin/smbd >>> Port <Unknown> >>> Host (removed) >>> Source RPM Packages samba-3.5.5-68.fc13 >>> Target RPM Packages >>> Policy RPM selinux-policy-3.7.19-57.fc13 >>> Selinux Enabled True >>> Policy Type targeted >>> Enforcing Mode Enforcing >>> Plugin Name catchall >>> Host Name (removed) >>> Platform Linux host.domain.com >>> 2.6.34.6-54.fc13.i686 #1 SMP >>> Sun Sep 5 17:52:31 UTC 2010 i686 i686 >>> Alert Count 224 >>> First Seen Thu 30 Sep 2010 11:32:04 AM PDT >>> Last Seen Thu 30 Sep 2010 09:18:41 PM PDT >>> Local ID 01035ab1-2396-4e92-9b1e-09645d976534 >>> Line Numbers >>> >>> Raw Audit Messages >>> >>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc: >>> denied { quotaget } for pid=17451 comm="smbd" >>> scontext=system_u:system_r:smbd_t:s0 >>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem >>> >>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672): >>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200 >>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0 >>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) >>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" >>> subj=system_u:system_r:smbd_t:s0 key=(null) >>> >>> >>> -- >>> selinux mailing list >>> selinux(a)lists.fedoraproject.org >>> https://admin.fedoraproject.org/mailman/listinfo/selinux >>> >>> >>> -- >>> selinux mailing list >>> selinux(a)lists.fedoraproject.org >>> https://admin.fedoraproject.org/mailman/listinfo/selinux > -- > selinux mailing list > selinux(a)lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux Yes this is samba checking to see if quota is being enforced on the filesystem, And it should be allowed. Miroslav can you add allow smbd_t samba_share_t:filesystem { getattr quotaget }; To F13 policy. Daniel, for now you can add this rule using audit2allow.

On 10/01/2010 11:41 AM, Daniel B. Thurman wrote: > On 10/01/2010 08:38 AM, Daniel J Walsh wrote: >> On 10/01/2010 11:32 AM, Daniel B. Thurman wrote: >>> On 10/01/2010 08:07 AM, Dominick Grift wrote: >>>> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote: >>>>> Below happened 224 times. >>>>> >>>>> How can I fix this? >>>> I do not think samba_share_t is a type usable for filesystems. What >> are you trying to do and did that type end up on a filesystem object? >>>> >>> I think this problem might be related to mount & /etc/fstab: >> >>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g >>> context=system_u:object_r:samba_share_t:s0,defaults 0 0 >> >>> As before I was able to do: >>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g >>> context=system_u:object_r:samba_share_t:s0 0 0 >> >>> Some recent release changed in the mount/fstab command/file >>> such that it would not allow context only definition in the mount >>> options argument in fstab and resulted preventing ntfs filesystems >>> to be mounted at boot time, spewing out "argument required" errors >>> for each ntfs mount attempted from the /etc/fstab file. Adding >>> ',defaults' to the option along with the context argument worked, >>> except that having the 'defaults' argument also means SELinux >>> will attempt to verify/enforce SELinux context information within >>> the NTFS filesystems (which makes no sense), causing AVC denials, >>> or so I think. >> >>> This is probably a bug, IMO. >> >>> I would like to know if anyone has already reported this issue >>> to bugzilla, so that I can remove the ',defaults' entry from >>> fstab for NTFS mounted filesystems. >> >>>>> >> =========================================================================== >>>>> Summary: >>>>> >>>>> SELinux is preventing /usr/sbin/smbd "quotaget" access . >>>>> >>>>> Detailed Description: >>>>> >>>>> SELinux denied access requested by smbd. It is not expected that this >>>>> access is >>>>> required by smbd and this access may signal an intrusion attempt. >> It is also >>>>> possible that the specific version or configuration of the >> application is >>>>> causing it to require additional access. >>>>> >>>>> Allowing Access: >>>>> >>>>> You can generate a local policy module to allow this access - see FAQ >>>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please >> file a bug >>>>> report. >>>>> >>>>> Additional Information: >>>>> >>>>> Source Context system_u:system_r:smbd_t:s0 >>>>> Target Context system_u:object_r:samba_share_t:s0 >>>>> Target Objects None [ filesystem ] >>>>> Source smbd >>>>> Source Path /usr/sbin/smbd >>>>> Port <Unknown> >>>>> Host (removed) >>>>> Source RPM Packages samba-3.5.5-68.fc13 >>>>> Target RPM Packages >>>>> Policy RPM selinux-policy-3.7.19-57.fc13 >>>>> Selinux Enabled True >>>>> Policy Type targeted >>>>> Enforcing Mode Enforcing >>>>> Plugin Name catchall >>>>> Host Name (removed) >>>>> Platform Linux host.domain.com >>>>> 2.6.34.6-54.fc13.i686 #1 SMP >>>>> Sun Sep 5 17:52:31 UTC 2010 i686 i686 >>>>> Alert Count 224 >>>>> First Seen Thu 30 Sep 2010 11:32:04 AM PDT >>>>> Last Seen Thu 30 Sep 2010 09:18:41 PM PDT >>>>> Local ID 01035ab1-2396-4e92-9b1e-09645d976534 >>>>> Line Numbers >>>>> >>>>> Raw Audit Messages >>>>> >>>>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc: >>>>> denied { quotaget } for pid=17451 comm="smbd" >>>>> scontext=system_u:system_r:smbd_t:s0 >>>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem >>>>> >>>>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672): >>>>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200 >>>>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0 >>>>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 >> tty=(none) >>>>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" >>>>> subj=system_u:system_r:smbd_t:s0 key=(null) >>>>> >>>>> >>>>> -- >>>>> selinux mailing list >>>>> selinux(a)lists.fedoraproject.org >>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux >>>>> >>>>> >>>>> -- >>>>> selinux mailing list >>>>> selinux(a)lists.fedoraproject.org >>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux >> >> >> >> >>> -- >>> selinux mailing list >>> selinux(a)lists.fedoraproject.org >>> https://admin.fedoraproject.org/mailman/listinfo/selinux >> >> Yes this is samba checking to see if quota is being enforced on the >> filesystem, And it should be allowed. >> >> >> Miroslav can you add >> >> allow smbd_t samba_share_t:filesystem { getattr quotaget }; >> >> To F13 policy. >> >> Daniel, for now you can add this rule using audit2allow. >> > I apologize as I have a very short memory, Details please? > Can you give me a link that I can bookmark so that I can > refer to the instructions instead of asking you for instructions > every time? ;) > Thanks! > Dan > -- > selinux mailing list > selinux(a)lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux I am working on a new version of setroubleshoot which will print a message like. sealert -a /tmp/t 100% donefound 1 alerts in /tmp/t - -------------------------------------------------------------------------------- SELinux is preventing smbd from quotaget access on the filesystem port None. Plugin catchall (100% confidence) suggests: If you want to allow smbd to have quotaget access on the port None filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep smbd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:smbd_t:s0 Target Context system_u:object_r:samba_share_t:s0 Target Objects port None [ filesystem ] Source smbd Source Path smbd Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.9.5-7.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.36-0.28.rc6.git0.fc15.x86_64 #1 SMP Wed Sep 29 01:47:32 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Fri Oct 1 00:18:41 2010 Last Seen Fri Oct 1 00:18:41 2010 Local ID e823b86e-f5a3-4b4f-b8fd-021400546def Raw Audit Messages type=AVC msg=audit(1285906721.444:102672): avc: denied { quotaget } for pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem node=host.domain.com smbd,smbd_t,samba_share_t,filesystem,quotaget #============= smbd_t ============== allow smbd_t samba_share_t:filesystem quotaget; Needs some work, but you get the idea.