On 10/01/2010 11:41 AM, Daniel B. Thurman wrote:
> On 10/01/2010 08:38 AM, Daniel J Walsh wrote:
>> On 10/01/2010 11:32 AM, Daniel B. Thurman wrote:
>>> On 10/01/2010 08:07 AM, Dominick Grift wrote:
>>>> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
>>>>> Below happened 224 times.
>>>>>
>>>>> How can I fix this?
>>>> I do not think samba_share_t is a type usable for filesystems. What
>>>> are you trying to do and did that type end up on a filesystem object?
>>>>
>>> I think this problem might be related to mount & /etc/fstab:
>>
>>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g context=system_u:object_r:samba_share_t:s0,defaults 0 0
>>
>>> As before I was able to do:
>>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g context=system_u:object_r:samba_share_t:s0 0 0
>>
>>> Some recent release changed the mount/fstab command/file
>>> such that it would not allow a context-only definition in the mount
>>> options argument in fstab, which prevented NTFS filesystems
>>> from being mounted at boot time, spewing out "argument required" errors
>>> for each ntfs mount attempted from the /etc/fstab file. Adding
>>> ',defaults' to the option along with the context argument worked,
>>> except that having the 'defaults' argument also means SELinux
>>> will attempt to verify/enforce SELinux context information within
>>> the NTFS filesystems (which makes no sense), causing AVC denials,
>>> or so I think.
>>
>>> This is probably a bug, IMO.
>>
>>> I would like to know if anyone has already reported this issue
>>> to bugzilla, so that I can remove the ',defaults' entry from
>>> fstab for NTFS mounted filesystems.
>>
>>>>>
>>
===========================================================================
>>>>> Summary:
>>>>>
>>>>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
>>>>>
>>>>> Detailed Description:
>>>>>
>>>>> SELinux denied access requested by smbd. It is not expected that this
>>>>> access is required by smbd and this access may signal an intrusion
>>>>> attempt. It is also possible that the specific version or configuration
>>>>> of the application is causing it to require additional access.
>>>>>
>>>>> Allowing Access:
>>>>>
>>>>> You can generate a local policy module to allow this access - see FAQ
>>>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file
>>>>> a bug report.
>>>>>
>>>>> Additional Information:
>>>>>
>>>>> Source Context system_u:system_r:smbd_t:s0
>>>>> Target Context system_u:object_r:samba_share_t:s0
>>>>> Target Objects None [ filesystem ]
>>>>> Source smbd
>>>>> Source Path /usr/sbin/smbd
>>>>> Port <Unknown>
>>>>> Host (removed)
>>>>> Source RPM Packages samba-3.5.5-68.fc13
>>>>> Target RPM Packages
>>>>> Policy RPM selinux-policy-3.7.19-57.fc13
>>>>> Selinux Enabled True
>>>>> Policy Type targeted
>>>>> Enforcing Mode Enforcing
>>>>> Plugin Name catchall
>>>>> Host Name (removed)
>>>>> Platform Linux host.domain.com 2.6.34.6-54.fc13.i686 #1 SMP
>>>>> Sun Sep 5 17:52:31 UTC 2010 i686 i686
>>>>> Alert Count 224
>>>>> First Seen Thu 30 Sep 2010 11:32:04 AM PDT
>>>>> Last Seen Thu 30 Sep 2010 09:18:41 PM PDT
>>>>> Local ID 01035ab1-2396-4e92-9b1e-09645d976534
>>>>> Line Numbers
>>>>>
>>>>> Raw Audit Messages
>>>>>
>>>>>
>>>>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
>>>>> denied { quotaget } for pid=17451 comm="smbd"
>>>>> scontext=system_u:system_r:smbd_t:s0
>>>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
>>>>>
>>>>>
>>>>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
>>>>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
>>>>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
>>>>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
>>>>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
>>>>> subj=system_u:system_r:smbd_t:s0 key=(null)
>>>>>
>>>>>
>>>>> --
>>>>> selinux mailing list
>>>>> selinux(a)lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> Yes, this is samba checking to see if quota is being enforced on the
>> filesystem, and it should be allowed.
>>
>>
>> Miroslav, can you add
>>
>> allow smbd_t samba_share_t:filesystem { getattr quotaget };
>>
>> to F13 policy?
>>
>> Daniel, for now you can add this rule using audit2allow.
>>
> I apologize as I have a very short memory, Details please?
> Can you give me a link that I can bookmark so that I can
> refer to the instructions instead of asking you for instructions
> every time? ;)
> Thanks!
> Dan
I am working on a new version of setroubleshoot which will print a
message like:
sealert -a /tmp/t
100% donefound 1 alerts in /tmp/t
---------------------------------------------------------------------------------
SELinux is preventing smbd from quotaget access on the filesystem port None.
Plugin catchall (100% confidence) suggests:
If you want to allow smbd to have quotaget access on the port None filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:smbd_t:s0
Target Context system_u:object_r:samba_share_t:s0
Target Objects port None [ filesystem ]
Source smbd
Source Path smbd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.5-7.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.36-0.28.rc6.git0.fc15.x86_64 #1 SMP Wed Sep 29 01:47:32 UTC 2010 x86_64 x86_64
Alert Count 1
First Seen Fri Oct 1 00:18:41 2010
Last Seen Fri Oct 1 00:18:41 2010
Local ID e823b86e-f5a3-4b4f-b8fd-021400546def
Raw Audit Messages
type=AVC msg=audit(1285906721.444:102672): avc: denied { quotaget } for pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem node=host.domain.com
smbd,smbd_t,samba_share_t,filesystem,quotaget
#============= smbd_t ==============
allow smbd_t samba_share_t:filesystem quotaget;
Needs some work, but you get the idea.
Whoa!
I discovered that I can now remove the ',defaults' entry from the
NTFS mount filesystems in /etc/fstab! Seems this has been fixed
somewhere in the recent updates!
I have tested this out and it works, so no more option 'Argument required'
error reports at boot time, and it does not seem to need a ',defaults' entry
in the options line, and it works using the /bin/mount command!
But I tested this AFTER I did the smbd policy steps as given above,
so I hope this change is not related and is independent. Well, whatever,
it works, so I am happy.
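As an added example (not code from this thread, nor from setroubleshoot or audit2allow itself): a small Python script that does what the `audit2allow -M mypol` step above does, turning AVC records into the `require` block and `allow` rule of mypol.te, so the rule can be read and judged before `semodule -i mypol.pp` loads it. The sample log is constructed from the thread's AVC record, its SYSCALL record (which must be skipped) and a second constructed getattr denial matching the rule proposed for the F13 policy.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the thread, its SYSCALL record (to be
# ignored) and a second constructed denial so that grouping has two perms to merge.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1285906721.444:102672): avc: denied { quotaget } for pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1285906721.444:102672): arch=40000003 syscall=131 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1285906722.001:102673): avc: denied { getattr } for pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
"""

def parse_avc(line):
    """Return (source type, target type, class, perms) for one AVC denial, else None."""
    perms = re.search(r"type=AVC .*denied\s+\{\s*([^}]*?)\s*\}", line)
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if not perms or not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type:level, so the type is the third field.
    stype, ttype = (fields[k].split(":")[2] for k in ("scontext", "tcontext"))
    return stype, ttype, fields["tclass"], set(perms.group(1).split())

def collect_rules(audit_text):
    """Merge denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def perm_set(perms):
    # TE syntax: one permission bare, several inside braces.
    return next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"

def render_te(module_name, rules):
    """Render a .te source in the layout that audit2allow -M writes to <module>.te."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass] |= perms
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {perm_set(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out += [f"#============= {stype} ==============",
                f"allow {stype} {ttype}:{tclass} {perm_set(perms)};"]
    return "\n".join(out) + "\n"
```

`print(render_te("mypol", collect_rules(SAMPLE_AUDIT_LOG)))` shows the module source; a real run would feed `grep smbd /var/log/audit/audit.log` into `collect_rules` instead of the constructed sample.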