Dontaudit rule for $HOME/.ssh and samba
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 23 18:06:58 UTC 2010
On 02/22/2010 07:55 PM, Trevor Hemsley wrote:
> I am sharing my user home directories to other machines on my LAN using
> Samba. I have that all working correctly except for one persistent AVC
> that I keep seeing. Now this AVC is correct in that I really do not want
> my user's .ssh directories read over SMB so I'd quite like to keep that
> as-is. But... I get alerts for this all the time so I'd like to know how
> to add a dontaudit rule for it so that access is denied but I don't get
> told about it. Ideally I'd like to add a generic rule to catch all
> user's not have to add one dontaudit rule per user. Just don't have a
> clue where to start and google was not much use on this so would
> appreciate some help if anyone has done this before?
>
> SELinux is preventing samba (smbd) "getattr" to /home/$user/.ssh
> (sshd_key_t).
>
> Source Context: system_u:system_r:smbd_t
> Target Context: user_u:object_r:sshd_key_t
> Target Objects: /home/$user/.ssh/config [ file ]
> Source: smbd
> Source Path: /usr/sbin/smbd
> Port:<Unknown>
> Host: hostname
> Source RPM Packages: samba-3.0.33-3.15.el5_4.1
> Target RPM Packages:
> Policy RPM: selinux-policy-2.4.6-255.el5_4.4
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Permissive
> Plugin Name: samba_share
> Host Name: hostname
> Platform: Linux hostname 2.6.32.5 #3 SMP Sun Jan 31 03:27:09 GMT 2010
> x86_64 x86_64
> Alert Count: 1
> First Seen: Tue 23 Feb 2010 12:44:47 AM GMT
> Last Seen: Tue 23 Feb 2010 12:44:47 AM GMT
> Local ID: 5d933e81-2ab5-4529-8dce-9e554a59f0e3
> Line Numbers:
>
> Raw Audit Messages :
> host=hostname type=AVC msg=audit(1266885887.400:4313): avc: denied {
> getattr } for pid=16382 comm="smbd" path="/home/$user/.ssh/config"
> dev=dm-4 ino=10453601 scontext=system_u:system_r:smbd_t:s0
> tcontext=user_u:object_r:sshd_key_t:s0 tclass=file
>
> host=hostname type=SYSCALL msg=audit(1266885887.400:4313): arch=c000003e
> syscall=4 success=yes exit=0 a0=7fff2dc9f270 a1=7fff2dc9e9a0
> a2=7fff2dc9e9a0 a3=7fff2dc9ee70 items=0 ppid=4352 pid=16382
> auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0
> fsgid=500 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
> subj=system_u:system_r:smbd_t:s0 key=(null)
>
>
# cat > mysmbd.te << _EOF
policy_module(mysmbd, 1.0)
require {
type smbd_t;
type sshd_key_t;
}
dontaudit smbd_t sshd_key_t:file getattr;
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mysmbd.pp
More information about the selinux
mailing list