Dontaudit rule for $HOME/.ssh and samba

Daniel J Walsh dwalsh at redhat.com
Tue Feb 23 18:06:58 UTC 2010 

On 02/22/2010 07:55 PM, Trevor Hemsley wrote:
> I am sharing my user home directories to other machines on my LAN using
> Samba. I have that all working correctly except for one persistent AVC
> that I keep seeing. Now this AVC is correct in that I really do not want
> my user's .ssh directories read over SMB so I'd quite like to keep that
> as-is. But... I get alerts for this all the time so I'd like to know how
> to add a dontaudit rule for it so that access is denied but I don't get
> told about it. Ideally I'd like to add a generic rule to catch all
> user's not have to add one dontaudit rule per user. Just don't have a
> clue where to start and google was not much use on this so would
> appreciate some help if anyone has done this before?
>
> SELinux is preventing samba (smbd) "getattr" to /home/$user/.ssh
> (sshd_key_t).
>
> Source Context:  system_u:system_r:smbd_t
> Target Context:  user_u:object_r:sshd_key_t
> Target Objects:  /home/$user/.ssh/config [ file ]
> Source:  smbd
> Source Path:  /usr/sbin/smbd
> Port:<Unknown>
> Host:  hostname
> Source RPM Packages:  samba-3.0.33-3.15.el5_4.1
> Target RPM Packages:
> Policy RPM:  selinux-policy-2.4.6-255.el5_4.4
> Selinux Enabled:  True
> Policy Type:  targeted
> MLS Enabled:  True
> Enforcing Mode:  Permissive
> Plugin Name:  samba_share
> Host Name:  hostname
> Platform:  Linux hostname 2.6.32.5 #3 SMP Sun Jan 31 03:27:09 GMT 2010
> x86_64 x86_64
> Alert Count:  1
> First Seen:  Tue 23 Feb 2010 12:44:47 AM GMT
> Last Seen:  Tue 23 Feb 2010 12:44:47 AM GMT
> Local ID:  5d933e81-2ab5-4529-8dce-9e554a59f0e3
> Line Numbers:
>
> Raw Audit Messages :
> host=hostname type=AVC msg=audit(1266885887.400:4313): avc: denied {
> getattr } for pid=16382 comm="smbd" path="/home/$user/.ssh/config"
> dev=dm-4 ino=10453601 scontext=system_u:system_r:smbd_t:s0
> tcontext=user_u:object_r:sshd_key_t:s0 tclass=file
>
> host=hostname type=SYSCALL msg=audit(1266885887.400:4313): arch=c000003e
> syscall=4 success=yes exit=0 a0=7fff2dc9f270 a1=7fff2dc9e9a0
> a2=7fff2dc9e9a0 a3=7fff2dc9ee70 items=0 ppid=4352 pid=16382
> auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0
> fsgid=500 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
> subj=system_u:system_r:smbd_t:s0 key=(null)
>
>    


# cat > mysmbd.te << _EOF
policy_module(mysmbd, 1.0)

require {
         type smbd_t;
         type sshd_key_t;
}

dontaudit smbd_t sshd_key_t:file getattr;
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mysmbd.pp

More information about the selinux mailing list