F13: SELinux is preventing /usr/sbin/smbd "quotaget" access

Daniel J Walsh dwalsh at redhat.com
Fri Oct 1 15:18:40 UTC 2010


On 10/01/2010 11:07 AM, Dominick Grift wrote:
> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
>>
>> Below happened 224 times.
>>
>> How can I fix this?
> 
> I do not think samba_share_t is a type usable for filesystems. What are you trying to do and did that type end up on a filesystem object?
> 
>>
>> ===========================================================================
>> Summary:
>>
>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
>>
>> Detailed Description:
>>
>> SELinux denied access requested by smbd. It is not expected that this
>> access is
>> required by smbd and this access may signal an intrusion attempt. It is also
>> possible that the specific version or configuration of the application is
>> causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
>> report.
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:smbd_t:s0
>> Target Context                system_u:object_r:samba_share_t:s0
>> Target Objects                None [ filesystem ]
>> Source                        smbd
>> Source Path                   /usr/sbin/smbd
>> Port                          <Unknown>
>> Host                          (removed)
>> Source RPM Packages           samba-3.5.5-68.fc13
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.7.19-57.fc13
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     (removed)
>> Platform                      Linux host.domain.com
>> 2.6.34.6-54.fc13.i686 #1 SMP
>>                               Sun Sep 5 17:52:31 UTC 2010 i686 i686
>> Alert Count                   224
>> First Seen                    Thu 30 Sep 2010 11:32:04 AM PDT
>> Last Seen                     Thu 30 Sep 2010 09:18:41 PM PDT
>> Local ID                      01035ab1-2396-4e92-9b1e-09645d976534
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
>> denied  { quotaget } for  pid=17451 comm="smbd"
>> scontext=system_u:system_r:smbd_t:s0
>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
>>
>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
>> subj=system_u:system_r:smbd_t:s0 key=(null)
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
I think he used a mount -o, context=...samba_share_t

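
One way to check the hypothesis in the reply above (an added example, not part of the original thread): the script parses the AVC record from the report and lists the mounts whose context= or fscontext= option carries the denied target type. The mount table is constructed, and its devices and mount points are hypothetical.

```python
import re

# AVC record from the report above, joined onto one line.
AVC = ('node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc: '
       'denied  { quotaget } for  pid=17451 comm="smbd" '
       'scontext=system_u:system_r:smbd_t:s0 '
       'tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem')

# Constructed mount table in /proc/mounts format (devices and paths are hypothetical).
MOUNTS = """\
/dev/sda1 / ext4 rw,seclabel,relatime 0 0
/dev/sdb1 /srv/share ext4 rw,relatime,context=system_u:object_r:samba_share_t:s0 0 0
/dev/sdc1 /srv/mls ext4 rw,context="system_u:object_r:samba_share_t:s0:c1,c2" 0 0
/dev/sdd1 /var/www ext4 rw,context=system_u:object_r:httpd_sys_content_t:s0 0 0
"""

def parse_avc(line):
    """Return perms, scontext, tcontext and tclass of an AVC denial, or None."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)', line)
    if not m:
        return None
    return {'perms': m.group(1).split(), 'scontext': m.group(2),
            'tcontext': m.group(3), 'tclass': m.group(4)}

def se_type(context):
    parts = context.split(':')  # user:role:type[:range]
    return parts[2] if len(parts) >= 3 else None

def context_mounts(mounts_text):
    """Yield (mountpoint, option, context) for context= and fscontext= options."""
    # A context holding commas (MLS categories) is quoted in the options field.
    opt = re.compile(r'(?:^|,)((?:fs)?context)=("[^"]*"|[^,]*)')
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        for name, value in opt.findall(fields[3]):
            yield fields[1], name, value.strip('"')

def mounts_matching_denial(avc_line, mounts_text):
    """Mount points whose context option type equals the denial's target type."""
    avc = parse_avc(avc_line)
    if not avc or avc['tclass'] != 'filesystem':
        return []  # only filesystem-class denials point at a mount label
    wanted = se_type(avc['tcontext'])
    return sorted({mp for mp, _, ctx in context_mounts(mounts_text)
                   if se_type(ctx) == wanted})

if __name__ == '__main__':
    print(mounts_matching_denial(AVC, MOUNTS))
```

On a live system the second argument would be the contents of /proc/mounts.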