F13: SELinux is preventing /usr/sbin/smbd "quotaget" access

Daniel B. Thurman dant at cdkkt.com
Fri Oct 1 15:32:17 UTC 2010


 On 10/01/2010 08:07 AM, Dominick Grift wrote:
> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
>> Below happened 224 times.
>>
>> How can I fix this?
> I do not think samba_share_t is a type usable for filesystems. What are you trying to do and did that type end up on a filesystem object?
>
I think this problem might be related to mount & /etc/fstab:

LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g context=system_u:object_r:samba_share_t:s0,defaults  0 0

As before I was able to do:
LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g context=system_u:object_r:samba_share_t:s0  0 0

Some recent release changed the mount/fstab command/file
such that it would not allow a context-only definition in the mount
options argument in fstab, and this resulted in preventing NTFS filesystems
from being mounted at boot time, spewing out "argument required" errors
for each ntfs mount attempted from the /etc/fstab file.  Adding
',defaults' to the option along with the context argument worked,
except that having the 'defaults' argument also means SELinux
will attempt to verify/enforce SELinux context information within
the NTFS filesystems (which makes no sense), causing AVC denials,
or so I think.

This is probably a bug, IMO.

I would like to know if anyone has already reported this issue
to bugzilla, so that I can remove the ',defaults' entry from
fstab for NTFS mounted filesystems.

>> ===========================================================================
>> Summary:
>>
>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
>>
>> Detailed Description:
>>
>> SELinux denied access requested by smbd. It is not expected that this
>> access is required by smbd and this access may signal an intrusion
>> attempt. It is also possible that the specific version or configuration
>> of the application is causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
>> report.
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:smbd_t:s0
>> Target Context                system_u:object_r:samba_share_t:s0
>> Target Objects                None [ filesystem ]
>> Source                        smbd
>> Source Path                   /usr/sbin/smbd
>> Port                          <Unknown>
>> Host                          (removed)
>> Source RPM Packages           samba-3.5.5-68.fc13
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.7.19-57.fc13
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     (removed)
>> Platform                      Linux host.domain.com 2.6.34.6-54.fc13.i686 #1 SMP
>>                               Sun Sep 5 17:52:31 UTC 2010 i686 i686
>> Alert Count                   224
>> First Seen                    Thu 30 Sep 2010 11:32:04 AM PDT
>> Last Seen                     Thu 30 Sep 2010 09:18:41 PM PDT
>> Local ID                      01035ab1-2396-4e92-9b1e-09645d976534
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
>> denied  { quotaget } for  pid=17451 comm="smbd"
>> scontext=system_u:system_r:smbd_t:s0
>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
>>
>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
>> subj=system_u:system_r:smbd_t:s0 key=(null)
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux

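Added example, not part of the original message or of any SELinux tool: a small Python check that ties an AVC denial on `tclass=filesystem` back to the `/etc/fstab` entry whose `context=` mount option supplied the target label, which is the relationship discussed in this thread. The audit record and the first fstab entry are copied from the post; the second fstab entry is constructed, and the function names are this example's own. It assumes the context is unquoted and contains no comma (no MLS category list).

```python
import re

# AVC record from the post, joined onto one line.
AUDIT_LOG = '''node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc: denied  { quotaget } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
'''
# First entry is from the post; the second is a constructed control entry.
FSTAB = '''LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g context=system_u:object_r:samba_share_t:s0,defaults  0 0
/dev/sda1 / ext4 defaults 1 1
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(log):
    """Return one dict per AVC denial found in the audit text."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            denials.append(d)
    return denials

def context_mounts(fstab):
    """Map each context set with a context= mount option to its mount points."""
    mounts = {}
    for line in fstab.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        for opt in fields[3].split(","):  # assumption: no comma inside the context
            if opt.startswith("context="):
                mounts.setdefault(opt[len("context="):], []).append(fields[1])
    return mounts

def correlate(log, fstab):
    """(comm, perms, mount point) for filesystem-class denials labelled via fstab."""
    mounts = context_mounts(fstab)
    hits = []
    for d in parse_avc(log):
        if d["tclass"] == "filesystem":
            for mount_point in mounts.get(d["tcontext"], []):
                hits.append((d["comm"], tuple(d["perms"]), mount_point))
    return hits

if __name__ == "__main__":
    for comm, perms, mount_point in correlate(AUDIT_LOG, FSTAB):
        print(f"{comm}: denied {','.join(perms)} on filesystem mounted at {mount_point}")
```
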