F13: SELinux is preventing /usr/sbin/smbd "quotaget" access

Daniel B. Thurman dant at cdkkt.com
Fri Oct 1 15:41:56 UTC 2010


 On 10/01/2010 08:38 AM, Daniel J Walsh wrote:
> On 10/01/2010 11:32 AM, Daniel B. Thurman wrote:
> >  On 10/01/2010 08:07 AM, Dominick Grift wrote:
> >> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
> >>> Below happened 224 times.
> >>>
> >>> How can I fix this?
> >> I do not think samba_share_t is a type usable for filesystems. What
> >> are you trying to do and did that type end up on a filesystem object?
> >>
> > I think this problem might be related to mount & /etc/fstab:
>
> > LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g context=system_u:object_r:samba_share_t:s0,defaults  0 0
>
> > As before I was able to do:
> > LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g context=system_u:object_r:samba_share_t:s0  0 0
>
> > Some recent release changed in the mount/fstab command/file
> > such that it would not allow context only definition in the mount
> > options argument in fstab and resulted in preventing ntfs filesystems
> > from being mounted at boot time, spewing out "argument required" errors
> > for each ntfs mount attempted from the /etc/fstab file.  Adding
> > ',defaults' to the option along with the context argument worked,
> > except that having the 'defaults' argument also means SELinux
> > will attempt to verify/enforce SELinux context information within
> > the NTFS filesystems (which makes no sense), causing AVC denials,
> > or so I think.
>
> > This is probably a bug, IMO.
>
> > I would like to know if anyone has already reported this issue
> > to bugzilla, so that I can remove the ',defaults' entry from
> > fstab for NTFS mounted filesystems.
>
> >>> ===========================================================================
> >>> Summary:
> >>>
> >>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
> >>>
> >>> Detailed Description:
> >>>
> >>> SELinux denied access requested by smbd. It is not expected that this access is
> >>> required by smbd and this access may signal an intrusion attempt. It is also
> >>> possible that the specific version or configuration of the application is
> >>> causing it to require additional access.
> >>>
> >>> Allowing Access:
> >>>
> >>> You can generate a local policy module to allow this access - see FAQ
> >>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> >>> report.
> >>>
> >>> Additional Information:
> >>>
> >>> Source Context                system_u:system_r:smbd_t:s0
> >>> Target Context                system_u:object_r:samba_share_t:s0
> >>> Target Objects                None [ filesystem ]
> >>> Source                        smbd
> >>> Source Path                   /usr/sbin/smbd
> >>> Port                          <Unknown>
> >>> Host                          (removed)
> >>> Source RPM Packages           samba-3.5.5-68.fc13
> >>> Target RPM Packages
> >>> Policy RPM                    selinux-policy-3.7.19-57.fc13
> >>> Selinux Enabled               True
> >>> Policy Type                   targeted
> >>> Enforcing Mode                Enforcing
> >>> Plugin Name                   catchall
> >>> Host Name                     (removed)
> >>> Platform                      Linux host.domain.com 2.6.34.6-54.fc13.i686 #1 SMP Sun Sep 5 17:52:31 UTC 2010 i686 i686
> >>> Alert Count                   224
> >>> First Seen                    Thu 30 Sep 2010 11:32:04 AM PDT
> >>> Last Seen                     Thu 30 Sep 2010 09:18:41 PM PDT
> >>> Local ID                      01035ab1-2396-4e92-9b1e-09645d976534
> >>> Line Numbers
> >>>
> >>> Raw Audit Messages
> >>>
> >>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
> >>> denied  { quotaget } for  pid=17451 comm="smbd"
> >>> scontext=system_u:system_r:smbd_t:s0
> >>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
> >>>
> >>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
> >>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
> >>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
> >>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
> >>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
> >>> subj=system_u:system_r:smbd_t:s0 key=(null)
> >>>
> >>>
> >>> --
> >>> selinux mailing list
> >>> selinux at lists.fedoraproject.org
> >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>
>
> Yes, this is samba checking to see if quota is being enforced on the
> filesystem, and it should be allowed.
>
>
> Miroslav, can you add
>
> allow smbd_t samba_share_t:filesystem { getattr quotaget };
>
> to F13 policy?
>
> Daniel, for now you can add this rule using audit2allow.
>
I apologize, as I have a very short memory. Details please?

Can you give me a link that I can bookmark so that I can
refer to the instructions instead of asking you for instructions
every time? ;)

Thanks!
Dan
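
Added example, not part of the original message and not audit2allow's own code: a sketch of the step audit2allow performs on the denial quoted above, turning AVC records into allow rules and a local module source. The module name passed to `build_module` is a placeholder, and the sample record is the one from the post joined onto a single line.

```python
import re
from collections import defaultdict

# The AVC record quoted in the post, joined onto one line (as in audit.log).
SAMPLE_AVC = (
    'node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc: '
    'denied  { quotaget } for  pid=17451 comm="smbd" '
    'scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def group_denials(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    grouped = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:  # SYSCALL records and unrelated lines do not match
            # The type is the third field of user:role:type[:level].
            key = (m['scon'].split(':')[2], m['tcon'].split(':')[2], m['tclass'])
            grouped[key].update(m['perms'].split())
    return grouped

def allow_rules(lines):
    """One allow rule per key, with permissions merged and sorted."""
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(group_denials(lines).items())]

def build_module(name, lines):
    """Render .te source for a local policy module (name is a placeholder)."""
    lines = list(lines)  # iterated twice below
    grouped = group_denials(lines)
    types = sorted({s for s, _, _ in grouped} | {t for _, t, _ in grouped})
    classes = defaultdict(set)
    for (_, _, c), p in grouped.items():
        classes[c] |= p
    req = [f'\ttype {t};' for t in types]
    req += [f'\tclass {c} {{ {" ".join(sorted(p))} }};'
            for c, p in sorted(classes.items())]
    return '\n'.join([f'module {name} 1.0;', '', 'require {', *req, '}', '',
                      *allow_rules(lines), ''])
```

On a live system, `audit2allow -M <name>` fed the audit log does the parsing, compiling and packaging in one step, and `semodule -i <name>.pp` loads the resulting module.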
