F13: SELinux is preventing /usr/sbin/smbd "quotaget" access

Daniel J Walsh dwalsh at redhat.com
Fri Oct 1 15:46:32 UTC 2010



On 10/01/2010 11:41 AM, Daniel B. Thurman wrote:
>  On 10/01/2010 08:38 AM, Daniel J Walsh wrote:
>> On 10/01/2010 11:32 AM, Daniel B. Thurman wrote:
>>>  On 10/01/2010 08:07 AM, Dominick Grift wrote:
>>>> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
>>>>> Below happened 224 times.
>>>>>
>>>>> How can I fix this?
>>>> I do not think samba_share_t is a type usable for filesystems. What
>>>> are you trying to do and did that type end up on a filesystem object?
>>>>
>>> I think this problem might be related to mount & /etc/fstab:
>>
>>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
>>> context=system_u:object_r:samba_share_t:s0,defaults  0 0
>>
>>> As before I was able to do:
>>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
>>> context=system_u:object_r:samba_share_t:s0  0 0
>>
>>> Some recent release changed in the mount/fstab command/file
>>> such that it would not allow a context-only definition in the mount
>>> options argument in fstab and resulted in preventing ntfs filesystems
>>> from being mounted at boot time, spewing out "argument required" errors
>>> for each ntfs mount attempted from the /etc/fstab file.  Adding
>>> ',defaults' to the option along with the context argument worked,
>>> except that having the 'defaults' argument also means SELinux
>>> will attempt to verify/enforce SELinux context information within
>>> the NTFS filesystems (which makes no sense), causing AVC denials,
>>> or so I think.
>>
>>> This is probably a bug, IMO.
>>
>>> I would like to know if anyone has already reported this issue
>>> to bugzilla, so that I can remove the ',defaults' entry from
>>> fstab for NTFS mounted filesystems.
>>
>>>>>
>>>>> ===========================================================================
>>>>> Summary:
>>>>>
>>>>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
>>>>>
>>>>> Detailed Description:
>>>>>
>>>>> SELinux denied access requested by smbd. It is not expected that this
>>>>> access is required by smbd and this access may signal an intrusion
>>>>> attempt. It is also possible that the specific version or configuration
>>>>> of the application is causing it to require additional access.
>>>>>
>>>>> Allowing Access:
>>>>>
>>>>> You can generate a local policy module to allow this access - see FAQ
>>>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please
>>>>> file a bug report.
>>>>>
>>>>> Additional Information:
>>>>>
>>>>> Source Context                system_u:system_r:smbd_t:s0
>>>>> Target Context                system_u:object_r:samba_share_t:s0
>>>>> Target Objects                None [ filesystem ]
>>>>> Source                        smbd
>>>>> Source Path                   /usr/sbin/smbd
>>>>> Port                          <Unknown>
>>>>> Host                          (removed)
>>>>> Source RPM Packages           samba-3.5.5-68.fc13
>>>>> Target RPM Packages
>>>>> Policy RPM                    selinux-policy-3.7.19-57.fc13
>>>>> Selinux Enabled               True
>>>>> Policy Type                   targeted
>>>>> Enforcing Mode                Enforcing
>>>>> Plugin Name                   catchall
>>>>> Host Name                     (removed)
>>>>> Platform                      Linux host.domain.com
>>>>> 2.6.34.6-54.fc13.i686 #1 SMP
>>>>>                               Sun Sep 5 17:52:31 UTC 2010 i686 i686
>>>>> Alert Count                   224
>>>>> First Seen                    Thu 30 Sep 2010 11:32:04 AM PDT
>>>>> Last Seen                     Thu 30 Sep 2010 09:18:41 PM PDT
>>>>> Local ID                      01035ab1-2396-4e92-9b1e-09645d976534
>>>>> Line Numbers
>>>>>
>>>>> Raw Audit Messages
>>>>>
>>>>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
>>>>> denied  { quotaget } for  pid=17451 comm="smbd"
>>>>> scontext=system_u:system_r:smbd_t:s0
>>>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
>>>>>
>>>>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
>>>>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
>>>>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
>>>>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
>>>>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
>>>>> subj=system_u:system_r:smbd_t:s0 key=(null)
>>>>>
>>>>>
>>>>> --
>>>>> selinux mailing list
>>>>> selinux at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>
>>
>> Yes, this is samba checking to see if quota is being enforced on the
>> filesystem, and it should be allowed.
>>
>>
>> Miroslav can you add
>>
>> allow smbd_t samba_share_t:filesystem { getattr quotaget };
>>
>> To F13 policy.
>>
>> Daniel, for now you can add this rule using audit2allow.
>>
> I apologize as I have a very short memory. Details please?
> 
> Can you give me a link that I can bookmark so that I can
> refer to the instructions instead of asking you for instructions
> every time? ;)
> 
> Thanks!
> Dan
> 
> 
> 

I am working on a new version of setroubleshoot which will print a
message like:

 sealert -a /tmp/t
100% donefound 1 alerts in /tmp/t
-
--------------------------------------------------------------------------------

SELinux is preventing smbd from quotaget access on the filesystem port None.

Plugin catchall (100% confidence) suggests:

If you want to allow smbd to have quotaget access on the port None
filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                port None [ filesystem ]
Source                        smbd
Source Path                   smbd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.36-0.28.rc6.git0.fc15.x86_64 #1 SMP
Wed Sep 29
                              01:47:32 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri Oct  1 00:18:41 2010
Last Seen                     Fri Oct  1 00:18:41 2010
Local ID                      e823b86e-f5a3-4b4f-b8fd-021400546def

Raw Audit Messages
type=AVC msg=audit(1285906721.444:102672): avc:    denied  { quotaget }
for  pid=17451 comm="smbd"    scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
node=host.domain.com

smbd,smbd_t,samba_share_t,filesystem,quotaget

#============= smbd_t ==============
allow smbd_t samba_share_t:filesystem quotaget;

Needs some work, but you get the idea.


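As an added example (not code from this thread, and not setroubleshoot's or audit2allow's own implementation), here is a small Python parser for the step the thread relies on: it reads AVC denial records in the form of the raw audit message quoted above, merges the denied permissions per (source type, target type, class), and renders the `.te` module body that `audit2allow -M` would produce. The sample log is constructed: it carries the thread's quotaget record, a constructed getattr denial mirroring the `{ getattr quotaget }` rule requested for the F13 policy, and a constructed unrelated denial on `shadow_t` that has nothing to do with the share. The function names are my own.

```python
"""Parse SELinux AVC denial records and emit the allow rules that
audit2allow would generate, optionally scoped to one source domain and
one target type.  Added example; not setroubleshoot or audit2allow code."""
import re
from collections import defaultdict

# Constructed sample audit log: record 1 is the denial from the thread,
# records 3 and 4 are constructed (a getattr denial on the same share and
# an unrelated denial on shadow_t that should NOT end up in the module).
SAMPLE_AUDIT_LOG = """\
node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:  denied  { quotaget } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672): arch=40000003 syscall=131 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1285906800.100:102700): avc:  denied  { getattr } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
type=AVC msg=audit(1285906900.200:102800): avc:  denied  { read } for  pid=17460 comm="smbd" name="shadow" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Matches only type=AVC records; SYSCALL records carry no scontext/tclass
# in this form and are skipped by parse_denials().
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field (third component) of user:role:type:level."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC record."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and unrelated lines are ignored
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"),
               set(m.group("perms").split()))


def collect_rules(log_text, source_type=None, target_type=None):
    """Merge denials into {(stype, ttype, tclass): perms}.

    source_type / target_type restrict the result to one domain and one
    target type, so a module built for the share cannot silently absorb
    other denials by the same daemon that happen to be in the log."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(log_text):
        if source_type and stype != source_type:
            continue
        if target_type and ttype != target_type:
            continue
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def perm_list(perms):
    """Render a permission set in policy syntax: one bare name or { a b }."""
    names = " ".join(sorted(perms))
    return names if len(perms) == 1 else "{ " + names + " }"


def format_te(rules, module_name="mypol"):
    """Render the merged rules as a .te source file body."""
    types, class_perms, by_domain = set(), defaultdict(set), defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        types.update((stype, ttype))
        class_perms[tclass] |= perms
        by_domain[stype].append(f"allow {stype} {ttype}:{tclass} {perm_list(perms)};")
    lines = [f"module {module_name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {perm_list(p)};" for c, p in sorted(class_perms.items())]
    lines += ["}", ""]
    for domain, allows in sorted(by_domain.items()):
        lines.append(f"#============= {domain} ==============")
        lines.extend(allows)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    scoped = collect_rules(SAMPLE_AUDIT_LOG, "smbd_t", "samba_share_t")
    print(format_te(scoped))
```

Run as a script it prints a `mypol.te` body whose only allow line is `allow smbd_t samba_share_t:filesystem { getattr quotaget };`, matching the rule asked for in the thread. The `grep smbd /var/log/audit/audit.log | audit2allow -M mypol` pipeline from the setroubleshoot output selects on the comm name alone, so on a log like the constructed sample it would also turn the `shadow_t` denial into an allow rule; scoping by source and target type keeps the module to the one denial actually being fixed. The resulting `.te` is compiled and loaded the same way as the thread describes, with `semodule -i mypol.pp`.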