F13: SELinux is preventing /usr/sbin/smbd "quotaget" access

Miroslav Grepl mgrepl at redhat.com
Tue Oct 5 14:49:59 UTC 2010


  On 10/01/2010 05:38 PM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/01/2010 11:32 AM, Daniel B. Thurman wrote:
>>   On 10/01/2010 08:07 AM, Dominick Grift wrote:
>>> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
>>>> Below happened 224 times.
>>>>
>>>> How can I fix this?
>>> I do not think samba_share_t is a type usable for filesystems. What are you trying to do and did that type end up on a filesystem object?
>>>
>> I think this problem might be related to mount & /etc/fstab:
>>
>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
>> context=system_u:object_r:samba_share_t:s0,defaults  0 0
>>
>> As before I was able to do:
>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
>> context=system_u:object_r:samba_share_t:s0  0 0
>>
>> Some recent release changed the mount/fstab command/file
>> such that it would not allow a context-only definition in the mount
>> options argument in fstab, which resulted in preventing ntfs filesystems
>> from being mounted at boot time, spewing out "argument required" errors
>> for each ntfs mount attempted from the /etc/fstab file.  Adding
>> ',defaults' to the options along with the context argument worked,
>> except that having the 'defaults' argument also means SELinux
>> will attempt to verify/enforce SELinux context information within
>> the NTFS filesystems (which makes no sense), causing AVC denials,
>> or so I think.
>>
>> This is probably a bug, IMO.
>>
>> I would like to know if anyone has already reported this issue
>> to bugzilla, so that I can remove the ',defaults' entry from
>> fstab for NTFS mounted filesystems.
>>
>>>> ===========================================================================
>>>> Summary:
>>>>
>>>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
>>>>
>>>> Detailed Description:
>>>>
>>>> SELinux denied access requested by smbd. It is not expected that this
>>>> access is
>>>> required by smbd and this access may signal an intrusion attempt. It is also
>>>> possible that the specific version or configuration of the application is
>>>> causing it to require additional access.
>>>>
>>>> Allowing Access:
>>>>
>>>> You can generate a local policy module to allow this access - see FAQ
>>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
>>>> report.
>>>>
>>>> Additional Information:
>>>>
>>>> Source Context                system_u:system_r:smbd_t:s0
>>>> Target Context                system_u:object_r:samba_share_t:s0
>>>> Target Objects                None [ filesystem ]
>>>> Source                        smbd
>>>> Source Path                   /usr/sbin/smbd
>>>> Port                          <Unknown>
>>>> Host                          (removed)
>>>> Source RPM Packages           samba-3.5.5-68.fc13
>>>> Target RPM Packages
>>>> Policy RPM                    selinux-policy-3.7.19-57.fc13
>>>> Selinux Enabled               True
>>>> Policy Type                   targeted
>>>> Enforcing Mode                Enforcing
>>>> Plugin Name                   catchall
>>>> Host Name                     (removed)
>>>> Platform                      Linux host.domain.com
>>>> 2.6.34.6-54.fc13.i686 #1 SMP
>>>>                                Sun Sep 5 17:52:31 UTC 2010 i686 i686
>>>> Alert Count                   224
>>>> First Seen                    Thu 30 Sep 2010 11:32:04 AM PDT
>>>> Last Seen                     Thu 30 Sep 2010 09:18:41 PM PDT
>>>> Local ID                      01035ab1-2396-4e92-9b1e-09645d976534
>>>> Line Numbers
>>>>
>>>> Raw Audit Messages
>>>>
>>>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
>>>> denied  { quotaget } for  pid=17451 comm="smbd"
>>>> scontext=system_u:system_r:smbd_t:s0
>>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
>>>>
>>>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
>>>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
>>>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
>>>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
>>>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
>>>> subj=system_u:system_r:smbd_t:s0 key=(null)
>>>>
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>
>>
>>
> Yes, this is samba checking to see if quota is being enforced on the
> filesystem, and it should be allowed.
>
>
> Miroslav can you add
>
> allow smbd_t samba_share_t:filesystem { getattr quotaget };
>
> To F13 policy.
Added to selinux-policy-3.7.19-64.fc13.noarch.
> Daniel, for now you can add this rule using audit2allow.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkymAF4ACgkQrlYvE4MpobMH5wCglLYNEZSEVXfm1Bl+f6lAfQIi
> zk4AnRgIsIWBcs96R/ELqyTFwUcfUYVt
> =E2no
> -----END PGP SIGNATURE-----
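A worked example, added here and not part of the thread or of the selinux-policy package: a small POSIX sh + awk script that does what Dan Walsh's "add this rule using audit2allow" suggestion amounts to. It parses raw AVC lines of the form shown in the report into allow rules (merging permissions for the same source/target/class) and wraps them in the module source that audit2allow -M would write. The first sample line is the report's own AVC line unwrapped; the second getattr denial is constructed so the merge step has something to do. The module name local_smbd_quota and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the list thread or selinux-policy): a minimal
# audit2allow work-alike in POSIX sh + awk. It turns AVC denial lines into
# allow rules, then into a policy module source that checkmodule can build.

# Constructed sample input. Line 1 is the AVC line from the report above,
# unwrapped; line 2 is a made-up getattr denial so the merge step has work.
SAMPLE_AVC='node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:  denied  { quotaget } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
node=host.domain.com type=AVC msg=audit(1285906721.444:102673): avc:  denied  { getattr } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem'

# avc_to_rules: stdin = raw audit lines; stdout = one "allow" rule per
# (source type, target type, class), permissions merged and de-duplicated.
avc_to_rules() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/^.*[{] */, "", perms)      # drop everything up to "{ "
        sub(/ *[}].*$/, "", perms)      # drop " }" and the rest
        n = split($0, f, " ")
        for (i = 1; i <= n; i++) {
            # contexts are user:role:TYPE[:level]; we only need TYPE
            if (f[i] ~ /^scontext=/) { split(f[i], s, ":"); src = s[3] }
            if (f[i] ~ /^tcontext=/) { split(f[i], t, ":"); tgt = t[3] }
            if (f[i] ~ /^tclass=/)   { cls = substr(f[i], 8) }
        }
        key = src " " tgt ":" cls
        if (!(key in order)) { order[key] = ++nkeys; keys[nkeys] = key }
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
    }
    END {
        for (i = 1; i <= nkeys; i++) {
            split(keys[i], k, " ")
            printf "allow %s %s {%s };\n", k[1], k[2], rule[keys[i]]
        }
    }'
}

# rules_to_te NAME: stdin = allow rules from avc_to_rules; stdout = module
# source with the require block that audit2allow would emit.
rules_to_te() {
    awk -v name="$1" '
    $1 == "allow" {
        src = $2
        split($3, tc, ":"); tgt = tc[1]; cls = tc[2]
        perms = $0
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        if (!(src in types)) { types[src] = 1; tlist[++nt] = src }
        if (!(tgt in types)) { types[tgt] = 1; tlist[++nt] = tgt }
        if (!(cls in classes)) { classes[cls] = 1; clist[++nc] = cls }
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++)
            if (!((cls, p[j]) in cp)) { cp[cls, p[j]] = 1; cperms[cls] = cperms[cls] " " p[j] }
        rules[++nr] = $0
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", clist[i], cperms[clist[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# Demo: print the module source for the sample denials.
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules | rules_to_te local_smbd_quota

# To build and load for real (needs checkpolicy and policycoreutils); the
# real tool does all of this with: grep avc /var/log/audit/audit.log | audit2allow -M local_smbd_quota
#   ... | rules_to_te local_smbd_quota > local_smbd_quota.te
#   checkmodule -M -m -o local_smbd_quota.mod local_smbd_quota.te
#   semodule_package -o local_smbd_quota.pp -m local_smbd_quota.mod
#   semodule -i local_smbd_quota.pp
```

The generated rule is exactly the one Dan Walsh asked for, which is the point: read the AVC before loading anything. Here the SYSCALL record (arch=40000003, syscall=131, i.e. quotactl on i386, exit=-13 EACCES) matches smbd's quota probe, so the rule is benign; the same workflow applied blindly to an AVC you do not understand is how unrelated access gets whitelisted. Since the fix landed in selinux-policy-3.7.19-64.fc13, a local module like this is a stopgap to be removed with semodule -r once the updated policy is installed.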
