Re: Samba log files have wrong context?

Bob Kashani wrote:
SELinux keeps complaining that the file contexts for log files
in /var/log/samba are wrong. All of the files are labeled samba_log_t
but it seems to want samba_share_t, is this correct?

This is what selinux troubleshooter reports:

Summary
    SELinux is preventing samba (/usr/sbin/smbd) "append" to log.chaucer
    (samba_log_t).

Detailed Description
    SELinux denied samba access to log.chaucer. If you want to share this
    directory with samba it has to have a file context label of samba_share_t.
    If you did not intend to use log.chaucer as a samba repository it could
    indicate either a bug or it could signal a intrusion attempt.

Allowing Access
    You can alter the file context by executing chcon -R -t samba_share_t
    log.chaucer

    The following command will allow this access:
    chcon -R -t samba_share_t log.chaucer

Additional Information
Source Context                system_u:system_r:smbd_t
Target Context                system_u:object_r:samba_log_t
Target Objects                log.chaucer [ file ]
Affected RPM Packages         samba-3.0.25-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.samba_share
Host Name                     chaucer
Platform                      Linux chaucer 2.6.21-1.3194.fc7 #1 SMP Wed May 23
                              22:35:01 EDT 2007 i686 athlon
Alert Count                   3
First Seen                    Sun 03 Jun 2007 04:50:41 PM PDT
Last Seen                     Sun 03 Jun 2007 04:50:41 PM PDT
Local ID                      ef44bd9c-87aa-4898-9c3d-bb0a3def2ade
Line Numbers
Raw Audit Messages
avc: denied { append } for comm="smbd" dev=sda2 egid=0 euid=0
exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="log.chaucer"
pid=2945 scontext=system_u:system_r:smbd_t:s0 sgid=0
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:samba_log_t:s0 tty=(none) uid=0


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

No, this is broken policy. It will be fixed in selinux-policy-2.6.4-13.fc7.

You can use

grep samba_log_t /var/log/audit/audit.log | audit2allow -M mysamba
semodule -i mysamba.pp

to allow this on your machine.
