Re: Setting Samba Boolean. Recommended method?

[Paul Howarth <paul@xxxxxxxxxxxx>]

Richard Chapman wrote:
> I am running SElinux in permissive mode. I want to allow samba access to 
> user home directories.
> At setroubleshooters suggestion (see below) - I did the following at a 
> shell prompt:
>
> Ø       *setsebool -P samba_enable_home_dirs=1
>
>
> *
>
> This seemed to solve the problem. But after a reboot the denials are 
> back. I assume the boolean is not carried across a reboot.
>
> If my assumption is correct - where is the recommended place to put the:
>
> setsebool -P samba_enable_home_dirs=1
>
> command?
> Should I create a local policy module and put it there - or is there 
> some other recommended place? If anyone can point me to a recommended 
> procedure ...
>
> Thanks
>
> Richard.

You've done what you needed to do already - the -P option makes the 
boolean persist across reboots.

> Summary:
>
> SELinux is preventing the samba daemon from reading users' home 
> directories.

This summary is actually slightly misleading in this case.

> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but 
> was
> permitted due to permissive mode.]
>
> SELinux has denied the samba daemon access to users' home directories. 
> Someone
> is attempting to access your home directories via your samba daemon. If 
> you only
> setup samba to share non-home directories, this probably signals a 
> intrusion
> attempt. For more information on SELinux integration with samba, look at 
> the
> samba_selinux man page. (man samba_selinux)
>
> Allowing Access:
>
> If you want samba to share home directories you need to turn on the
> samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
>
> The following command will allow this access:
>
> setsebool -P samba_enable_home_dirs=1
>
> Additional Information:
>
> Source Context                system_u:system_r:smbd_t
> Target Context                user_u:object_r:spamassassin_home_t
> Target Objects                ./.spamassassin [ dir ]
> Source                        smbd
> Source Path                   /usr/sbin/smbd
> Port                          <Unknown>
> Host                          C5.aardvark.com.au
> Source RPM Packages           samba-3.0.28-1.el5_2.1
> Target RPM Packages          Policy RPM                    
> selinux-policy-2.4.6-203.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   samba_enable_home_dirs
> Host Name                     C5.aardvark.com.au
> Platform                      Linux C5.aardvark.com.au 
> 2.6.18-92.1.22.el5 #1 SMP
>                              Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Tue 13 Jan 2009 10:59:19 PM WST
> Last Seen                     Tue 13 Jan 2009 10:59:23 PM WST
> Local ID                      70f6525d-ce9d-40a4-a558-c3db06781ae9
> Line Numbers                
> Raw Audit Messages          
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  
> denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" 
> dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 
> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  
> denied  { search } for  pid=8841 comm="smbd" name=".spamassassin" 
> dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 
> tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  
> denied  { getattr } for  pid=8841 comm="smbd" 
> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 
> scontext=system_u:system_r:smbd_t:s0 
> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>
> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc:  
> denied  { getattr } for  pid=8841 comm="smbd" 
> path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 
> scontext=system_u:system_r:smbd_t:s0 
> tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): 
> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 
> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 
> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 
> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" 
> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
>
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): 
> arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 
> a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 
> pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 
> egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" 
> exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)

These denials are all for the ~/.spamassassin directory and its 
contents, not the home directory in general. Browsing the majority of 
the home directory would work just fine in enforcing mode.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list