On CentOS 5.2
The server is answering on different netbios names.
SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t)
In smb.conf the include files are in 2 halves, one for global config and one for shares/aliases.
I have include = /etc/samba/smb.%L.alias to get different shares/aliases depending on the netbios name.
The alias contains
[name]
...
[name2]
...
I link asen20 to ASEN20 to allow the netbios name
# ls -Z /etc/samba/smb*
-r--r--r-- root root root:object_r:samba_etc_t /etc/samba/smb.asen20.alias
lrwxrwxrwx root root root:object_r:samba_etc_t /etc/samba/smb.ASEN20.alias -> smb.asen20.alias
/var/log/message
Feb 22 11:18:29 dox nmbd[4689]: become_domain_master_browser_bcast: querying subnet 192.168.1.6 for domain master
browser on workgroup OASEN
Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing the samba daemon from serving r/o local files to remote
clients. For complete SELinux messages. run sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
Feb 22 11:18:31 dox last message repeated 2 times
Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t). For
complete SELinux messages. run sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb
Setting setsebool -P samba_export_all_ro=1, as advised in sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76, does not help.
# sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
Summary:
SELinux is preventing the samba daemon from serving r/o local files to remote
clients.
Detailed Description:
SELinux has preventing the samba daemon (smbd) from reading files on the local
system. If you have not exported these file systems, this could signals an
intrusion.
Allowing Access:
If you want to export file systems using samba you need to turn on the
samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".
The following command will allow this access:
setsebool -P samba_export_all_ro=1
Additional Information:
Source Context root:system_r:smbd_t
Target Context root:object_r:samba_etc_t
Target Objects smb.ASEN20.alias [ lnk_file ]
Source smbd
Source Path /usr/sbin/smbd
Port <Unknown>
Host dox.oasen.dyndns.org
Source RPM Packages samba-3.0.28-1.el5_2.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name samba_export_all_ro
Host Name dox.oasen.dyndns.org
Platform Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count 6
First Seen Sun Feb 22 11:01:48 2009
Last Seen Sun Feb 22 11:18:29 2009
Local ID 55450fa9-b52d-4224-ad52-58b0b9fc4b76
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd"
name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0
tclass=lnk_file
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.562:32001): arch=c000003e syscall=4 success=no exit=-13
a0=7fffa6dcac10 a1=7fffa6dcab60 a2=7fffa6dcab60 a3=2b560ee731f0 items=0 ppid=4684 pid=4685 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0
key=(null)
# sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb
Summary:
SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t).
Detailed Description:
SELinux denied access requested by nmbd. It is not expected that this access is
required by nmbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for smb.ASEN20.alias,
restorecon -v 'smb.ASEN20.alias'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context root:system_r:nmbd_t
Target Context root:object_r:samba_etc_t
Target Objects smb.ASEN20.alias [ lnk_file ]
Source nmbd
Source Path /usr/sbin/nmbd
Port <Unknown>
Host dox.oasen.dyndns.org
Source RPM Packages samba-3.0.28-1.el5_2.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name dox.oasen.dyndns.org
Platform Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count 6
First Seen Sun Feb 22 11:01:48 2009
Last Seen Sun Feb 22 11:18:29 2009
Local ID 350c8d95-e127-4a23-b2a1-455771106aeb
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd"
name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0
tclass=lnk_file
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.628:32004): arch=c000003e syscall=4 success=no exit=-13
a0=7fffca8af300 a1=7fffca8af250 a2=7fffca8af250 a3=0 items=0 ppid=4687 pid=4688 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="nmbd" exe="/usr/sbin/nmbd" subj=root:system_r:nmbd_t:s0 key=(null)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list