On Sun, 2009-02-22 at 11:38 +0100, Per Sjoholm wrote:
> On CentOS 5.2
> The server is answering on different netbios names.
> SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t)
> In smb.conf the include files are in 2 halves: one for global config and one for shares/aliases.
> I have include = /etc/samba/smb.%L.alias to get different shares/aliases depending on the netbios name.
> The alias file contains
> [name]
> ...
> [name2]
> ...
>
> I link asen20 to ASEN20 to allow the netbios name:
> # ls -Z /etc/samba/smb*
> -r--r--r-- root root root:object_r:samba_etc_t /etc/samba/smb.asen20.alias
> lrwxrwxrwx root root root:object_r:samba_etc_t /etc/samba/smb.ASEN20.alias -> smb.asen20.alias
>
> /var/log/messages
> Feb 22 11:18:29 dox nmbd[4689]: become_domain_master_browser_bcast: querying subnet 192.168.1.6 for domain master browser on workgroup OASEN
> Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing the samba daemon from serving r/o local files to remote clients. For complete SELinux messages. run sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
> Feb 22 11:18:31 dox last message repeated 2 times
> Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t). For complete SELinux messages. run sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb
>
> Setting setsebool -P samba_export_all_ro=1 as advised in sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76 does not help.
>
> # sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
>
> Summary:
>
> SELinux is preventing the samba daemon from serving r/o local files to remote
> clients.
>
> Detailed Description:
>
> SELinux has preventing the samba daemon (smbd) from reading files on the local
> system. If you have not exported these file systems, this could signals an
> intrusion.
>
> Allowing Access:
>
> If you want to export file systems using samba you need to turn on the
> samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".
>
> The following command will allow this access:
>
> setsebool -P samba_export_all_ro=1
>
> Additional Information:
>
> Source Context                root:system_r:smbd_t
> Target Context                root:object_r:samba_etc_t
> Target Objects                smb.ASEN20.alias [ lnk_file ]
> Source                        smbd
> Source Path                   /usr/sbin/smbd
> Port                          <Unknown>
> Host                          dox.oasen.dyndns.org
> Source RPM Packages           samba-3.0.28-1.el5_2.1
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   samba_export_all_ro
> Host Name                     dox.oasen.dyndns.org
> Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
>                               SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count                   6
> First Seen                    Sun Feb 22 11:01:48 2009
> Last Seen                     Sun Feb 22 11:18:29 2009
> Local ID                      55450fa9-b52d-4224-ad52-58b0b9fc4b76
> Line Numbers
>
> Raw Audit Messages
>
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file

try this:

echo 'type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file' | audit2allow -M mysmbd; sudo /usr/sbin/semodule -i mysmbd.pp

> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.562:32001): arch=c000003e syscall=4 success=no exit=-13 a0=7fffa6dcac10 a1=7fffa6dcab60 a2=7fffa6dcab60 a3=2b560ee731f0 items=0 ppid=4684 pid=4685 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
>
>
> # sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb
>
> Summary:
>
> SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t).
>
> Detailed Description:
>
> SELinux denied access requested by nmbd. It is not expected that this access is
> required by nmbd and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for smb.ASEN20.alias,
>
> restorecon -v 'smb.ASEN20.alias'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                root:system_r:nmbd_t
> Target Context                root:object_r:samba_etc_t
> Target Objects                smb.ASEN20.alias [ lnk_file ]
> Source                        nmbd
> Source Path                   /usr/sbin/nmbd
> Port                          <Unknown>
> Host                          dox.oasen.dyndns.org
> Source RPM Packages           samba-3.0.28-1.el5_2.1
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     dox.oasen.dyndns.org
> Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
>                               SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count                   6
> First Seen                    Sun Feb 22 11:01:48 2009
> Last Seen                     Sun Feb 22 11:18:29 2009
> Local ID                      350c8d95-e127-4a23-b2a1-455771106aeb
> Line Numbers
>
> Raw Audit Messages
>
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file

And this:

echo 'type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file' | audit2allow -M mynmbd; sudo /usr/sbin/semodule -i mynmbd.pp

(mind the line breaks)

> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.628:32004): arch=c000003e syscall=4 success=no exit=-13 a0=7fffca8af300 a1=7fffca8af250 a2=7fffca8af250 a3=0 items=0 ppid=4687 pid=4688 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="nmbd" exe="/usr/sbin/nmbd" subj=root:system_r:nmbd_t:s0 key=(null)

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
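As an added example (not code from this thread or from audit2allow itself), the script below parses AVC "denied" lines like the two quoted above and prints the type-enforcement module source that a local policy module would be built from, so the exact rules can be reviewed before semodule installs them. It assumes POSIX sh, sed and awk; the sample denial lines are constructed from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the type-enforcement rules
# that audit2allow would build from AVC "denied" lines, so the scope of a
# local policy module can be checked before semodule -i installs it.

# Constructed sample input: the two denials quoted in the thread, one per line.
SAMPLE_AVC='type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file'

# Print the value of " key=value" for one key in one AVC line.
avc_field() {  # $1 = AVC line, $2 = key
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# One AVC line -> one rule: allow <source_t> <target_t>:<class> { perms };
# Prints nothing and returns 1 if a required field is missing.
avc_to_allow() {  # $1 = AVC line
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for .*/\1/p')
    src=$(avc_field "$1" scontext | cut -d: -f3)   # user:role:TYPE:level
    tgt=$(avc_field "$1" tcontext | cut -d: -f3)
    cls=$(avc_field "$1" tclass)
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# AVC lines on stdin -> a complete .te module source with deduplicated rules
# and a require block listing every type and class the rules reference.
avc_to_module() {  # $1 = module name
    rules=$(while IFS= read -r l; do avc_to_allow "$l"; done | sort -u)
    [ -n "$rules" ] || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    { printf '%s\n' "$rules" | sed 's/^allow \([^ ]*\) .*/\1/'
      printf '%s\n' "$rules" | sed 's/^allow [^ ]* \([^:]*\):.*/\1/'; } |
        sort -u | sed 's/.*/    type &;/'
    printf '%s\n' "$rules" |
        sed 's/^allow [^ ]* [^:]*:\([^ ]*\) { \(.*\) };$/\1 \2/' |
        awk '{ for (i = 2; i <= NF; i++) if (!seen[$1, $i]++) p[$1] = p[$1] " " $i }
             END { for (c in p) print "    class " c " {" p[c] " };" }'
    printf '}\n\n%s\n' "$rules"
}

# Stand-alone run: show the module the two denials from the thread would produce.
printf '%s\n' "$SAMPLE_AVC" | avc_to_module mysamba
```

For these two denials the output grants only `lnk_file read` on `samba_etc_t` to `smbd_t` and `nmbd_t`, which is the narrow permission the symlinked include file needs; a module built from a larger batch of denials should be read the same way before it is loaded.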