On 08/13/2009 05:47 PM, Vadym Chepkov wrote:
> Yes, they are mount points.
>
> Sincerely yours,
> Vadym Chepkov
>
>
> --- On Thu, 8/13/09, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
>> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>> Subject: Re: samba and system users home
>> To: "Paul Howarth" <paul@xxxxxxxxxxxx>
>> Cc: "Vadym Chepkov" <chepkov@xxxxxxxxx>, "Fedora SELinux" <fedora-selinux-list@xxxxxxxxxx>
>> Date: Thursday, August 13, 2009, 5:31 PM
>> On 08/13/2009 04:50 PM, Paul Howarth wrote:
>>> On Thu, 13 Aug 2009 13:03:41 -0700 (PDT)
>>> Vadym Chepkov <chepkov@xxxxxxxxx> wrote:
>>>
>>>> Hi,
>>>>
>>>> Each time anybody tries to access a samba share I get denials like
>>>> this:
>>>>
>>>> type=AVC msg=audit(1250191256.756:26956): avc: denied { getattr } for pid=20508 comm="smbd" path="/var/www" dev=dm-5 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
>>>>
>>>> type=AVC msg=audit(1250191256.756:26955): avc: denied { getattr } for pid=20508 comm="smbd" path="/var/mysql" dev=dm-4 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
>>>>
>>>> I am not sure why samba is trying to access these directories, it's no
>>>> one's home, just a mount point. dovecot generates the same AVCs, but
>>>> only when it starts. What is the best way to suppress these? Thanks.
>>>
>>> I've been getting these for years too! Well, I've had these in local
>>> policy for several releases:
>>>
>>> # Samba needs to be able to access stuff under /srv
>>> allow smbd_t var_t:dir getattr;
>>>
>>> # F11 noise reduction
>>> dontaudit smbd_t lost_found_t:dir { getattr read };
>>> dontaudit smbd_t squid_cache_t:dir getattr;
>>> dontaudit smbd_t mysqld_db_t:dir getattr;
>>>
>>> Paul.
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Are these mountpoints on your system?
>>
>

Samba must be doing a getattr on all the mountpoints on the system.

This is what makes SELinux so much fun...
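The triage discussed in this thread, as an added example that is not part of the original messages: it separates getattr probes on mount-point directories from denials that still need review, and emits `dontaudit` candidates only for the former. It assumes ext2/3/4 file systems, whose root directory is inode 2 (as in the quoted AVC records); the third log record and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the thread, plus one
# made-up write denial (ino=4711) that must NOT be silenced.
SAMPLE_LOG = """\
type=AVC msg=audit(1250191256.756:26956): avc: denied { getattr } for pid=20508 comm="smbd" path="/var/www" dev=dm-5 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1250191256.756:26955): avc: denied { getattr } for pid=20508 comm="smbd" path="/var/mysql" dev=dm-4 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1250191300.100:27001): avc: denied { write } for pid=20510 comm="smbd" path="/var/www/index.html" dev=dm-5 ino=4711 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["perms"] = m.group("perms").split()
    # The SELinux type is the third field of user:role:type:level.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def is_mountpoint_probe(rec):
    """Assumption: getattr only, on a directory with inode 2 (ext root inode)."""
    return rec["perms"] == ["getattr"] and rec["tclass"] == "dir" and rec["ino"] == "2"

def triage(log_text):
    """Split denials into dontaudit candidates and records needing review."""
    rules, review = defaultdict(set), []
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        if is_mountpoint_probe(rec):
            rules[(rec["stype"], rec["ttype"])].add(rec["path"])
        else:
            review.append(rec)
    out = [f"dontaudit {s} {t}:dir getattr;  # {', '.join(sorted(p))}"
           for (s, t), p in sorted(rules.items())]
    return out, review

if __name__ == "__main__":
    candidates, needs_review = triage(SAMPLE_LOG)
    print("\n".join(candidates))
    for r in needs_review:
        print("REVIEW:", r["comm"], r["perms"], r["path"], r["ttype"])
```

A `dontaudit` rule is keyed on the target type, so it also hides getattr denials on every other directory carrying that label, not only the mount point itself.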