I am sharing my user home directories to other machines on my LAN using Samba. I have that all working correctly except for one persistent AVC that I keep seeing. Now this AVC is correct in that I really do not want my users' .ssh directories read over SMB, so I'd quite like to keep that as-is. But... I get alerts for this all the time, so I'd like to know how to add a dontaudit rule for it so that access is denied but I don't get told about it.

Ideally I'd like to add a generic rule to catch all users and not have to add one dontaudit rule per user. Just don't have a clue where to start and Google was not much use on this, so would appreciate some help if anyone has done this before?

SELinux is preventing samba (smbd) "getattr" to /home/$user/.ssh (sshd_key_t).

Source Context:       system_u:system_r:smbd_t
Target Context:       user_u:object_r:sshd_key_t
Target Objects:       /home/$user/.ssh/config [ file ]
Source:               smbd
Source Path:          /usr/sbin/smbd
Port:                 <Unknown>
Host:                 hostname
Source RPM Packages:  samba-3.0.33-3.15.el5_4.1
Target RPM Packages:
Policy RPM:           selinux-policy-2.4.6-255.el5_4.4
Selinux Enabled:      True
Policy Type:          targeted
MLS Enabled:          True
Enforcing Mode:       Permissive
Plugin Name:          samba_share
Host Name:            hostname
Platform:             Linux hostname 2.6.32.5 #3 SMP Sun Jan 31 03:27:09 GMT 2010 x86_64 x86_64
Alert Count:          1
First Seen:           Tue 23 Feb 2010 12:44:47 AM GMT
Last Seen:            Tue 23 Feb 2010 12:44:47 AM GMT
Local ID:             5d933e81-2ab5-4529-8dce-9e554a59f0e3
Line Numbers:

Raw Audit Messages:

host=hostname type=AVC msg=audit(1266885887.400:4313): avc: denied { getattr } for pid=16382 comm="smbd" path="/home/$user/.ssh/config" dev=dm-4 ino=10453601 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:sshd_key_t:s0 tclass=file

host=hostname type=SYSCALL msg=audit(1266885887.400:4313): arch=c000003e syscall=4 success=yes exit=0 a0=7fff2dc9f270 a1=7fff2dc9e9a0 a2=7fff2dc9e9a0 a3=7fff2dc9ee70 items=0 ppid=4352 pid=16382 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)

--
Trevor Hemsley
Infrastructure Engineer
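
Added example, not part of the original message and not the SELinux project's own tooling: a small Python script that turns the AVC record quoted in the report into the source of a loadable policy module containing a dontaudit rule. Because the rule names the types smbd_t and sshd_key_t rather than a path, one rule covers every user's files carrying that label; the module name smbd_ssh_dontaudit is a made-up placeholder.

```python
import re

# AVC record copied from the report above ($user is the post's own placeholder).
AVC = ('type=AVC msg=audit(1266885887.400:4313): avc: denied { getattr } for '
       'pid=16382 comm="smbd" path="/home/$user/.ssh/config" dev=dm-4 '
       'ino=10453601 scontext=system_u:system_r:smbd_t:s0 '
       'tcontext=user_u:object_r:sshd_key_t:s0 tclass=file')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scon>\S+)'
    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Pull (source type, target type, class, perms) out of an AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    src, tgt = (m[g].split(':')[2] for g in ('scon', 'tcon'))  # user:role:type[:level]
    return src, tgt, m['tclass'], frozenset(m['perms'].split())

def fmt(perms):
    """Policy syntax: a bare name for one permission, a braced set for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def dontaudit_module(name, lines, version='1.0'):
    """Return .te source with dontaudit rules; rules name types, not paths."""
    # Build and load: checkmodule -M -m -o NAME.mod NAME.te;
    # semodule_package -o NAME.pp -m NAME.mod; semodule -i NAME.pp
    rules, classes, types = {}, {}, set()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # e.g. the SYSCALL record that accompanies each AVC
        src, tgt, cls, perms = parsed
        rules.setdefault((src, tgt, cls), set()).update(perms)
        classes.setdefault(cls, set()).update(perms)
        types.update((src, tgt))
    if not rules:
        raise ValueError('no AVC denials in input')
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {fmt(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'dontaudit {s} {t}:{c} {fmt(p)};'
            for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(dontaudit_module('smbd_ssh_dontaudit', [AVC]))  # hypothetical module name
```

The report lists Enforcing Mode: Permissive and the SYSCALL record shows success=yes, so on that host the rule only silences the message; the access itself is blocked only when SELinux is enforcing.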