Re: F13: SELinux is preventing /usr/sbin/smbd "quotaget" access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/01/2010 08:07 AM, Dominick Grift wrote:
On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
Below happened 224 times.

How can I fix this?
I do not think samba_share_t is a type usable for filesystems. What are you trying to do and did that type end up on a filesystem object?

I think this problem might be related to mount & /etc/fstab:

LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g context=system_u:object_r:samba_share_t:s0,defaults  0 0

As before I was able to do:
LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g context=system_u:object_r:samba_share_t:s0  0 0

Some recent release changed in the mount/fstab command/file
such that it would not allow context only definition in the mount
options argument in fstab and resulted preventing ntfs filesystems
to be mounted at boot time, spewing out "argument required" errors
for each ntfs mount attempted from the /etc/fstab file.  Adding
',defaults' to the option along with the context argument worked,
except that having the 'defaults' argument also means SELinux
will attempt to verify/enforce SELinux context information within
the NTFS filesystems (which makes no sense), causing AVC denials,
or so I think.

This is probably a bug, IMO.

I would like to know if anyone has already reported this issue
to bugzilla, so that I can remove the ',defaults' entry from
fstab for NTFS mounted filesystems.

===========================================================================
Summary:

SELinux is preventing /usr/sbin/smbd "quotaget" access .

Detailed Description:

SELinux denied access requested by smbd. It is not expected that this
access is
required by smbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                None [ filesystem ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           samba-3.5.5-68.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-57.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux host.domain.com
2.6.34.6-54.fc13.i686 #1 SMP
                              Sun Sep 5 17:52:31 UTC 2010 i686 i686
Alert Count                   224
First Seen                    Thu 30 Sep 2010 11:32:04 AM PDT
Last Seen                     Thu 30 Sep 2010 09:18:41 PM PDT
Local ID                      01035ab1-2396-4e92-9b1e-09645d976534
Line Numbers

Raw Audit Messages

node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
denied  { quotaget } for  pid=17451 comm="smbd"
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem

node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
subj=system_u:system_r:smbd_t:s0 key=(null)


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux