On 10/01/2010 11:32 AM, Daniel B. Thurman wrote:
> On 10/01/2010 08:07 AM, Dominick Grift wrote:
>> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
>>> Below happened 224 times.
>>>
>>> How can I fix this?
>> I do not think samba_share_t is a type usable for filesystems. What are you trying to do and did that type end up on a filesystem object?
>>
> I think this problem might be related to mount & /etc/fstab:
>
> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
> context=system_u:object_r:samba_share_t:s0,defaults 0 0
>
> As before I was able to do:
> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
> context=system_u:object_r:samba_share_t:s0 0 0
>
> Some recent release changed in the mount/fstab command/file
> such that it would not allow context only definition in the mount
> options argument in fstab and resulted preventing ntfs filesystems
> to be mounted at boot time, spewing out "argument required" errors
> for each ntfs mount attempted from the /etc/fstab file. Adding
> ',defaults' to the option along with the context argument worked,
> except that having the 'defaults' argument also means SELinux
> will attempt to verify/enforce SELinux context information within
> the NTFS filesystems (which makes no sense), causing AVC denials,
> or so I think.
>
> This is probably a bug, IMO.
>
> I would like to know if anyone has already reported this issue
> to bugzilla, so that I can remove the ',defaults' entry from
> fstab for NTFS mounted filesystems.
>
>>> ===========================================================================
>>> Summary:
>>>
>>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by smbd. It is not expected that this access is
>>> required by smbd and this access may signal an intrusion attempt. It is also
>>> possible that the specific version or configuration of the application is
>>> causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
>>> report.
>>>
>>> Additional Information:
>>>
>>> Source Context                system_u:system_r:smbd_t:s0
>>> Target Context                system_u:object_r:samba_share_t:s0
>>> Target Objects                None [ filesystem ]
>>> Source                        smbd
>>> Source Path                   /usr/sbin/smbd
>>> Port                          <Unknown>
>>> Host                          (removed)
>>> Source RPM Packages           samba-3.5.5-68.fc13
>>> Target RPM Packages
>>> Policy RPM                    selinux-policy-3.7.19-57.fc13
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   catchall
>>> Host Name                     (removed)
>>> Platform                      Linux host.domain.com
>>>                               2.6.34.6-54.fc13.i686 #1 SMP
>>>                               Sun Sep 5 17:52:31 UTC 2010 i686 i686
>>> Alert Count                   224
>>> First Seen                    Thu 30 Sep 2010 11:32:04 AM PDT
>>> Last Seen                     Thu 30 Sep 2010 09:18:41 PM PDT
>>> Local ID                      01035ab1-2396-4e92-9b1e-09645d976534
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
>>> denied { quotaget } for pid=17451 comm="smbd"
>>> scontext=system_u:system_r:smbd_t:s0
>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
>>>
>>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
>>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
>>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
>>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
>>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
>>> subj=system_u:system_r:smbd_t:s0 key=(null)
>>>
>>>
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux

Yes, this is samba checking to see if quota is being enforced on the filesystem, and it should be allowed.

Miroslav, can you add

allow smbd_t samba_share_t:filesystem { getattr quotaget };

to F13 policy.

Daniel, for now you can add this rule using audit2allow.
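
How the AVC record quoted in this thread maps onto the allow rule proposed in the reply, as an added example that is not part of the original messages and is not audit2allow's own code. The getattr record in the sample is constructed, and the module name `smbd_quota` is a hypothetical placeholder.

```python
import re
from collections import defaultdict

# Constructed sample log. Record 1 is the denial quoted in the thread, record 2
# is its SYSCALL companion (abridged), record 3 is a constructed getattr denial.
SAMPLE_LOG = '''\
type=AVC msg=audit(1285906721.444:102672): avc:  denied  { quotaget } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1285906721.444:102672): arch=40000003 syscall=131 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1285906722.101:102673): avc:  denied  { getattr } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?\bscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def selinux_type(context):
    """Return the type, the third field of user:role:type:level."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line) if "type=AVC" in line else None
        if match:  # SYSCALL and other record types are skipped
            perms, scon, tcon, tclass = match.groups()
            key = (selinux_type(scon), selinux_type(tcon), tclass)
            denials[key].update(perms.split())  # repeats collapse into the set
    return dict(denials)

def te_module(name, denials):
    """Render type enforcement (.te) source for a local policy module."""
    types = sorted({t for src, tgt, _ in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, tclass), perms in sorted(denials.items()):
        lines.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(te_module("smbd_quota", collect_denials(SAMPLE_LOG)))
```

The generated source can be compiled with checkmodule and semodule_package and loaded with semodule -i. Read each allow rule before loading it, since a generator of this kind permits whatever was denied.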