On 10/01/2010 08:38 AM, Daniel J Walsh wrote:
> On 10/01/2010 11:32 AM, Daniel B. Thurman wrote:
> > On 10/01/2010 08:07 AM, Dominick Grift wrote:
> >> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
> >>> Below happened 224 times.
> >>>
> >>> How can I fix this?
> >> I do not think samba_share_t is a type usable for filesystems. What
> >> are you trying to do and did that type end up on a filesystem object?
> >>
> > I think this problem might be related to mount & /etc/fstab:
> >
> > LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g context=system_u:object_r:samba_share_t:s0,defaults 0 0
> >
> > As before I was able to do:
> > LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g context=system_u:object_r:samba_share_t:s0 0 0
> >
> > Some recent release changed in the mount/fstab command/file
> > such that it would not allow context only definition in the mount
> > options argument in fstab and resulted in preventing ntfs filesystems
> > to be mounted at boot time, spewing out "argument required" errors
> > for each ntfs mount attempted from the /etc/fstab file. Adding
> > ',defaults' to the option along with the context argument worked,
> > except that having the 'defaults' argument also means SELinux
> > will attempt to verify/enforce SELinux context information within
> > the NTFS filesystems (which makes no sense), causing AVC denials,
> > or so I think.
> >
> > This is probably a bug, IMO.
> >
> > I would like to know if anyone has already reported this issue
> > to bugzilla, so that I can remove the ',defaults' entry from
> > fstab for NTFS mounted filesystems.
> >
> >>> ===========================================================================
> >>> Summary:
> >>>
> >>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
> >>>
> >>> Detailed Description:
> >>>
> >>> SELinux denied access requested by smbd. It is not expected that this
> >>> access is required by smbd and this access may signal an intrusion
> >>> attempt. It is also possible that the specific version or
> >>> configuration of the application is causing it to require additional
> >>> access.
> >>>
> >>> Allowing Access:
> >>>
> >>> You can generate a local policy module to allow this access - see FAQ
> >>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please
> >>> file a bug report.
> >>>
> >>> Additional Information:
> >>>
> >>> Source Context                system_u:system_r:smbd_t:s0
> >>> Target Context                system_u:object_r:samba_share_t:s0
> >>> Target Objects                None [ filesystem ]
> >>> Source                        smbd
> >>> Source Path                   /usr/sbin/smbd
> >>> Port                          <Unknown>
> >>> Host                          (removed)
> >>> Source RPM Packages           samba-3.5.5-68.fc13
> >>> Target RPM Packages
> >>> Policy RPM                    selinux-policy-3.7.19-57.fc13
> >>> Selinux Enabled               True
> >>> Policy Type                   targeted
> >>> Enforcing Mode                Enforcing
> >>> Plugin Name                   catchall
> >>> Host Name                     (removed)
> >>> Platform                      Linux host.domain.com
> >>>                               2.6.34.6-54.fc13.i686 #1 SMP
> >>>                               Sun Sep 5 17:52:31 UTC 2010 i686 i686
> >>> Alert Count                   224
> >>> First Seen                    Thu 30 Sep 2010 11:32:04 AM PDT
> >>> Last Seen                     Thu 30 Sep 2010 09:18:41 PM PDT
> >>> Local ID                      01035ab1-2396-4e92-9b1e-09645d976534
> >>> Line Numbers
> >>>
> >>> Raw Audit Messages
> >>>
> >>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
> >>> denied { quotaget } for pid=17451 comm="smbd"
> >>> scontext=system_u:system_r:smbd_t:s0
> >>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
> >>>
> >>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
> >>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
> >>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
> >>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501
> >>> tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
> >>> subj=system_u:system_r:smbd_t:s0 key=(null)
> >>>
> >>> --
> >>> selinux mailing list
> >>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Yes this is samba checking to see if quota is being enforced on the
> filesystem, and it should be allowed.
>
> Miroslav can you add
>
> allow smbd_t samba_share_t:filesystem { getattr quotaget };
>
> to F13 policy.
>
> Daniel, for now you can add this rule using audit2allow.
>

I apologize as I have a very short memory. Details please?

Can you give me a link that I can bookmark so that I can refer to
the instructions instead of asking you for instructions every time? ;)

Thanks!
Dan
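
Added example, not part of the original thread and not audit2allow's own code: a Python rendering of the step audit2allow performs on the denial quoted above, collapsing repeated AVC records into one allow rule inside a policy module source. The module name `mysmbd` and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# AVC record copied from this thread; tripled (constructed) to mimic repeated alerts.
AVC_LINE = (
    'node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc: '
    'denied { quotaget } for pid=17451 comm="smbd" '
    'scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem\n'
)
SAMPLE_AUDIT = AVC_LINE * 3

# Captures the permissions, the type field (third) of each context, and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=[^:]+:[^:]+:(?P<src>[^:\s]+)\S*\s+'
    r'tcontext=[^:]+:[^:]+:(?P<tgt>[^:\s]+)\S*\s+tclass=(?P<tclass>\w+)'
)

def collect_denials(audit_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, PATH, ...) do not match
            key = (m['src'], m['tgt'], m['tclass'])
            rules[key].update(m['perms'].split())
    return rules

def fmt_perms(perms):
    """One permission is written bare, several are wrapped in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def render_module(name, rules):
    """Render type enforcement (.te) source that allows the collected denials."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, tclass), perms in sorted(rules.items()):
        out.append(f'allow {src} {tgt}:{tclass} {fmt_perms(perms)};')
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(render_module('mysmbd', collect_denials(SAMPLE_AUDIT)), end='')
```

On a real system `audit2allow -M` builds and compiles the equivalent module from the audit log and `semodule -i` loads the resulting `.pp` file. The rule derived here covers only `quotaget`, because the `getattr` in the rule proposed in the thread does not appear in the quoted denial.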