On 10/01/2010 11:41 AM, Daniel B. Thurman wrote:
> On 10/01/2010 08:38 AM, Daniel J Walsh wrote:
>> On 10/01/2010 11:32 AM, Daniel B. Thurman wrote:
>>> On 10/01/2010 08:07 AM, Dominick Grift wrote:
>>>> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
>>>>> Below happened 224 times.
>>>>>
>>>>> How can I fix this?
>>>> I do not think samba_share_t is a type usable for filesystems. What
>>>> are you trying to do and did that type end up on a filesystem object?
>>>>
>>> I think this problem might be related to mount & /etc/fstab:
>>
>>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
>>> context=system_u:object_r:samba_share_t:s0,defaults 0 0
>>
>>> As before I was able to do:
>>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
>>> context=system_u:object_r:samba_share_t:s0 0 0
>>
>>> Some recent release changed the mount/fstab command/file
>>> such that it would not allow a context-only definition in the mount
>>> options argument in fstab, which resulted in preventing ntfs filesystems
>>> from being mounted at boot time, spewing out "argument required" errors
>>> for each ntfs mount attempted from the /etc/fstab file. Adding
>>> ',defaults' to the option along with the context argument worked,
>>> except that having the 'defaults' argument also means SELinux
>>> will attempt to verify/enforce SELinux context information within
>>> the NTFS filesystems (which makes no sense), causing AVC denials,
>>> or so I think.
>>
>>> This is probably a bug, IMO.
>>
>>> I would like to know if anyone has already reported this issue
>>> to bugzilla, so that I can remove the ',defaults' entry from
>>> fstab for NTFS mounted filesystems.
>>
>>>>> ===========================================================================
>>>>> Summary:
>>>>>
>>>>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
>>>>>
>>>>> Detailed Description:
>>>>>
>>>>> SELinux denied access requested by smbd. It is not expected that this
>>>>> access is required by smbd and this access may signal an intrusion
>>>>> attempt. It is also possible that the specific version or
>>>>> configuration of the application is causing it to require additional
>>>>> access.
>>>>>
>>>>> Allowing Access:
>>>>>
>>>>> You can generate a local policy module to allow this access - see FAQ
>>>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please
>>>>> file a bug report.
>>>>>
>>>>> Additional Information:
>>>>>
>>>>> Source Context                system_u:system_r:smbd_t:s0
>>>>> Target Context                system_u:object_r:samba_share_t:s0
>>>>> Target Objects                None [ filesystem ]
>>>>> Source                        smbd
>>>>> Source Path                   /usr/sbin/smbd
>>>>> Port                          <Unknown>
>>>>> Host                          (removed)
>>>>> Source RPM Packages           samba-3.5.5-68.fc13
>>>>> Target RPM Packages
>>>>> Policy RPM                    selinux-policy-3.7.19-57.fc13
>>>>> Selinux Enabled               True
>>>>> Policy Type                   targeted
>>>>> Enforcing Mode                Enforcing
>>>>> Plugin Name                   catchall
>>>>> Host Name                     (removed)
>>>>> Platform                      Linux host.domain.com
>>>>>                               2.6.34.6-54.fc13.i686 #1 SMP
>>>>>                               Sun Sep 5 17:52:31 UTC 2010 i686 i686
>>>>> Alert Count                   224
>>>>> First Seen                    Thu 30 Sep 2010 11:32:04 AM PDT
>>>>> Last Seen                     Thu 30 Sep 2010 09:18:41 PM PDT
>>>>> Local ID                      01035ab1-2396-4e92-9b1e-09645d976534
>>>>> Line Numbers
>>>>>
>>>>> Raw Audit Messages
>>>>>
>>>>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
>>>>> denied { quotaget } for pid=17451 comm="smbd"
>>>>> scontext=system_u:system_r:smbd_t:s0
>>>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
>>>>>
>>>>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
>>>>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
>>>>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
>>>>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
>>>>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
>>>>> subj=system_u:system_r:smbd_t:s0 key=(null)
>>>>>
>>>>>
>>>>> --
>>>>> selinux mailing list
>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> Yes, this is samba checking to see if quota is being enforced on the
>> filesystem, and it should be allowed.
>>
>> Miroslav can you add
>>
>> allow smbd_t samba_share_t:filesystem { getattr quotaget };
>>
>> To F13 policy.
>>
>> Daniel, for now you can add this rule using audit2allow.
>>
> I apologize as I have a very short memory. Details please?
>
> Can you give me a link that I can bookmark so that I can
> refer to the instructions instead of asking you for instructions
> every time? ;)
>
> Thanks!
> Dan
>

I am working on a new version of setroubleshoot which will print a message like:

sealert -a /tmp/t
100% done
found 1 alerts in /tmp/t
--------------------------------------------------------------------------------

SELinux is preventing smbd from quotaget access on the filesystem port None.

Plugin catchall (100% confidence) suggests:

If you want to allow smbd to have quotaget access on the port None filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep smbd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                port None [ filesystem ]
Source                        smbd
Source Path                   smbd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.36-0.28.rc6.git0.fc15.x86_64 #1 SMP
                              Wed Sep 29 01:47:32 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri Oct 1 00:18:41 2010
Last Seen                     Fri Oct 1 00:18:41 2010
Local ID                      e823b86e-f5a3-4b4f-b8fd-021400546def

Raw Audit Messages
type=AVC msg=audit(1285906721.444:102672): avc: denied { quotaget } for pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem node=host.domain.com

smbd,smbd_t,samba_share_t,filesystem,quotaget

#============= smbd_t ==============
allow smbd_t samba_share_t:filesystem quotaget;

Needs some work, but you get the idea.
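As an added illustration, not code from the thread or from setroubleshoot/audit2allow, the following script reproduces the rule-generation step in miniature: it parses raw AVC records like the ones quoted above, merges the denied permissions per (source type, target type, object class), and prints the allow rule in the same layout as the audit2allow output shown. The SYSCALL record is skipped, and a constructed getattr denial is included so the merged rule equals the one proposed for F13 policy; the regex and helper names are assumptions of this example.

```python
import re
from collections import defaultdict
# Matches the AVC record format shown in the thread. SYSCALL records (and the
# leading node=... field) carry no denial of their own and are skipped.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """user:role:type[:level] -> type (the MLS level may itself contain ':')."""
    return ctx.split(":", 3)[2]

def parse_avc(line):
    """Return ((source type, target type, class), {denied perms}) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    key = (context_type(m.group("scontext")), context_type(m.group("tcontext")), m.group("tclass"))
    return key, set(m.group("perms").split())

def collect_rules(lines):
    """Merge every denial into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for parsed in filter(None, map(parse_avc, lines)):
        key, perms = parsed
        rules[key] |= perms
    return dict(rules)

def render_rule(stype, ttype, tclass, perms):
    """One TE allow rule; braces only when more than one permission is granted."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"

def render_module(rules):
    """Group rules under a per-source-type banner, the way audit2allow prints them."""
    out = []
    for stype in sorted({s for s, _, _ in rules}):
        out.append(f"#============= {stype} ==============")
        out += [render_rule(s, t, c, p) for (s, t, c), p in sorted(rules.items()) if s == stype]
    return "\n".join(out)

# Constructed sample: the two records quoted in the thread plus one invented getattr denial.
SAMPLE_LOG = [
    'node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc: denied { quotaget } for pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem',
    'node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672): arch=40000003 syscall=131 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)',
    'type=AVC msg=audit(1285906721.500:102673): avc: denied { getattr } for pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem',
]
```

Running `print(render_module(collect_rules(SAMPLE_LOG)))` yields a single smbd_t section with `allow smbd_t samba_share_t:filesystem { getattr quotaget };`; a generated rule still needs the same review the thread gives it (is the access legitimate, or does the type belong on that object at all) before it is loaded with semodule.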