On 10/01/2010 08:46 AM, Daniel J Walsh wrote:
> On 10/01/2010 11:41 AM, Daniel B. Thurman wrote:
> > On 10/01/2010 08:38 AM, Daniel J Walsh wrote:
> >> On 10/01/2010 11:32 AM, Daniel B. Thurman wrote:
> >>> On 10/01/2010 08:07 AM, Dominick Grift wrote:
> >>>> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
> >>>>> Below happened 224 times.
> >>>>>
> >>>>> How can I fix this?
> >>>>
> >>>> I do not think samba_share_t is a type usable for filesystems. What
> >>>> are you trying to do and did that type end up on a filesystem object?
> >>>>
> >>> I think this problem might be related to mount & /etc/fstab:
> >>>
> >>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
> >>> context=system_u:object_r:samba_share_t:s0,defaults 0 0
> >>>
> >>> As before I was able to do:
> >>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
> >>> context=system_u:object_r:samba_share_t:s0 0 0
> >>>
> >>> Some recent release changed in the mount/fstab command/file
> >>> such that it would not allow context only definition in the mount
> >>> options argument in fstab and resulted preventing ntfs filesystems
> >>> to be mounted at boot time, spewing out "argument required" errors
> >>> for each ntfs mount attempted from the /etc/fstab file. Adding
> >>> ',defaults' to the option along with the context argument worked,
> >>> except that having the 'defaults' argument also means SELinux
> >>> will attempt to verify/enforce SELinux context information within
> >>> the NTFS filesystems (which makes no sense), causing AVC denials,
> >>> or so I think.
> >>>
> >>> This is probably a bug, IMO.
> >>>
> >>> I would like to know if anyone has already reported this issue
> >>> to bugzilla, so that I can remove the ',defaults' entry from
> >>> fstab for NTFS mounted filesystems.
> >>>
> >>>>> ===========================================================================
> >>>>> Summary:
> >>>>>
> >>>>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
> >>>>>
> >>>>> Detailed Description:
> >>>>>
> >>>>> SELinux denied access requested by smbd. It is not expected that this
> >>>>> access is required by smbd and this access may signal an intrusion attempt.
> >>>>> It is also possible that the specific version or configuration of the
> >>>>> application is causing it to require additional access.
> >>>>>
> >>>>> Allowing Access:
> >>>>>
> >>>>> You can generate a local policy module to allow this access - see FAQ
> >>>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> >>>>> report.
> >>>>>
> >>>>> Additional Information:
> >>>>>
> >>>>> Source Context                system_u:system_r:smbd_t:s0
> >>>>> Target Context                system_u:object_r:samba_share_t:s0
> >>>>> Target Objects                None [ filesystem ]
> >>>>> Source                        smbd
> >>>>> Source Path                   /usr/sbin/smbd
> >>>>> Port                          <Unknown>
> >>>>> Host                          (removed)
> >>>>> Source RPM Packages           samba-3.5.5-68.fc13
> >>>>> Target RPM Packages
> >>>>> Policy RPM                    selinux-policy-3.7.19-57.fc13
> >>>>> Selinux Enabled               True
> >>>>> Policy Type                   targeted
> >>>>> Enforcing Mode                Enforcing
> >>>>> Plugin Name                   catchall
> >>>>> Host Name                     (removed)
> >>>>> Platform                      Linux host.domain.com 2.6.34.6-54.fc13.i686 #1 SMP
> >>>>>                               Sun Sep 5 17:52:31 UTC 2010 i686 i686
> >>>>> Alert Count                   224
> >>>>> First Seen                    Thu 30 Sep 2010 11:32:04 AM PDT
> >>>>> Last Seen                     Thu 30 Sep 2010 09:18:41 PM PDT
> >>>>> Local ID                      01035ab1-2396-4e92-9b1e-09645d976534
> >>>>> Line Numbers
> >>>>>
> >>>>> Raw Audit Messages
> >>>>>
> >>>>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
> >>>>> denied { quotaget } for pid=17451 comm="smbd"
> >>>>> scontext=system_u:system_r:smbd_t:s0
> >>>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
> >>>>>
> >>>>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
> >>>>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
> >>>>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
> >>>>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
> >>>>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
> >>>>> subj=system_u:system_r:smbd_t:s0 key=(null)
> >>>>>
> >>>>> --
> >>>>> selinux mailing list
> >>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>
> >> Yes this is samba checking to see if quota is being enforced on the
> >> filesystem, And it should be allowed.
> >>
> >> Miroslav can you add
> >>
> >> allow smbd_t samba_share_t:filesystem { getattr quotaget };
> >>
> >> To F13 policy.
> >>
> >> Daniel, for now you can add this rule using audit2allow.
> >>
> > I apologize as I have a very short memory, Details please?
> >
> > Can you give me a link that I can bookmark so that I can
> > refer to the instructions instead of asking you for instructions
> > every time? ;)
> >
> > Thanks!
> > Dan
> >
> I am working on a new version of setroubleshoot which will print a
> message like.
>
> sealert -a /tmp/t
> 100% donefound 1 alerts in /tmp/t
> --------------------------------------------------------------------------------
>
> SELinux is preventing smbd from quotaget access on the filesystem port
> None.
>
> Plugin catchall (100% confidence) suggests:
>
> If you want to allow smbd to have quotaget access on the port None
> filesystem by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep smbd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context                system_u:system_r:smbd_t:s0
> Target Context                system_u:object_r:samba_share_t:s0
> Target Objects                port None [ filesystem ]
> Source                        smbd
> Source Path                   smbd
> Port                          <Unknown>
> Host                          <Unknown>
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.9.5-7.fc15
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.36-0.28.rc6.git0.fc15.x86_64 #1 SMP
>                               Wed Sep 29 01:47:32 UTC 2010 x86_64 x86_64
> Alert Count                   1
> First Seen                    Fri Oct 1 00:18:41 2010
> Last Seen                     Fri Oct 1 00:18:41 2010
> Local ID                      e823b86e-f5a3-4b4f-b8fd-021400546def
>
> Raw Audit Messages
> type=AVC msg=audit(1285906721.444:102672): avc: denied { quotaget }
> for pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
> node=host.domain.com
>
> smbd,smbd_t,samba_share_t,filesystem,quotaget
>
> #============= smbd_t ==============
> allow smbd_t samba_share_t:filesystem quotaget;
>
> Needs some work, but you get the idea.

Whoa! I discovered that I can now remove the ',defaults' entry from the
NTFS mount filesystems in /etc/fstab! Seems this has been fixed somewhere
in the recent updates!

I have tested this out and it works, so no more option 'Argument required'
error reports at boot time, and it does not seem to need a ',defaults'
entry in the options line and it works using /bin/mount command!

But I tested this AFTER I did the smbd policy steps as given above, so I
hope this change is not related and is independent. Well, whatever, it
works, so I am happy.
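The thread shows the raw AVC record and the `allow smbd_t samba_share_t:filesystem quotaget;` rule that audit2allow derives from it. The following is an added example, not code from the thread, setroubleshoot or audit2allow: a minimal re-implementation of that derivation that parses AVC lines, ignores the accompanying SYSCALL records, and merges permissions per (source type, target type, class) so that a second denial for `getattr` yields the `{ getattr quotaget }` form Dan Walsh proposed. The sample log is constructed; the first AVC line mirrors the one quoted above.

```python
import re
from collections import defaultdict

# Constructed sample audit records. The first AVC line mirrors the denial
# quoted in the thread; the SYSCALL record and the second AVC line are added
# to exercise filtering and permission merging. Real input would come from
# /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc: denied { quotaget } for pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672): arch=40000003 syscall=131 success=no exit=-13 items=0 ppid=2144 pid=17451 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
node=host.domain.com type=AVC msg=audit(1285906730.100:102680): avc: denied { getattr } for pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
"""

# Only AVC records carry a denial; the permission set sits between the braces.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field (third component) of user:role:type[:range]."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, class, {perms}) for every AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL and other record types are skipped
            continue
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))

def allow_rules(log_text):
    """Merge denials into TE allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Feeding only the first sample line reproduces the single-permission rule shown in the thread; the full sample produces the merged `{ getattr quotaget }` rule.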