On 10/01/2010 05:38 PM, Daniel J Walsh wrote:
> On 10/01/2010 11:32 AM, Daniel B. Thurman wrote:
>> On 10/01/2010 08:07 AM, Dominick Grift wrote:
>>> On Fri, Oct 01, 2010 at 07:30:38AM -0700, Dan Thurman wrote:
>>>> Below happened 224 times.
>>>>
>>>> How can I fix this?
>>> I do not think samba_share_t is a type usable for filesystems. What are you trying to do and did that type end up on a filesystem object?
>>>
>> I think this problem might be related to mount & /etc/fstab:
>>
>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
>> context=system_u:object_r:samba_share_t:s0,defaults 0 0
>>
>> As before I was able to do:
>> LABEL=Ap1WD1 /md/Ap1WD1 ntfs-3g
>> context=system_u:object_r:samba_share_t:s0 0 0
>>
>> Some recent release changed in the mount/fstab command/file
>> such that it would not allow context only definition in the mount
>> options argument in fstab and resulted preventing ntfs filesystems
>> to be mounted at boot time, spewing out "argument required" errors
>> for each ntfs mount attempted from the /etc/fstab file. Adding
>> ',defaults' to the option along with the context argument worked,
>> except that having the 'defaults' argument also means SELinux
>> will attempt to verify/enforce SELinux context information within
>> the NTFS filesystems (which makes no sense), causing AVC denials,
>> or so I think.
>>
>> This is probably a bug, IMO.
>>
>> I would like to know if anyone has already reported this issue
>> to bugzilla, so that I can remove the ',defaults' entry from
>> fstab for NTFS mounted filesystems.
>>
>>>> ===========================================================================
>>>> Summary:
>>>>
>>>> SELinux is preventing /usr/sbin/smbd "quotaget" access .
>>>>
>>>> Detailed Description:
>>>>
>>>> SELinux denied access requested by smbd. It is not expected that this
>>>> access is required by smbd and this access may signal an intrusion
>>>> attempt. It is also possible that the specific version or configuration
>>>> of the application is causing it to require additional access.
>>>>
>>>> Allowing Access:
>>>>
>>>> You can generate a local policy module to allow this access - see FAQ
>>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
>>>> report.
>>>>
>>>> Additional Information:
>>>>
>>>> Source Context                system_u:system_r:smbd_t:s0
>>>> Target Context                system_u:object_r:samba_share_t:s0
>>>> Target Objects                None [ filesystem ]
>>>> Source                        smbd
>>>> Source Path                   /usr/sbin/smbd
>>>> Port                          <Unknown>
>>>> Host                          (removed)
>>>> Source RPM Packages           samba-3.5.5-68.fc13
>>>> Target RPM Packages
>>>> Policy RPM                    selinux-policy-3.7.19-57.fc13
>>>> Selinux Enabled               True
>>>> Policy Type                   targeted
>>>> Enforcing Mode                Enforcing
>>>> Plugin Name                   catchall
>>>> Host Name                     (removed)
>>>> Platform                      Linux host.domain.com
>>>>                               2.6.34.6-54.fc13.i686 #1 SMP
>>>>                               Sun Sep 5 17:52:31 UTC 2010 i686 i686
>>>> Alert Count                   224
>>>> First Seen                    Thu 30 Sep 2010 11:32:04 AM PDT
>>>> Last Seen                     Thu 30 Sep 2010 09:18:41 PM PDT
>>>> Local ID                      01035ab1-2396-4e92-9b1e-09645d976534
>>>> Line Numbers
>>>>
>>>> Raw Audit Messages
>>>>
>>>> node=host.domain.com type=AVC msg=audit(1285906721.444:102672): avc:
>>>> denied { quotaget } for pid=17451 comm="smbd"
>>>> scontext=system_u:system_r:smbd_t:s0
>>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
>>>>
>>>> node=host.domain.com type=SYSCALL msg=audit(1285906721.444:102672):
>>>> arch=40000003 syscall=131 success=no exit=-13 a0=80000701 a1=1282200
>>>> a2=1f5 a3=bfdb5d7c items=0 ppid=2144 pid=17451 auid=4294967295 uid=0
>>>> gid=0 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none)
>>>> ses=4294967295 comm="smbd" exe="/usr/sbin/smbd"
>>>> subj=system_u:system_r:smbd_t:s0 key=(null)
>>>>
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
> Yes this is samba checking to see if quota is being enforced on the
> filesystem, and it should be allowed.
>
>
> Miroslav can you add
>
> allow smbd_t samba_share_t:filesystem { getattr quotaget };
>
> To F13 policy.

Added to selinux-policy-3.7.19-64.fc13.noarch.

> Daniel, for now you can add this rule using audit2allow.
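
As an added example (not part of the thread, and not audit2allow's own code), the Python below shows how AVC denials like the one quoted above map onto the `allow` rule requested for the F13 policy: it takes the type field from `scontext` and `tcontext`, groups by object class, and merges the denied permissions. The function names are hypothetical, and the second (getattr) record in the sample is constructed for illustration.

```python
import re
from collections import defaultdict

# First record: the quotaget denial quoted in the thread (rejoined to one line).
# Second record: a constructed getattr denial, so there is something to merge.
# Third record: the matching SYSCALL record, which must be skipped.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1285906721.444:102672): avc:  denied  { quotaget } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
type=AVC msg=audit(1285906722.101:102673): avc:  denied  { getattr } for  pid=17451 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1285906721.444:102672): arch=40000003 syscall=131 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed security context: {context!r}')
    return parts[2]

def denials_to_rules(log_text):
    """Merge AVC denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        if 'type=AVC' not in line:
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if not m:
            continue  # e.g. "granted" records or truncated lines
        key = (context_type(m['scon']), context_type(m['tcon']), m['tclass'])
        merged[key].update(m['perms'].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        names = ' '.join(sorted(perms))
        body = f'{{ {names} }}' if len(perms) > 1 else names
        rules.append(f'allow {src} {tgt}:{tclass} {body};')
    return rules

if __name__ == '__main__':
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Reading the merged rules before loading any local module shows exactly which domain gains which permission on which class, which is the check to make on audit2allow output as well.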