Samba AVC

Hi,

This is CentOS 5.3 fully updated.

I'm getting the following error from setroubleshoot

SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old (samba_log_t).

when samba tries to rotate the log files.

Running sealert I get the following ( edited )

Summary:

SELinux is preventing samba (smbd) "unlink" to ./log.cs244-24.old (samba_log_t).

Detailed Description:

SELinux denied samba access to ./log.cs244-24.old. If you want to share this
directory with samba it has to have a file context label of samba_share_t. If
^^^^^^^^^^^^^
you did not intend to use ./log.cs244-24.old as a samba repository it could
indicate either a bug or it could signal a intrusion attempt.

Allowing Access:

You can alter the file context by executing chcon -R -t samba_share_t './log.cs244-24.old'
You must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t samba_share_t './log.cs244-24.old'"

The following command will allow this access:

chcon -R -t samba_share_t './log.cs244-24.old'

Additional Information:

Source Context                root:system_r:smbd_t
Target Context                root:object_r:samba_log_t
Target Objects                ./log.cs244-24.old [ file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          janus.x.y.z
Source RPM Packages           samba-3.0.33-3.7.el5_3.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   samba_share
Host Name                     janus.x.y.z
Platform                      Linux janus.x.y.z 2.6.18-128.7.1.el5 #1 SMP Mon Aug 24 08:21:56 EDT 2009 x86_64 x86_64
Alert Count                   53
First Seen                    Fri Sep 25 15:54:24 2009
Last Seen                     Tue Sep 29 15:55:25 2009
Local ID                      e4426abc-3b0b-4df2-a380-3f0fba344c63
Line Numbers

Raw Audit Messages

host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file

host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641): arch=c000003e syscall=82 success=no exit=-13 a0=2b1b457b5220 a1=7fffa9a7ba90 a2=1f a3=0 items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1675 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

log.cs244-24.old is a file, not a directory, and it's located in the /var/log/samba directory with permissions system_u:object_r:samba_log_t samba

Any ideas,

Tony

--
Dept. of Comp. Sci.
University of Limerick.

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Re: Samba AVC

On Wed, Sep 30, 2009 at 10:15:14AM +0100, Tony Molloy wrote:
> Hi,
>
> This is CentOS 5.3 fully updated.
>
> I'm getting the following error from setroubleshoot
>
> SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old
> (samba_log_t).
>
> when samba tries to rotate the log files.
>
> Running sealert I get the following ( edited )
>
> [...]
>
> Raw Audit Messages
>
> host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied {
> unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5
> ino=164076 scontext=root:system_r:smbd_t:s0
> tcontext=root:object_r:samba_log_t:s0 tclass=file
>
> host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641): arch=c000003e
> syscall=82 success=no exit=-13 a0=2b1b457b5220 a1=7fffa9a7ba90 a2=1f a3=0
> items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=1675 comm="smbd" exe="/usr/sbin/smbd"
> subj=root:system_r:smbd_t:s0 key=(null)
>
> log.cs244-24.old is a file, not a directory, and it's located in
> the /var/log/samba directory with permissions
> system_u:object_r:samba_log_t samba
>
> Any ideas,

Looks like a valid bug in selinux-policy to me:

echo 'avc: denied { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file' | audit2allow -M mysmbd; /usr/sbin/semodule -i mysmbd.pp

Should grant this particular access vector.

> Tony
Re: Samba AVC

On Wednesday 30 September 2009 12:18:17 Dominick Grift wrote:
> On Wed, Sep 30, 2009 at 10:15:14AM +0100, Tony Molloy wrote:
> > Hi,
> >
> > This is CentOS 5.3 fully updated.
> >
> > I'm getting the following error from setroubleshoot
> >
> > SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old
> > (samba_log_t).
> >
> > when samba tries to rotate the log files.
> >
> > [...]
> >
> > Any ideas,
>
> Looks like a valid bug in selinux-policy to me:
>
> echo 'avc: denied { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file' | audit2allow -M mysmbd; /usr/sbin/semodule -i mysmbd.pp
>
> Should grant this particular access vector.
>

Thanks, I generated a local policy to allow it.

Regards,

Tony

--
Dept. of Comp. Sci.
University of Limerick.
Re: Samba AVC

On Wed, Sep 30, 2009 at 2:17 PM, Tony Molloy <tony.molloy@...> wrote:
> Thanks, I generated a local policy to allow it.

Originally, what is the result of this? On my system:

sesearch -s smbd_t -c file --allow | grep samba_log_t
allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow smbd_t samba_log_t : file { ioctl read getattr lock };
allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };

Because I have no problem, and in fact unlink is allowed.

Are you sure you have selinux-policy-targeted installed?

Regards
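As an added example (not code from the thread), this Python script does by hand what Dominick's audit2allow pipeline and yersinia's sesearch check do: it parses Tony's AVC record, builds the allow rule a local module would carry, and reports which denied permissions the loaded policy (here yersinia's sesearch output) does not already grant, so a denial of a permission the policy already allows stands out as a policy or labeling mismatch rather than something to patch over with a module.

```python
import re

# AVC record from Tony's report (copied from the thread above).
AVC_LINE = ('host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied '
            '{ unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 '
            'ino=164076 scontext=root:system_r:smbd_t:s0 '
            'tcontext=root:object_r:samba_log_t:s0 tclass=file')

# sesearch output yersinia posted from a system where the access is allowed.
SESEARCH_OUT = """\
allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow smbd_t samba_log_t : file { ioctl read getattr lock };
"""

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                     r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')
_ALLOW_RE = re.compile(r'allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{\s*([^}]+?)\s*\}\s*;')


def parse_avc(line):
    """Return (source type, target type, class, denied permissions) from an AVC record.
    The type is the third field of a user:role:type:level security context."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial record')
    stype = m.group('sctx').split(':')[2]
    ttype = m.group('tctx').split(':')[2]
    return stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())


def allow_rule(line):
    """The allow rule a local module generated from this denial would carry."""
    stype, ttype, tclass, perms = parse_avc(line)
    return 'allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(perms)))


def parse_sesearch(text):
    """Union of permissions per (source, target, class) from sesearch --allow output."""
    granted = {}
    for src, tgt, cls, perms in _ALLOW_RE.findall(text):
        granted.setdefault((src, tgt, cls), set()).update(perms.split())
    return granted


def missing_perms(avc_line, sesearch_text):
    """Denied permissions the loaded policy does not grant. An empty result means
    the policy already allows the access, so the denial points at a mismatch."""
    stype, ttype, tclass, perms = parse_avc(avc_line)
    granted = parse_sesearch(sesearch_text).get((stype, ttype, tclass), set())
    return perms - granted
```

Run `missing_perms(AVC_LINE, SESEARCH_OUT)` against your own `sesearch -s smbd_t -c file --allow` output; an empty set with the denial still occurring is the situation this thread ends in, where the fix was the updated selinux-policy rather than a local module.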
Re: Samba AVC

On 09/30/2009 08:37 AM, yersinia wrote:
> On Wed, Sep 30, 2009 at 2:17 PM, Tony Molloy <tony.molloy@...> wrote:
>> On Wednesday 30 September 2009 12:18:17 Dominick Grift wrote:
>>> On Wed, Sep 30, 2009 at 10:15:14AM +0100, Tony Molloy wrote:
>>>> [...]
>>>>
>>>> Any ideas,
>>>
>>> Looks like a valid bug in selinux-policy to me:
>>>
>>> [...]
>>>
>>> Should grant this particular access vector.
>>>
>>
>> Thanks, I generated a local policy to allow it.
>>
> Originally, what is the result of this? On my system:
>
> sesearch -s smbd_t -c file --allow | grep samba_log_t
> allow smbd_t samba_log_t : file { ioctl read write create getattr setattr
> lock append unlink link rename };
> allow smbd_t samba_log_t : file { ioctl read getattr lock };
> allow smbd_t samba_log_t : file { ioctl read write create getattr setattr
> lock append unlink link rename };
>
> Because I have no problem, and in fact unlink is allowed.
>
> Are you sure you have selinux-policy-targeted installed?
>
> Regards

This is definitely fixed in 5.4 policy.

5.5 policy is now previewing at http://people.redhat.com/dwalsh/SELinux/RHEL5
Re: Samba AVC

On Wednesday 30 September 2009 18:32:21 Daniel J Walsh wrote:
> This is definitely fixed in 5.4 policy.
>
> 5.5 policy is now previewing at
> http://people.redhat.com/dwalsh/SELinux/RHEL5

Thanks Daniel, as I said I generated a local policy so the messages are no longer clogging up the logs. I'll have a look at the latest policy.

Regards,

Tony

--
Dept. of Comp. Sci.
University of Limerick.