02-12-2009, 08:41 PM
Steven Stromer

SELinux blocking Samba share mounting?

To add to my last post...

Just learned that AVC denials will be sent to /var/log/audit/audit.log rather than /var/log/messages. Here's what I'm getting:

type=AVC msg=audit(1234474415.612:15330): avc: denied { search } for pid=14702 comm="smbd" name="/" dev=dm-2 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1234474415.612:15330): arch=c000003e syscall=4 success=no exit=-13 a0=2b9f623cbeb0 a1=7fff581e3850 a2=7fff581e3850 a3=3 items=0 ppid=11661 pid=14702 auid=0 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=105 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1234474415.621:15331): avc: denied { search } for pid=14704 comm="smbd" name="/" dev=dm-2 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1234474415.621:15331): arch=c000003e syscall=4 success=no exit=-13 a0=2b9f623cbeb0 a1=7fff581e3850 a2=7fff581e3850 a3=3 items=0 ppid=11661 pid=14704 auid=0 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=105 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
02-12-2009, 09:06 PM
Steven Stromer

SELinux blocking Samba share mounting?

On Feb 12, 2009, at 4:43 PM, Daniel J Walsh wrote:



Paul Howarth wrote:

On Thu, 12 Feb 2009 14:20:34 -0500
Steven Stromer <filter@stevenstromer.com> wrote:


Hopefully posting to the right list!

I'm starting to migrate a few Fedora boxes over to the latest version
of CentOS 5 running the latest version of samba:

[~]# smbstatus
Samba version 3.0.28-1.el5_2.1


However, I am having a hard time getting SELinux to permit the
mounting of shares on the first CentOS box. Disabling SELinux permits
the shares to mount without problem:

[~]# setenforce 1
[~]# mount -t cifs //192.168.10.3/PHFiles /mnt/samba -o username=****,password=****,rw
retrying with upper case share name
mount error 6 = No such device or address
[~]# setenforce 0
[~]# mount -t cifs //192.168.10.3/PHFiles /mnt/samba -o username=****,password=****,rw
[~]# ls -la /mnt/samba/
total 8
d---rws---+ 6 samba samba 0 Feb 10 11:17 .
drwxr-xr-x 3 root root 4096 Feb 12 11:13 ..
d---rws---+ 2 technology technology 0 Feb 10 11:14 Computing
d---rws---+ 2 development development 0 Feb 10 11:17 Development
d---rws---+ 2 root public 0 Feb 10 11:16 Marketing & Design
d---rws---+ 2 root public 0 Feb 10 11:14 Public Computing
[~]# umount /mnt/samba/
[~]# setenforce 1


Installed policy version is:
selinux-policy.noarch 2.4.6-137.1.el5
selinux-policy-targeted.noarch 2.4.6-137.1.el5


The two shared directories are:

[~]# ls -laZ /home/server1/PHFiles/
d---rws---+ samba samba system_u:object_r:samba_share_t .
drwxr-xr-x root root root:object_r:user_home_dir_t ..
d---rws---+ technology technology root:object_r:samba_share_t Computing
d---rws---+ development development root:object_r:samba_share_t Development
d---rws---+ root public root:object_r:samba_share_t Marketing & Design
d---rws---+ root public root:object_r:samba_share_t Public Computing

and

[~]# ls -laZ /var/www/html
d---rwsr-x+ development development system_u:object_r:public_content_rw_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
----rwxr-x+ development development root:object_r:public_content_rw_t .DS_Store
d---rwsr-x+ development development root:object_r:public_content_rw_t private
d---rwsr-x+ development development root:object_r:public_content_rw_t public

(I am aware that my permissions seem a bit untraditional. I am
running an experiment with extended ACL configuration on samba
shares. However, I do not believe this to have any bearing on my
present problems, as I have numerous other production servers running
with these permissions under SELinux, and, again, turning SELinux off
resolves my problems instantly.)


The following has been executed with no apparent effect:
setsebool -P allow_smbd_anon_write=1


The following have been executed with no apparent effect (so these
have been turned back off):
setsebool -P smbd_disable_trans=1
setsebool -P nmbd_disable_trans=1


I've added the new contexts to file_contexts, and executed
'restorecon -R' to the two shared directories:
/home/server1/PHFiles(/.*)? -- system_u:object_r:samba_share_t
/var/www/html(/.*)? -- system_u:object_r:public_content_rw_t


setroubleshoot-server is installed, but no AVC denials are reported
to /var/log/messages. Instead, when SELinux is enforcing, I get the error:
smbd[11852]: '/home/server1/PHFiles' does not exist or permission denied when connecting to [PHFiles] Error was Permission denied


And, finally, I've rebooted. All to no avail. Any assistance would be
much appreciated!


If the audit daemon is running, the AVC denials will be
in /var/log/audit/audit.log rather than /var/log/messages.

fedora-selinux-list would probably be more appropriate for this by the
way.

Paul.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


setsebool -P use_samba_home_dirs 1



Daniel, thanks for the reply. No success. I omitted mentioning that I
had tried this, as well. However, I just confirmed again that this is
not the fix. I'm not even sure why home directories would need to be
permitted, as I am not using them. I even have [homes] commented out
in smb.conf, which I'll include for reference:



# Samba config file
[global]
# WINS
wins support = yes
local master = yes
os level = 99
domain master = yes
preferred master = yes
workgroup = 478FIRST
# NETBIOS/DNS
netbios name = server1
name resolve order = wins lmhosts hosts bcast
dns proxy = yes
# SMB/CIFS
smb ports = 139
server string = server1
# AUTHENTICATION
interfaces = eth0
security = user
passdb backend = tdbsam
encrypt passwords = yes
# LOGGING
log file = /var/log/samba/%m.log
max log size = 50
# CUPS
load printers = yes
cups options = raw

#[homes]
# comment = Home Directories
# read only = No
# browseable = No

# [printers]
# comment = All Printers
# path = /usr/spool/samba
# printable = Yes
# browseable = No

[PHFiles]
path = /home/server1/PHFiles
writable = yes
browseable = yes
available = yes
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
inherit acls = yes
inherit owner = yes
hosts allow = 127. 192.168.5.
map archive = no
map readonly = no
map acl inherit = yes

[html]
path = /var/www/html
writable = yes
browseable = yes
available = yes
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
inherit acls = yes
inherit owner = yes
hosts allow = 127. 192.168.5.
map archive = no
map readonly = no
map acl inherit = yes

 
02-13-2009, 08:19 AM
Paul Howarth

SELinux blocking Samba share mounting?

Steven Stromer wrote:


On Feb 12, 2009, at 4:43 PM, Daniel J Walsh wrote:



Paul Howarth wrote:

On Thu, 12 Feb 2009 14:20:34 -0500
Steven Stromer <filter@stevenstromer.com> wrote:


Hopefully posting to the right list!

I'm starting to migrate a few Fedora boxes over to the latest version
of CentOS 5 running the latest version of samba:

[~]# smbstatus
Samba version 3.0.28-1.el5_2.1


However, I am having a hard time getting SELinux to permit the
mounting of shares on the first CentOS box. Disabling SELinux permits
the shares to mount without problem:

[~]# setenforce 1
[~]# mount -t cifs //192.168.10.3/PHFiles /mnt/samba -o username=****,password=****,rw
retrying with upper case share name
mount error 6 = No such device or address
[~]# setenforce 0
[~]# mount -t cifs //192.168.10.3/PHFiles /mnt/samba -o username=****,password=****,rw
[~]# ls -la /mnt/samba/
total 8
d---rws---+ 6 samba samba 0 Feb 10 11:17 .
drwxr-xr-x 3 root root 4096 Feb 12 11:13 ..
d---rws---+ 2 technology technology 0 Feb 10 11:14 Computing
d---rws---+ 2 development development 0 Feb 10 11:17 Development
d---rws---+ 2 root public 0 Feb 10 11:16 Marketing & Design
d---rws---+ 2 root public 0 Feb 10 11:14 Public Computing
[~]# umount /mnt/samba/
[~]# setenforce 1


Installed policy version is:
selinux-policy.noarch 2.4.6-137.1.el5
selinux-policy-targeted.noarch 2.4.6-137.1.el5


The two shared directories are:

[~]# ls -laZ /home/server1/PHFiles/
d---rws---+ samba samba system_u:object_r:samba_share_t .
drwxr-xr-x root root root:object_r:user_home_dir_t ..
d---rws---+ technology technology root:object_r:samba_share_t Computing
d---rws---+ development development root:object_r:samba_share_t Development
d---rws---+ root public root:object_r:samba_share_t Marketing & Design
d---rws---+ root public root:object_r:samba_share_t Public Computing

and

[~]# ls -laZ /var/www/html
d---rwsr-x+ development development system_u:object_r:public_content_rw_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
----rwxr-x+ development development root:object_r:public_content_rw_t .DS_Store
d---rwsr-x+ development development root:object_r:public_content_rw_t private
d---rwsr-x+ development development root:object_r:public_content_rw_t public

(I am aware that my permissions seem a bit untraditional. I am
running an experiment with extended ACL configuration on samba
shares. However, I do not believe this to have any bearing on my
present problems, as I have numerous other production servers running
with these permissions under SELinux, and, again, turning SELinux off
resolves my problems instantly.)


The following has been executed with no apparent effect:
setsebool -P allow_smbd_anon_write=1


The following have been executed with no apparent effect (so these
have been turned back off):
setsebool -P smbd_disable_trans=1
setsebool -P nmbd_disable_trans=1


I've added the new contexts to file_contexts, and executed
'restorecon -R' to the two shared directories:
/home/server1/PHFiles(/.*)? -- system_u:object_r:samba_share_t
/var/www/html(/.*)? -- system_u:object_r:public_content_rw_t


setroubleshoot-server is installed, but no AVC denials are reported
to /var/log/messages. Instead, when SELinux is enforcing, I get the error:
smbd[11852]: '/home/server1/PHFiles' does not exist or permission denied when connecting to [PHFiles] Error was Permission denied


And, finally, I've rebooted. All to no avail. Any assistance would be
much appreciated!


If the audit daemon is running, the AVC denials will be
in /var/log/audit/audit.log rather than /var/log/messages.

fedora-selinux-list would probably be more appropriate for this by the
way.

Paul.




setsebool -P use_samba_home_dirs 1



Daniel, thanks for the reply. No success. I omitted mentioning that I
had tried this, as well. However, I just confirmed again that this is
not the fix. I'm not even sure why home directories would need to be
permitted, as I am not using them.


You have files under /home which is home_root_t, which is why you need
use_samba_home_dirs to be set - the denials you are getting are for
searching /home.


Are those the only denials you're getting, or are there others?

What's the output of:

# audit2allow < /var/log/audit/audit.log

Paul.

 
02-13-2009, 12:11 PM
Daniel J Walsh

SELinux blocking Samba share mounting?


Steven Stromer wrote:
>
> On Feb 12, 2009, at 4:43 PM, Daniel J Walsh wrote:
>
> Paul Howarth wrote:
>>>> On Thu, 12 Feb 2009 14:20:34 -0500
>>>> Steven Stromer <filter@stevenstromer.com> wrote:
>>>>
>>>>> Hopefully posting to the right list!
>>>>>
>>>>> I'm starting to migrate a few Fedora boxes over to the latest version
>>>>> of CentOS 5 running the latest version of samba:
>>>>>
>>>>> [~]# smbstatus
>>>>> Samba version 3.0.28-1.el5_2.1
>>>>>
>>>>>
>>>>> However, I am having a hard time getting SELinux to permit the
>>>>> mounting of shares on the first CentOS box. Disabling SELinux permits
>>>>> the shares to mount without problem:
>>>>>
>>>>> [~]# setenforce 1
>>>>> [~]# mount -t cifs //192.168.10.3/PHFiles /mnt/samba -o username=****,password=****,rw
>>>>> retrying with upper case share name
>>>>> mount error 6 = No such device or address
>>>>> [~]# setenforce 0
>>>>> [~]# mount -t cifs //192.168.10.3/PHFiles /mnt/samba -o username=****,password=****,rw
>>>>> [~]# ls -la /mnt/samba/
>>>>> total 8
>>>>> d---rws---+ 6 samba samba 0 Feb 10 11:17 .
>>>>> drwxr-xr-x 3 root root 4096 Feb 12 11:13 ..
>>>>> d---rws---+ 2 technology technology 0 Feb 10 11:14 Computing
>>>>> d---rws---+ 2 development development 0 Feb 10 11:17 Development
>>>>> d---rws---+ 2 root public 0 Feb 10 11:16 Marketing & Design
>>>>> d---rws---+ 2 root public 0 Feb 10 11:14 Public Computing
>>>>> [~]# umount /mnt/samba/
>>>>> [~]# setenforce 1
>>>>>
>>>>>
>>>>> Installed policy version is:
>>>>> selinux-policy.noarch 2.4.6-137.1.el5
>>>>> selinux-policy-targeted.noarch 2.4.6-137.1.el5
>>>>>
>>>>>
>>>>> The two shared directories are:
>>>>>
>>>>> [~]# ls -laZ /home/server1/PHFiles/
>>>>> d---rws---+ samba samba system_u:object_r:samba_share_t .
>>>>> drwxr-xr-x root root root:object_r:user_home_dir_t ..
>>>>> d---rws---+ technology technology root:object_r:samba_share_t Computing
>>>>> d---rws---+ development development root:object_r:samba_share_t Development
>>>>> d---rws---+ root public root:object_r:samba_share_t Marketing & Design
>>>>> d---rws---+ root public root:object_r:samba_share_t Public Computing
>>>>>
>>>>> and
>>>>>
>>>>> [~]# ls -laZ /var/www/html
>>>>> d---rwsr-x+ development development system_u:object_r:public_content_rw_t .
>>>>> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
>>>>> ----rwxr-x+ development development root:object_r:public_content_rw_t .DS_Store
>>>>> d---rwsr-x+ development development root:object_r:public_content_rw_t private
>>>>> d---rwsr-x+ development development root:object_r:public_content_rw_t public
>>>>>
>>>>> (I am aware that my permissions seem a bit untraditional. I am
>>>>> running an experiment with extended ACL configuration on samba
>>>>> shares. However, I do not believe this to have any bearing on my
>>>>> present problems, as I have numerous other production servers running
>>>>> with these permissions under SELinux, and, again, turning SELinux off
>>>>> resolves my problems instantly.)
>>>>>
>>>>>
>>>>> The following has been executed with no apparent effect:
>>>>> setsebool -P allow_smbd_anon_write=1
>>>>>
>>>>>
>>>>> The following have been executed with no apparent effect (so these
>>>>> have been turned back off):
>>>>> setsebool -P smbd_disable_trans=1
>>>>> setsebool -P nmbd_disable_trans=1
>>>>>
>>>>>
>>>>> I've added the new contexts to file_contexts, and executed
>>>>> 'restorecon -R' to the two shared directories:
>>>>> /home/server1/PHFiles(/.*)? -- system_u:object_r:samba_share_t
>>>>> /var/www/html(/.*)? -- system_u:object_r:public_content_rw_t
>>>>>
>>>>>
>>>>> setroubleshoot-server is installed, but no AVC denials are reported
>>>>> to /var/log/messages. Instead, when SELinux is enforcing, I get the error:
>>>>> smbd[11852]: '/home/server1/PHFiles' does not exist or permission denied when connecting to [PHFiles] Error was Permission denied
>>>>>
>>>>>
>>>>> And, finally, I've rebooted. All to no avail. Any assistance would be
>>>>> much appreciated!
>>>>
>>>> If the audit daemon is running, the AVC denials will be
>>>> in /var/log/audit/audit.log rather than /var/log/messages.
>>>>
>>>> fedora-selinux-list would probably be more appropriate for this by the
>>>> way.
>>>>
>>>> Paul.
>>>>
>>>>
>
> setsebool -P use_samba_home_dirs 1
>>

> Daniel, thanks for the reply. No success. I omitted mentioning that I
> had tried this, as well. However, I just confirmed again that this is
> not the fix. I'm not even sure why home directories would need to be
> permitted, as I am not using them. I even have [homes] commented out in
> smb.conf, which I'll include for reference:


> # Samba config file
> [global]
> # WINS
> wins support = yes
> local master = yes
> os level = 99
> domain master = yes
> preferred master = yes
> workgroup = 478FIRST
> # NETBIOS/DNS
> netbios name = server1
> name resolve order = wins lmhosts hosts bcast
> dns proxy = yes
> # SMB/CIFS
> smb ports = 139
> server string = server1
> # AUTHENTICATION
> interfaces = eth0
> security = user
> passdb backend = tdbsam
> encrypt passwords = yes
> # LOGGING
> log file = /var/log/samba/%m.log
> max log size = 50
> # CUPS
> load printers = yes
> cups options = raw

> #[homes]
> # comment = Home Directories
> # read only = No
> # browseable = No

> # [printers]
> # comment = All Printers
> # path = /usr/spool/samba
> # printable = Yes
> # browseable = No

> [PHFiles]
> path = /home/server1/PHFiles
> writable = yes
> browseable = yes
> available = yes
> create mask = 0660
> force create mode = 0660
> directory mask = 0770
> force directory mode = 0770
> inherit acls = yes
> inherit owner = yes
> hosts allow = 127. 192.168.5.
> map archive = no
> map readonly = no
> map acl inherit = yes

> [html]
> path = /var/www/html
> writable = yes
> browseable = yes
> available = yes
> create mask = 0660
> force create mode = 0660
> directory mask = 0770
> force directory mode = 0770
> inherit acls = yes
> inherit owner = yes
> hosts allow = 127. 192.168.5.
> map archive = no
> map readonly = no
> map acl inherit = yes

You still have not attached the avc messages from /var/log/audit/audit.log

You have these booleans to allow samba to share any dir read/only or
read/write
samba_export_all_ro --> off
samba_export_all_rw --> off

You also seem to be using public_content_rw_t, so you might want to turn on

allow_smbd_anon_write --> off

Which allows it to write to public_content_rw_t.

You could just add a custom module with
# grep smb /var/log/audit/audit.log | audit2allow -M mysmb
# semodule -i mysmb.pp

Without the audit.log we can not help you.


 
02-13-2009, 03:53 PM
Paul Howarth

SELinux blocking Samba share mounting?

Steven Stromer wrote:

What's the output of:

# audit2allow < /var/log/audit/audit.log

Paul.




Paul,

Thanks for the time! I understand what you are saying. I have set:

chcon -R -h -t home_root_t /home

so that the entire path's hierarchy will be consistent,


No no, this is wrong. home_root_t is for directories that *contain* home
directories, not the home directories and their contents themselves.


I'd do a "restorecon -RF /home" to fix that, then put back the contexts
on your share areas as you wanted them (e.g. samba_share_t or
public_content_rw_t etc.).


Better still, I'd move your shares from under /home to under /srv if
that's a possibility.


> and then:


setsebool -P use_samba_home_dirs 1

Tried connecting, but still unsuccessful, so, output of
audit2allow < /var/log/audit/audit.log is:


#============= smbd_t ==============
allow smbd_t home_root_t:dir { search getattr };
allow smbd_t httpd_sys_content_t:dir search;


Trying to mount /home/server1/PHFiles generates in
/var/log/audit/audit.log:


type=AVC msg=audit(1234540788.851:16207): avc: denied { search } for pid=26783 comm="smbd" name="/" dev=dm-2 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1234540788.851:16207): arch=c000003e syscall=4 success=no exit=-13 a0=2b119e168ff0 a1=7fff19c3c6a0 a2=7fff19c3c6a0 a3=3 items=0 ppid=17598 pid=26783 auid=0 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=122 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)


Contexts need repairing before looking at these again.


Trying to mount /var/www/html generates in /var/log/audit/audit.log:

type=AVC msg=audit(1234540890.725:16214): avc: denied { search } for pid=26785 comm="smbd" name="www" dev=dm-3 ino=6815745 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1234540890.725:16214): arch=c000003e syscall=4 success=no exit=-13 a0=2b119e168ff0 a1=7fff19c3c6a0 a2=7fff19c3c6a0 a3=3 items=0 ppid=17598 pid=26785 auid=0 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=122 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)


/var/www is supposed to be readable under httpd only, not samba, so it's
normal for these not to work. For both servers to be able to access the
files (and samba to write them), you'll need /var/www and everything
underneath it to be public_content_rw_t and to set the boolean
allow_smbd_anon_write. If you need CGI scripts rather than just static
content and built-in scripting (e.g. PHP) then you'll need a local
policy module to allow samba access using the existing httpd_* types
instead.


Paul.

 
02-13-2009, 09:30 PM
Paul Howarth

SELinux blocking Samba share mounting?

On Fri, 13 Feb 2009 16:45:41 -0500
Steven Stromer <filter@stevenstromer.com> wrote:

>
> >> Paul,
> >> Thanks for the time! I understand what you are saying. I have set:
> >> chcon -R -h -t home_root_t /home
> >> so that the entire path's hierarchy will be consistent,
> >
> > No no, this is wrong. home_root_t is for directories that
> > *contain* home directories, not the home directories and their
> > contents themselves.
> >
> > I'd do a "restorecon -RF /home" to fix that, then put back the
> > contexts on your share areas as you wanted them (e.g.
> > samba_share_t or public_content_rw_t etc.).
>
> Executed:
> restorecon -RF /home
> chcon -R -h -t samba_share_t /home/server1/PHFiles/
>
> > Better still, I'd move your shares from under /home to under /srv
> > if that's a possibility.
>
> Due to partitioning and backup schema, this would not be an ideal
> solution, if avoidable.
>
> > > and then:
> > setsebool -P use_samba_home_dirs 1
>
> Done.

Whoops, I got the wrong boolean. The one you want is
samba_enable_home_dirs, not use_samba_home_dirs. The former allows
samba to serve out home dirs, the latter allows use of home dirs
mounted from a samba server.

> >> Tried connecting, but still unsuccessful, so, output of
> >> audit2allow < /var/log/audit/audit.log is:
> >> #============= smbd_t ==============
> >> allow smbd_t home_root_t:dir { search getattr };
> >> allow smbd_t httpd_sys_content_t:dir search;
> >> Trying to mount /home/server1/PHFiles generates in /var/log/audit/
> >> audit.log:
> >> type=AVC msg=audit(1234540788.851:16207): avc: denied
> >> { search } for pid=26783 comm="smbd" name="/" dev=dm-2 ino=2
> >> scontext=root:system_r:smbd_t:s0
> >> tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> >> type=SYSCALL msg=audit(1234540788.851:16207): arch=c000003e
> >> syscall=4 success=no exit=-13 a0=2b119e168ff0 a1=7fff19c3c6a0
> >> a2=7fff19c3c6a0 a3=3 items=0 ppid=17598 pid=26783 auid=0 uid=500
> >> gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500
> >> tty=(none) ses=122 comm="smbd" exe="/usr/sbin/smbd"
> >> subj=root:system_r:smbd_t:s0 key=(null)
> >
> > Contexts need repairing before looking at these again.
>
> New output of audit2allow < /var/log/audit/audit.log is:
>
> #============= smbd_t ==============
> allow smbd_t default_t:dir search;
> allow smbd_t home_root_t:dir { search getattr };
> allow smbd_t httpd_sys_content_t:dir search;
>
>
> New /var/log/audit/audit.log output is:
>
> type=AVC msg=audit(1234559350.144:16265): avc: denied { search }
> for pid=30226 comm="smbd" name="/" dev=dm-2 ino=2
> scontext=root:system_r:smbd_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=dir
> type=SYSCALL msg=audit(1234559350.144:16265): arch=c000003e
> syscall=4 success=no exit=-13 a0=2b119e17f7d0 a1=7fff19c3c6a0
> a2=7fff19c3c6a0 a3=3 items=0 ppid=17598 pid=30226 auid=0 uid=500
> gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none)
> ses=122 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0
> key=(null) type=AVC msg=audit(1234559350.276:16266): avc: denied
> { search } for pid=30229 comm="smbd" name="/" dev=dm-2 ino=2
> scontext=root:system_r:smbd_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=dir
> type=SYSCALL msg=audit(1234559350.276:16266): arch=c000003e
> syscall=4 success=no exit=-13 a0=2b119e17f7d0 a1=7fff19c3c6a0
> a2=7fff19c3c6a0 a3=3 items=0 ppid=17598 pid=30229 auid=0 uid=500
> gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none)
> ses=122 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0
> key=(null)

The root directory of one of the filesystems mounted on your system is
labelled default_t it would seem. See if you can find it and do a
non-recursive restorecon on it.

Also try to find the audit log entry associated with the
httpd_sys_content_t AVC.

> >> Trying to mount /var/www/html generates
> >> in /var/log/audit/audit.log: type=AVC
> >> msg=audit(1234540890.725:16214): avc: denied { search } for
> >> pid=26785 comm="smbd" name="www" dev=dm-3 ino=6815745
> >> scontext=root:system_r:smbd_t:s0
> >> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
> >> type=SYSCALL msg=audit(1234540890.725:16214): arch=c000003e
> >> syscall=4 success=no exit=-13 a0=2b119e168ff0 a1=7fff19c3c6a0
> >> a2=7fff19c3c6a0 a3=3 items=0 ppid=17598 pid=26785 auid=0 uid=500
> >> gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500
> >> tty=(none) ses=122 comm="smbd" exe="/usr/sbin/smbd"
> >> subj=root:system_r:smbd_t:s0 key=(null)
> >
> > /var/www is supposed to be readable under httpd only, not samba,
> > so it's normal for these not to work. For both servers to be able
> > to access the files (and samba to write them), you'll need /var/www
> > and everything underneath it to be public_content_rw_t and to set
> > the boolean allow_smbd_anon_write.
>
>
> Success here! Thought I'd tried this previously without success
> (shrug...) However, this time the following worked a charm! Thank
> you for your patience!
>
> chcon -R -h -t public_content_rw_t /var/www
> setsebool -P allow_smbd_anon_write=1
>
> Maybe I had accidentally executed the following without realizing:
> chcon -R -h -t public_content_rw_t /var/www/html
>
> (By way of explanation, this host acts as a web site development
> environment, and having samba access to the web files makes some
> tasks, such as searching and replacing text in multiple files,
> faster and easier for some developers than via sftp or the command
> line.)
>
>
> > If you need CGI scripts rather than just static content and
> > built-in scripting (e.g. PHP) then you'll need a local policy
> > module to allow samba access using the existing httpd_* types
> > instead.
>
> Thanks. I'm aware to set .cgi, .pl, .sh and similar to
> httpd_sys_script_exec_t.

Once you've done that you'll no longer be able to access those files
using samba of course...

Paul.

>

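Every denial in this thread has the same shape (smbd_t asking to search a directory whose label it is not allowed to touch), and each target type pointed at a different fix. The Python below is an added example, not code from the thread or from any of its participants: it parses AVC records like the ones posted, folds them into the allow-rule lines audit2allow would print, and attaches the remediation each target type received here. The sample log is constructed from the records above (one getattr record is made up), and the ADVICE table and function names are this example's own assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the records posted in this thread; the
# getattr record (serial 16208) is made up to mirror audit2allow's
# "{ search getattr }" line, and the SYSCALL record is truncated.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1234540788.851:16207): avc: denied { search } for pid=26783 comm="smbd" name="/" dev=dm-2 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1234540788.851:16207): arch=c000003e syscall=4 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1234540788.852:16208): avc: denied { getattr } for pid=26783 comm="smbd" path="/home" dev=dm-2 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1234540890.725:16214): avc: denied { search } for pid=26785 comm="smbd" name="www" dev=dm-3 ino=6815745 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1234559350.144:16265): avc: denied { search } for pid=30226 comm="smbd" name="/" dev=dm-2 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1234559350.276:16266): avc: denied { search } for pid=30229 comm="smbd" name="/" dev=dm-2 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
"""

# Only 'avc: denied' records; SYSCALL and other record types are skipped.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"


def type_of(context):
    """Type field of an SELinux context (user:role:type[:range])."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial into a dict; None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": f.get("comm"),
        "object": f.get("path") or f.get("name"),
        "stype": type_of(f["scontext"]),
        "ttype": type_of(f["tcontext"]),
        "tclass": f["tclass"],
    }


def summarize(log_text):
    """Group denials by (source type, target type, class), keeping each
    permission in first-seen order, as audit2allow does."""
    summary = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        perms = summary.setdefault((rec["stype"], rec["ttype"], rec["tclass"]), [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    return summary


def render_rules(summary):
    """Render the summary in the allow-rule form audit2allow prints."""
    out = []
    for (stype, ttype, tclass), perms in summary.items():
        perm = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm))
    return out


# Remediation per target type, as worked out in this thread (assumed table).
ADVICE = {
    "home_root_t": "share lives under /home: set samba_enable_home_dirs, or "
                   "label the share samba_share_t and move it out of /home (e.g. /srv)",
    "httpd_sys_content_t": "web tree is httpd-only by default: relabel /var/www "
                           "public_content_rw_t and set allow_smbd_anon_write",
    "default_t": "unlabelled path, usually a filesystem root: find it and run a "
                 "non-recursive restorecon instead of allowing default_t",
}


def diagnose(summary):
    """Map each denied target type to its fix; unknown types are flagged
    for label review rather than turned into an allow rule."""
    return {ttype: ADVICE.get(ttype, "unexpected target type: check labels "
                                     "before writing a local policy module")
            for (_s, ttype, _c) in summary}


if __name__ == "__main__":
    s = summarize(SAMPLE_AUDIT_LOG)
    print("\n".join(render_rules(s)))
    for ttype, hint in diagnose(s).items():
        print("%s: %s" % (ttype, hint))
```

The point of the diagnose step is the one Paul makes: a rule like `allow smbd_t default_t:dir search;` is what audit2allow would happily generate, but the right fix is a label repair, not a policy module.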
 
02-14-2009, 12:29 PM
Paul Howarth

SELinux blocking Samba share mounting?

On Fri, 13 Feb 2009 18:04:29 -0500
Steven Stromer <filter@stevenstromer.com> wrote:

>
> On Feb 13, 2009, at 5:30 PM, Paul Howarth wrote:
>
> > On Fri, 13 Feb 2009 16:45:41 -0500
> > Steven Stromer <filter@stevenstromer.com> wrote:
> >
> >>
> >>>> Paul,
> >>>> Thanks for the time! I understand what you are saying. I have
> >>>> set: chcon -R -h -t home_root_t /home
> >>>> so that the entire path's hierarchy will be consistent,
> >>>
> >>> No no, this is wrong. home_root_t is for directories that
> >>> *contain* home directories, not the home directories and their
> >>> contents themselves.
> >>>
> >>> I'd do a "restorecon -RF /home" to fix that, then put back the
> >>> contexts on your share areas as you wanted them (e.g.
> >>> samba_share_t or public_content_rw_t etc.).
> >>
> >> Executed:
> >> restorecon -RF /home
> >> chcon -R -h -t samba_share_t /home/server1/PHFiles/
> >>
> >>> Better still, I'd move your shares from under /home to under /srv
> >>> if that's a possibility.
> >>
> >> Due to partitioning and backup schema, this would not be an ideal
> >> solution, if avoidable.
> >>
> >>>> and then:
> >>> setsebool -P use_samba_home_dirs 1
> >>
> >> Done.
> >
> > Whoops, I got the wrong boolean. The one you want is
> > samba_enable_home_dirs, not use_samba_home_dirs. The former allows
> > samba to serve out home dirs, the latter allows use of home dirs
> > mounted from a samba server.
> >
> >>>> Tried connecting, but still unsuccessful, so, output of
> >>>> audit2allow < /var/log/audit/audit.log is:
> >>>> #============= smbd_t ==============
> >>>> allow smbd_t home_root_t:dir { search getattr };
> >>>> allow smbd_t httpd_sys_content_t:dir search;
> >>>> Trying to mount /home/server1/PHFiles generates
> >>>> in /var/log/audit/ audit.log:
> >>>> type=AVC msg=audit(1234540788.851:16207): avc: denied
> >>>> { search } for pid=26783 comm="smbd" name="/" dev=dm-2 ino=2
> >>>> scontext=root:system_r:smbd_t:s0
> >>>> tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> >>>> type=SYSCALL msg=audit(1234540788.851:16207): arch=c000003e
> >>>> syscall=4 success=no exit=-13 a0=2b119e168ff0 a1=7fff19c3c6a0
> >>>> a2=7fff19c3c6a0 a3=3 items=0 ppid=17598 pid=26783 auid=0 uid=500
> >>>> gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500
> >>>> tty=(none) ses=122 comm="smbd" exe="/usr/sbin/smbd"
> >>>> subj=root:system_r:smbd_t:s0 key=(null)
> >>>
> >>> Contexts need repairing before looking at these again.
> >>
> >> New output of audit2allow < /var/log/audit/audit.log is:
> >>
> >> #============= smbd_t ==============
> >> allow smbd_t default_t:dir search;
> >> allow smbd_t home_root_t:dir { search getattr };
> >> allow smbd_t httpd_sys_content_t:dir search;
> >>
> >>
> >> New /var/log/audit/audit.log output is:
> >>
> >> type=AVC msg=audit(1234559350.144:16265): avc: denied { search }
> >> for pid=30226 comm="smbd" name="/" dev=dm-2 ino=2
> >> scontext=root:system_r:smbd_t:s0
> >> tcontext=system_u:object_r:default_t:s0 tclass=dir
> >> type=SYSCALL msg=audit(1234559350.144:16265): arch=c000003e
> >> syscall=4 success=no exit=-13 a0=2b119e17f7d0 a1=7fff19c3c6a0
> >> a2=7fff19c3c6a0 a3=3 items=0 ppid=17598 pid=30226 auid=0 uid=500
> >> gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500
> >> tty=(none) ses=122 comm="smbd" exe="/usr/sbin/smbd"
> >> subj=root:system_r:smbd_t:s0 key=(null) type=AVC
> >> msg=audit(1234559350.276:16266): avc: denied { search } for
> >> pid=30229 comm="smbd" name="/" dev=dm-2 ino=2
> >> scontext=root:system_r:smbd_t:s0
> >> tcontext=system_u:object_r:default_t:s0 tclass=dir type=SYSCALL
> >> msg=audit(1234559350.276:16266): arch=c000003e syscall=4
> >> success=no exit=-13 a0=2b119e17f7d0 a1=7fff19c3c6a0
> >> a2=7fff19c3c6a0 a3=3 items=0 ppid=17598 pid=30229 auid=0 uid=500
> >> gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500
> >> tty=(none) ses=122 comm="smbd" exe="/usr/sbin/smbd"
> >> subj=root:system_r:smbd_t:s0 key=(null)
> >
> > The root directory of one of the filesystems mounted on your system
> > is labelled default_t it would seem. See if you can find it and do a
> > non-recursive restorecon on it.
> >
> > Also try to find the audit log entry associated with the
> > httpd_sys_content_t AVC.
>
>
> Paul, You are the man.
>
> /home was labelled default_t. Changing its label (non-recursively)
> to user_home_dir_t set everything right! I won't even ask how or why
> it 'defaulted' to default_t in the first place. If you've got the
> chance to explain, I'm always ready for a lesson, but, for the
> moment, I am more than pleased to be up and running. Thank you for
> the expert assistance!

I'm at a loss to explain how /home became default_t given that you very
recently did a "restorecon -RF /home" (cited above). Good to hear
everything's working now though.

Paul.

 
