Linux Archive > Redhat > Fedora SELinux Support
02-22-2009, 09:38 AM
Per Sjoholm

samba nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t)

On CentOS 5.2
The server is answering on different netbios names.
SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t)
In smb.conf the include files are in 2 halves. One for global config and one for shares/aliases.
I have include = /etc/samba/smb.%L.alias to get different shares/aliases depending on the netbios name.
The alias contains
[name]
...
[name2]
...

I link asen20 to ASEN20 to allow the netbios name
# ls -Z /etc/samba/smb*
-r--r--r-- root root root:object_r:samba_etc_t /etc/samba/smb.asen20.alias
lrwxrwxrwx root root root:object_r:samba_etc_t /etc/samba/smb.ASEN20.alias -> smb.asen20.alias

/var/log/message
Feb 22 11:18:29 dox nmbd[4689]: become_domain_master_browser_bcast: querying subnet 192.168.1.6 for domain master
browser on workgroup OASEN
Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing the samba daemon from serving r/o local files to remote
clients. For complete SELinux messages. run sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76

Feb 22 11:18:31 dox last message repeated 2 times
Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t). For
complete SELinux messages. run sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb


setting setsebool -P samba_export_all_ro=1 as advised in sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
does not help

# sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76

Summary:

SELinux is preventing the samba daemon from serving r/o local files to remote
clients.

Detailed Description:

SELinux has preventing the samba daemon (smbd) from reading files on the local
system. If you have not exported these file systems, this could signals an
intrusion.

Allowing Access:

If you want to export file systems using samba you need to turn on the
samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".

The following command will allow this access:

setsebool -P samba_export_all_ro=1

Additional Information:

Source Context root:system_r:smbd_t
Target Context root:object_r:samba_etc_t
Target Objects smb.ASEN20.alias [ lnk_file ]
Source smbd
Source Path /usr/sbin/smbd
Port <Unknown>
Host dox.oasen.dyndns.org
Source RPM Packages samba-3.0.28-1.el5_2.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name samba_export_all_ro
Host Name dox.oasen.dyndns.org
Platform Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count 6
First Seen Sun Feb 22 11:01:48 2009
Last Seen Sun Feb 22 11:18:29 2009
Local ID 55450fa9-b52d-4224-ad52-58b0b9fc4b76
Line Numbers

Raw Audit Messages

host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd"
name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0
tclass=lnk_file


host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.562:32001): arch=c000003e syscall=4 success=no exit=-13
a0=7fffa6dcac10 a1=7fffa6dcab60 a2=7fffa6dcab60 a3=2b560ee731f0 items=0 ppid=4684 pid=4685 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0
key=(null)



# sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb

Summary:

SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t).

Detailed Description:

SELinux denied access requested by nmbd. It is not expected that this access is
required by nmbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for smb.ASEN20.alias,

restorecon -v 'smb.ASEN20.alias'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context root:system_r:nmbd_t
Target Context root:object_r:samba_etc_t
Target Objects smb.ASEN20.alias [ lnk_file ]
Source nmbd
Source Path /usr/sbin/nmbd
Port <Unknown>
Host dox.oasen.dyndns.org
Source RPM Packages samba-3.0.28-1.el5_2.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name dox.oasen.dyndns.org
Platform Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count 6
First Seen Sun Feb 22 11:01:48 2009
Last Seen Sun Feb 22 11:18:29 2009
Local ID 350c8d95-e127-4a23-b2a1-455771106aeb
Line Numbers

Raw Audit Messages

host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd"
name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0
tclass=lnk_file


host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.628:32004): arch=c000003e syscall=4 success=no exit=-13
a0=7fffca8af300 a1=7fffca8af250 a2=7fffca8af250 a3=0 items=0 ppid=4687 pid=4688 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="nmbd" exe="/usr/sbin/nmbd" subj=root:system_r:nmbd_t:s0 key=(null)

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
02-22-2009, 10:29 AM
Dominick Grift

samba nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t)

On Sun, 2009-02-22 at 11:38 +0100, Per Sjoholm wrote:
> On CentOS 5.2
> The server is answering on different netbios names.
> SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t)
> In smb.conf the include files are in 2 halves. One for global config and one for shares/aliases.
> I have include = /etc/samba/smb.%L.alias to get different shares/aliases depending on the netbios name.
> The alias contains
> [name]
> ...
> [name2]
> ...
>
> I link asen20 to ASEN20 to allow the netbios name
> # ls -Z /etc/samba/smb*
> -r--r--r-- root root root:object_r:samba_etc_t /etc/samba/smb.asen20.alias
> lrwxrwxrwx root root root:object_r:samba_etc_t /etc/samba/smb.ASEN20.alias -> smb.asen20.alias
>
> /var/log/message
> Feb 22 11:18:29 dox nmbd[4689]: become_domain_master_browser_bcast: querying subnet 192.168.1.6 for domain master
> browser on workgroup OASEN
> Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing the samba daemon from serving r/o local files to remote
> clients. For complete SELinux messages. run sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
> Feb 22 11:18:31 dox last message repeated 2 times
> Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t). For
> complete SELinux messages. run sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb
>
> setting setsebool -P samba_export_all_ro=1 as advised in sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
> does not help
>
> # sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
>
> Summary:
>
> SELinux is preventing the samba daemon from serving r/o local files to remote
> clients.
>
> Detailed Description:
>
> SELinux has preventing the samba daemon (smbd) from reading files on the local
> system. If you have not exported these file systems, this could signals an
> intrusion.
>
> Allowing Access:
>
> If you want to export file systems using samba you need to turn on the
> samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".
>
> The following command will allow this access:
>
> setsebool -P samba_export_all_ro=1
>
> Additional Information:
>
> Source Context root:system_r:smbd_t
> Target Context root:object_r:samba_etc_t
> Target Objects smb.ASEN20.alias [ lnk_file ]
> Source smbd
> Source Path /usr/sbin/smbd
> Port <Unknown>
> Host dox.oasen.dyndns.org
> Source RPM Packages samba-3.0.28-1.el5_2.1
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name samba_export_all_ro
> Host Name dox.oasen.dyndns.org
> Platform Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count 6
> First Seen Sun Feb 22 11:01:48 2009
> Last Seen Sun Feb 22 11:18:29 2009
> Local ID 55450fa9-b52d-4224-ad52-58b0b9fc4b76
> Line Numbers
>
> Raw Audit Messages
>
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd"
> name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0
> tclass=lnk_file
try this:

echo 'type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file' | audit2allow -M mysmbd; sudo /usr/sbin/semodule -i mysmbd.pp

> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.562:32001): arch=c000003e syscall=4 success=no exit=-13
> a0=7fffa6dcac10 a1=7fffa6dcab60 a2=7fffa6dcab60 a3=2b560ee731f0 items=0 ppid=4684 pid=4685 auid=0 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0
> key=(null)
>
>
> # sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb
>
> Summary:
>
> SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t).
>
> Detailed Description:
>
> SELinux denied access requested by nmbd. It is not expected that this access is
> required by nmbd and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for smb.ASEN20.alias,
>
> restorecon -v 'smb.ASEN20.alias'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context root:system_r:nmbd_t
> Target Context root:object_r:samba_etc_t
> Target Objects smb.ASEN20.alias [ lnk_file ]
> Source nmbd
> Source Path /usr/sbin/nmbd
> Port <Unknown>
> Host dox.oasen.dyndns.org
> Source RPM Packages samba-3.0.28-1.el5_2.1
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name dox.oasen.dyndns.org
> Platform Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1
> SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count 6
> First Seen Sun Feb 22 11:01:48 2009
> Last Seen Sun Feb 22 11:18:29 2009
> Local ID 350c8d95-e127-4a23-b2a1-455771106aeb
> Line Numbers
>
> Raw Audit Messages
>
> host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd"
> name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0
> tclass=lnk_file
And this:

echo 'type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file' | audit2allow -M mynmbd; sudo /usr/sbin/semodule -i mynmbd.pp

(mind the line breaks)

> host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.628:32004): arch=c000003e syscall=4 success=no exit=-13
> a0=7fffca8af300 a1=7fffca8af250 a2=7fffca8af250 a3=0 items=0 ppid=4687 pid=4688 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="nmbd" exe="/usr/sbin/nmbd" subj=root:system_r:nmbd_t:s0 key=(null)
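The recipe in the reply pipes one AVC record into audit2allow -M, which writes a .te source file next to the .pp module it builds. The following is an added example, not code from the thread, from Samba or from the SELinux tooling: a POSIX sh function that performs audit2allow's rule-derivation step by hand on AVC records, so the allow rule a module would grant can be read and judged before semodule -i loads it. A second helper re-joins records that a mail archive has wrapped across lines, as the ones above are. The function names avc_to_allow and join_wrapped are mine, and the sample records are constructed from the two denials in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Requires only POSIX sh, sed, awk and sort.

# join_wrapped: a wrapped audit record starts with "type=XXX msg=audit";
# glue every following line onto it until the next record starts.
join_wrapped() {
    awk '/type=[A-Z_]+ msg=audit/ { if (rec != "") print rec; rec = $0; next }
         { rec = rec " " $0 }
         END { if (rec != "") print rec }'
}

# avc_to_allow: read AVC records (one per line) on stdin and print one
# "allow <source type> <target type>:<class> <permission>;" rule per
# distinct tuple, i.e. what audit2allow would put in the generated .te.
# Non-AVC records (SYSCALL etc.) have no tclass= and are dropped by sed -n.
avc_to_allow() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:[:space:]]*\).*tcontext=[^:]*:[^:]*:\([^:[:space:]]*\).*tclass=\([^[:space:]]*\).*/\2 \3 \4 \1/p' \
    | while read -r src tgt cls perms; do
        # "{ read write }" yields several permissions; emit one rule each
        for p in $perms; do
            printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$p"
        done
      done | sort -u
}

# Constructed sample input: the two denials from the thread, one per line,
# with the archive's wrapping already removed.
SAMPLE_AVC='type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file'

# Show the rules a module built from these records would contain.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Both records map to a single tuple each, `allow smbd_t samba_etc_t:lnk_file read;` and `allow nmbd_t samba_etc_t:lnk_file read;`. The class is lnk_file, so what is denied is reading the symlink smb.ASEN20.alias itself, not the regular file it points to; a module built from these records grants exactly that and nothing more, which is what to confirm in the .te before running the audit2allow and semodule steps from the reply.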