Thanks for the tremendous feedback so far, I appreciate it! I hope this is not bad form, but I would like to answer my own question, but then I have more questions. The error below shows that Samba SMB service could not access 'home' which turns out to be /home.

System #ls -ldZ /home drwxr-xr-x root root system_u:object_r:home_root_t /home

For some reason smbd_t cannot access home_root_t. So I did a chcon on /home which fixed the problem. My question is, by fixing the error have I made Samba more insecure, was this a bug, is there something I could do instead?

chcon system_u:object_r:user_home_dir_t /home

Thanks!

lance

type=AVC msg=audit(1199209100.230:984): avc: denied { read } for pid=26929 comm="smbd" name="home" dev=sdb1 ino=92504065 scontext=user_u:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

type=SYSCALL msg=audit(1199209100.230:984): arch=40000003 syscall=5 success=no exit=-13 a0=93f9288 a1=18800 a2=bf85dccc a3=93f9268 items=0 ppid=22310 pid=26929 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="smbd" exe="/usr/ sbin/smbd" subj=user_u:system_r:smbd_t:s0 key=(null)

...

PS: Is there anyway to configure SELinux/auditd to use regular dates, as sylogd does?

Stop looking at audit logs directly. (I'll leave the policy questions to the policy people, sorry)

ausearch -m AVC -i

Very cool, thanks! One other outstanding suggestion I received was the RPM pkg 'setroubleshoot'. It does a mind blowing / amazing job of taking AVC error messages and explaining to you exactly what they mean and suggested actions. Not only does it help troubleshooting, but it helps to better understand SElinux in general. Now only if there was such a utlity for the rest of Linux logging (dmesg anyone? :).

Thanks!

lance

Summary SELinux is preventing /usr/sbin/named (named_t) "getattr" access to /dev/random (tmpfs_t).

Detailed Description SELinux denied access requested by /usr/sbin/named. It is not expected that this access is required by /usr/sbin/named and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/random, restorecon -v /dev/random. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "named_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P named_disable_trans=1."

The following command will allow this access: setsebool -P named_disable_trans=1

Additional Information

Source Context user_u:system_r:named_t Target Context system_u:object_r:tmpfs_t Target Objects /dev/random [ chr_file ] Affected RPM Packages Policy RPM Selinux Enabled Policy Type MLS Enabled Enforcing Mode Plugin Name plugins.disable_trans Host Name Platform Alert Count 1 Line Numbers 1689,1690

Raw Audit Messages

avc: denied { getattr } for comm="named" dev=sdb1 egid=25 euid=25 exe="/usr/sbin/named" exit=-13 fsgid=25 fsuid=25 gid=25 items=0 path="/dev/random" pid=10791 scontext=user_u:system_r:named_t:s0 sgid=25 subj=user_u:system_r:named_t:s0 suid=25 tclass=chr_file tcontext=system_u:object_r:tmpfs_t:s0 tty=(none) uid=25