Hi,
This is CentOS 5.3, fully updated.
I'm getting the following error from setroubleshoot:
SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old (samba_log_t).
when samba tries to rotate the log files.
Running sealert I get the following (edited):
Summary:
SELinux is preventing samba (smbd) "unlink" to ./log.cs244-24.old (samba_log_t).
Detailed Description:
SELinux denied samba access to ./log.cs244-24.old. If you want to share this directory with samba it has to have a file context label of samba_share_t. If you did not intend to use ./log.cs244-24.old as a samba repository it could indicate either a bug or it could signal a intrusion attempt.
Allowing Access:
You can alter the file context by executing chcon -R -t samba_share_t './log.cs244-24.old' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t samba_share_t './log.cs244-24.old'"
The following command will allow this access:
chcon -R -t samba_share_t './log.cs244-24.old'
Additional Information:
Source Context                root:system_r:smbd_t
Target Context                root:object_r:samba_log_t
Target Objects                ./log.cs244-24.old [ file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          janus.x.y.z
Source RPM Packages           samba-3.0.33-3.7.el5_3.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   samba_share
Host Name                     janus.x.y.z
Platform                      Linux janus.x.y.z 2.6.18-128.7.1.el5 #1 SMP Mon Aug 24 08:21:56 EDT 2009 x86_64 x86_64
Alert Count                   53
First Seen                    Fri Sep 25 15:54:24 2009
Last Seen                     Tue Sep 29 15:55:25 2009
Local ID                      e4426abc-3b0b-4df2-a380-3f0fba344c63
Line Numbers
Raw Audit Messages
host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641): arch=c000003e syscall=82 success=no exit=-13 a0=2b1b457b5220 a1=7fffa9a7ba90 a2=1f a3=0 items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1675 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
log.cs244-24.old is a file, not a directory, and it's located in the /var/log/samba directory with permissions system_u:object_r:samba_log_t samba
Any ideas,
Tony
On Wed, Sep 30, 2009 at 10:15:14AM +0100, Tony Molloy wrote:
Looks like a valid bug in selinux-policy to me:
echo 'avc: denied { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file' | audit2allow -M mysmbd; /usr/sbin/semodule -i mysmbd.pp
Should grant this particular access vector.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Wednesday 30 September 2009 12:18:17 Dominick Grift wrote:
Thanks, I generated a local policy to allow it.
Regards,
Tony
On Wed, Sep 30, 2009 at 2:17 PM, Tony Molloy tony.molloy@ul.ie wrote:
In origin, what is the result of this? On my system:
sesearch -s smbd_t -c file --allow | grep samba_log_t
allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow smbd_t samba_log_t : file { ioctl read getattr lock };
allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };
Because I have no problem, and in fact unlink is allowed.
Are you sure you have selinux-policy-targeted installed?
Regards
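As an added example (not code from this thread, nor from the audit2allow or sesearch tools themselves): a small Python parser that turns a raw AVC denial like the one Tony posted into its source type, target type, object class and permissions, derives the allow rule audit2allow would generate for it (Dominick's suggestion), and checks it against a sesearch-style allow listing like the one yersinia posted to decide whether the denial is a real policy gap. AVC_LINE and SESEARCH_OK are taken from this thread; SESEARCH_NO_UNLINK is an assumed older listing without unlink, standing in for the 5.3 policy.

```python
import re

# Constructed sample input: the AVC record from this thread.
AVC_LINE = ('host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied '
            '{ unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 '
            'ino=164076 scontext=root:system_r:smbd_t:s0 '
            'tcontext=root:object_r:samba_log_t:s0 tclass=file')
# sesearch-style allow listings: the first is what yersinia posted (unlink granted),
# the second is an assumed older listing without unlink, as on the 5.3 box.
SESEARCH_OK = """\
allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow smbd_t samba_log_t : file { ioctl read getattr lock };
"""
SESEARCH_NO_UNLINK = "allow smbd_t samba_log_t : file { ioctl read write create getattr setattr lock append };\n"

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)$')
ALLOW_RE = re.compile(r'^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+\{([^}]*)\}')

def parse_avc(line):
    """Split an AVC denial into permissions, source/target types, class and raw fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: %r' % line)
    raw = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('kv')))
    fields = {k: v.strip('"') for k, v in raw.items()}
    # A context is user:role:type[:range]; the type is the third component.
    return {'perms': set(m.group('perms').split()),
            'stype': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'fields': fields}

def allowed_perms(sesearch_text, stype, ttype, tclass):
    """Union of permissions granted by allow rules for (stype, ttype, tclass)."""
    perms = set()
    for line in sesearch_text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m and (m.group(1), m.group(2), m.group(3)) == (stype, ttype, tclass):
            perms |= set(m.group(4).split())
    return perms

def missing_perms(avc, sesearch_text):
    """Denied permissions the loaded policy does not grant; empty means no policy gap."""
    return avc['perms'] - allowed_perms(sesearch_text, avc['stype'], avc['ttype'], avc['tclass'])

def allow_rule(avc):
    """Policy allow rule covering the denial, as audit2allow would derive it."""
    return 'allow %s %s:%s { %s };' % (avc['stype'], avc['ttype'], avc['tclass'],
                                      ' '.join(sorted(avc['perms'])))

if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print(allow_rule(avc))
    print('gap under 5.3-style listing:', missing_perms(avc, SESEARCH_NO_UNLINK))
    print('gap under fixed listing:', missing_perms(avc, SESEARCH_OK))
```

Feeding it the real output of `sesearch -s smbd_t -t samba_log_t -c file --allow` in place of the embedded listings gives the same check yersinia ran, without loading any module.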
On 09/30/2009 08:37 AM, yersinia wrote:
This is definitely fixed in 5.4 policy.
5.5 policy is now previewing at http://people.redhat.com/dwalsh/SELinux/RHEL5
On Wednesday 30 September 2009 18:32:21 Daniel J Walsh wrote:
Thanks Daniel. As I said, I generated a local policy, so the messages are no longer clogging up the logs. I'll have a look at the latest policy.
Regards,
Tony