I am sharing my user home directories to other machines on my LAN using Samba. I have that all working correctly except for one persistent AVC that I keep seeing. Now this AVC is correct in that I really do not want my user's .ssh directories read over SMB so I'd quite like to keep that as-is. But... I get alerts for this all the time so I'd like to know how to add a dontaudit rule for it so that access is denied but I don't get told about it. Ideally I'd like to add a generic rule to catch all user's not have to add one dontaudit rule per user. Just don't have a clue where to start and google was not much use on this so would appreciate some help if anyone has done this before?
SELinux is preventing samba (smbd) "getattr" to /home/$user/.ssh (sshd_key_t).
Source Context: system_u:system_r:smbd_t Target Context: user_u:object_r:sshd_key_t Target Objects: /home/$user/.ssh/config [ file ] Source: smbd Source Path: /usr/sbin/smbd Port: <Unknown> Host: hostname Source RPM Packages: samba-3.0.33-3.15.el5_4.1 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-255.el5_4.4 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: samba_share Host Name: hostname Platform: Linux hostname 2.6.32.5 #3 SMP Sun Jan 31 03:27:09 GMT 2010 x86_64 x86_64 Alert Count: 1 First Seen: Tue 23 Feb 2010 12:44:47 AM GMT Last Seen: Tue 23 Feb 2010 12:44:47 AM GMT Local ID: 5d933e81-2ab5-4529-8dce-9e554a59f0e3 Line Numbers:
Raw Audit Messages : host=hostname type=AVC msg=audit(1266885887.400:4313): avc: denied { getattr } for pid=16382 comm="smbd" path="/home/$user/.ssh/config" dev=dm-4 ino=10453601 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:sshd_key_t:s0 tclass=file
host=hostname type=SYSCALL msg=audit(1266885887.400:4313): arch=c000003e syscall=4 success=yes exit=0 a0=7fff2dc9f270 a1=7fff2dc9e9a0 a2=7fff2dc9e9a0 a3=7fff2dc9ee70 items=0 ppid=4352 pid=16382 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
On 23/02/10 00:55, Trevor Hemsley wrote:
I am sharing my user home directories to other machines on my LAN using Samba. I have that all working correctly except for one persistent AVC that I keep seeing. Now this AVC is correct in that I really do not want my user's .ssh directories read over SMB so I'd quite like to keep that as-is. But... I get alerts for this all the time so I'd like to know how to add a dontaudit rule for it so that access is denied but I don't get told about it. Ideally I'd like to add a generic rule to catch all user's not have to add one dontaudit rule per user. Just don't have a clue where to start and google was not much use on this so would appreciate some help if anyone has done this before?
This is easy: just use audit2allow to generate a rule as if you wanted to allow this access, then change the "allow" in the rule to "dontaudit" before compiling and loading your policy module.
Paul.
On 02/22/2010 07:55 PM, Trevor Hemsley wrote:
I am sharing my user home directories to other machines on my LAN using Samba. I have that all working correctly except for one persistent AVC that I keep seeing. Now this AVC is correct in that I really do not want my user's .ssh directories read over SMB so I'd quite like to keep that as-is. But... I get alerts for this all the time so I'd like to know how to add a dontaudit rule for it so that access is denied but I don't get told about it. Ideally I'd like to add a generic rule to catch all user's not have to add one dontaudit rule per user. Just don't have a clue where to start and google was not much use on this so would appreciate some help if anyone has done this before?
SELinux is preventing samba (smbd) "getattr" to /home/$user/.ssh (sshd_key_t).
Source Context: system_u:system_r:smbd_t Target Context: user_u:object_r:sshd_key_t Target Objects: /home/$user/.ssh/config [ file ] Source: smbd Source Path: /usr/sbin/smbd Port:<Unknown> Host: hostname Source RPM Packages: samba-3.0.33-3.15.el5_4.1 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-255.el5_4.4 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: samba_share Host Name: hostname Platform: Linux hostname 2.6.32.5 #3 SMP Sun Jan 31 03:27:09 GMT 2010 x86_64 x86_64 Alert Count: 1 First Seen: Tue 23 Feb 2010 12:44:47 AM GMT Last Seen: Tue 23 Feb 2010 12:44:47 AM GMT Local ID: 5d933e81-2ab5-4529-8dce-9e554a59f0e3 Line Numbers:
Raw Audit Messages : host=hostname type=AVC msg=audit(1266885887.400:4313): avc: denied { getattr } for pid=16382 comm="smbd" path="/home/$user/.ssh/config" dev=dm-4 ino=10453601 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:sshd_key_t:s0 tclass=file
host=hostname type=SYSCALL msg=audit(1266885887.400:4313): arch=c000003e syscall=4 success=yes exit=0 a0=7fff2dc9f270 a1=7fff2dc9e9a0 a2=7fff2dc9e9a0 a3=7fff2dc9ee70 items=0 ppid=4352 pid=16382 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
# cat > mysmbd.te << _EOF policy_module(mysmbd, 1.0)
require { type smbd_t; type sshd_key_t; }
dontaudit smbd_t sshd_key_t:file getattr; _EOF # make -f /usr/share/selinux/devel/Makefile # semodule -i mysmbd.pp
Thanks everyone that replied. I've added something akin to this and it appears to be working - at least no AVCs for ~18 hours now so I think so.
On 23/02/2010 18:06, Daniel J Walsh wrote:
# cat > mysmbd.te << _EOF policy_module(mysmbd, 1.0)
require { type smbd_t; type sshd_key_t; }
dontaudit smbd_t sshd_key_t:file getattr; _EOF # make -f /usr/share/selinux/devel/Makefile # semodule -i mysmbd.pp
selinux@lists.fedoraproject.org