
Bug 236463

Summary: SELinux strange Samba home dir denial
Product: [Fedora] Fedora
Reporter: Anthony Messina <amessina>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: medium
Version: 6
CC: dwalsh
Keywords: Reopened
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 14:13:48 UTC

Description Anthony Messina 2007-04-14 15:14:06 UTC
Description of problem:
SELinux logs a denial when Samba tries to access a user's home dir, even though
samba_enable_home_dirs --> on.  It only seems to be bothered by the
.xsession-errors file.

Version-Release number of selected component (if applicable):

How reproducible:
Each time

Steps to Reproduce:
1. Access a user's home dir via Samba (a user who also uses this home dir for X

Actual results:
avc: denied { getattr } for comm="smbd" dev=md0 egid=503 euid=503
exe="/usr/sbin/smbd" exit=0 fsgid=503 fsuid=503 gid=0 items=0
name=".xsession-errors" path="/home/mmessina/.xsession-errors" pid=9989
scontext=root:system_r:smbd_t:s0 sgid=0 subj=root:system_r:smbd_t:s0 suid=0
tclass=file tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=503

Expected results:
I'm not sure about this error. It didn't seem to happen before.

Additional info:

Comment 1 Daniel Walsh 2007-04-16 14:10:43 UTC
You need to enable the samba_enable_home_dirs boolean.
setsebool -P samba_enable_home_dirs=1

Comment 2 Anthony Messina 2007-04-16 16:39:59 UTC
that's just the trouble, i *do* have samba home dirs enabled.  

Comment 3 Daniel Walsh 2007-04-16 17:15:23 UTC
Ok this is a labeling problem.  For some reason .xsession-errors is labeled

restorecon -v /home/mmessina/.xsession-errors

Should fix the context.  Not sure how it got the wrong context on this file?

Should be user_home_t not user_home_dir_t.
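
The triage done in comment 3, as an added example that is not part of the thread or of selinux-policy: parse an AVC denial and decide whether it points at a mislabeled file (fix with restorecon) or at policy and booleans. The names `DIR_ONLY_TYPES`, `parse_avc`, `context_type` and `triage` are hypothetical, and the second and third log lines are constructed.

```python
import re
import shlex

# Constructed sample input: line 1 is the denial from the report, trimmed to
# the fields used here; lines 2 and 3 are made up for contrast.
SAMPLE_LOG = '''\
avc: denied { getattr } for comm="smbd" name=".xsession-errors" path="/home/mmessina/.xsession-errors" pid=9989 scontext=root:system_r:smbd_t:s0 tclass=file tcontext=root:object_r:user_home_dir_t:s0
avc: denied { search } for comm="smbd" name="alice" path="/home/alice" pid=4242 scontext=root:system_r:smbd_t:s0 tclass=dir tcontext=root:object_r:user_home_dir_t:s0
avc: denied { read } for comm="smbd" name="notes.txt" path="/home/alice/notes.txt" pid=4242 scontext=root:system_r:smbd_t:s0 tclass=file tcontext=root:object_r:user_home_t:s0
'''

# Assumption: types that belong on directories only. The thread names
# user_home_dir_t (wrong on a file) versus user_home_t (right for a file).
DIR_ONLY_TYPES = {"user_home_dir_t"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = DENIED.search(line)
    if m is None:
        return None
    rec = {key: val.strip('"') for key, val in FIELD.findall(line)}
    rec["perms"] = m.group(1).split()
    return rec

def context_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def triage(line):
    """Classify a denial as 'mislabel' (relabel the object) or 'policy'."""
    rec = parse_avc(line)
    if rec is None:
        return None
    ttype = context_type(rec.get("tcontext", ""))
    path = rec.get("path") or rec.get("name") or ""
    mislabeled = rec.get("tclass") != "dir" and ttype in DIR_ONLY_TYPES
    # restorecon -v is the fix given in comment 3 for a wrong label.
    action = ("restorecon -v " + shlex.quote(path) if mislabeled
              else "review booleans and policy for this source and target type")
    return {"path": path, "perms": rec["perms"], "target": ttype,
            "verdict": "mislabel" if mislabeled else "policy", "action": action}

if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(triage(entry))
```
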

Comment 4 Anthony Messina 2007-04-21 16:29:50 UTC
ok, i relabeled the .xsession-errors file.  in doing so, i found other .* (dot
files) that had the same issue.  logged out, logged back in and the files were
re-created with the user_home_dir_t type.

using selinux-policy-2.4.6-54.fc6

oh, and when i logged in/out, i did that on a linux only machine -- samba was
not involved with this user account.

Comment 5 Daniel Walsh 2007-04-23 14:44:01 UTC
When logged in please run id -Z at the command line?  Are you running in
permissive mode?

Comment 6 Anthony Messina 2007-04-23 16:31:23 UTC
id -Z gives:

i don't think i detailed in the original report that this is over nfs4.  the
server is in permissive mode.  the client is in enforcing mode.

the above id -Z is on the client machine.

Comment 7 Daniel Walsh 2007-05-17 17:11:31 UTC
Fixed in selinux-policy-2.4.6-71.fc6

Comment 8 Daniel Walsh 2007-08-22 14:13:48 UTC
Fixed in current release