Bug 236463 - SELinux strange Samba home dir denial
Summary: SELinux strange Samba home dir denial
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2007-04-14 15:14 UTC by Anthony Messina
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-08-22 14:13:48 UTC


Description Anthony Messina 2007-04-14 15:14:06 UTC
Description of problem:
SELinux logs a denial when Samba tries to access a user's home dir, even though
samba_enable_home_dirs --> on.  It only seems to be bothered by the
.xsession-errors file.

Version-Release number of selected component (if applicable):

How reproducible:
Each time

Steps to Reproduce:
1. Access a user's home dir via Samba (a user who also uses this home dir for X
Actual results:
avc: denied { getattr } for comm="smbd" dev=md0 egid=503 euid=503
exe="/usr/sbin/smbd" exit=0 fsgid=503 fsuid=503 gid=0 items=0
name=".xsession-errors" path="/home/mmessina/.xsession-errors" pid=9989
scontext=root:system_r:smbd_t:s0 sgid=0 subj=root:system_r:smbd_t:s0 suid=0
tclass=file tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=503

Expected results:
I'm not sure about this error. It didn't seem to happen before.

Additional info:

Comment 1 Daniel Walsh 2007-04-16 14:10:43 UTC
You need to enable the samba_enable_home_dirs boolean.
setsebool -P samba_enable_home_dirs=1

Comment 2 Anthony Messina 2007-04-16 16:39:59 UTC
that's just the trouble, i *do* have samba home dirs enabled.  

Comment 3 Daniel Walsh 2007-04-16 17:15:23 UTC
Ok this is a labeling problem.  For some reason .xsession-errors is labeled

restorecon -v /home/mmessina/.xsession-errors

Should fix the context.  Not sure how it got the wrong context on this file?

Should be user_home_t not user_home_dir_t.
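
The diagnosis in Comment 3 can be read straight off the AVC record: tclass=file paired with a *_dir_t target type points at a label problem rather than a missing boolean. The following is an added example, not part of the original thread and not code from the selinux-policy project; the function names are hypothetical, the sample record is the denial from the description joined onto one line, and the "_dir_t on a non-directory" rule is an assumed naming-convention heuristic.

```python
import re
import shlex

# Constructed sample: the denial from the bug description, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { getattr } for comm="smbd" dev=md0 egid=503 euid=503 '
    'exe="/usr/sbin/smbd" exit=0 fsgid=503 fsuid=503 gid=0 items=0 '
    'name=".xsession-errors" path="/home/mmessina/.xsession-errors" pid=9989 '
    'scontext=root:system_r:smbd_t:s0 sgid=0 subj=root:system_r:smbd_t:s0 suid=0 '
    'tclass=file tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=503'
)

def parse_avc(record):
    """Split an 'avc: denied' record into its permissions and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', record, re.S)
    if m is None:
        raise ValueError("not an AVC denial record")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    fields = {key: value.strip('"') for key, value in pairs}
    fields["perms"] = m.group(1).split()
    return fields

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]

def triage(record):
    """Classify a denial as a labeling problem or a policy/boolean question."""
    f = parse_avc(record)
    target = selinux_type(f["tcontext"])
    result = {"source": selinux_type(f["scontext"]), "target": target,
              "tclass": f["tclass"], "path": f.get("path"), "perms": f["perms"]}
    # Assumption (naming-convention heuristic): a *_dir_t type on an object that
    # is not a directory means the label is wrong, so no boolean clears the denial.
    if f["tclass"] != "dir" and target.endswith("_dir_t"):
        result["verdict"] = "mislabeled"
        result["fix"] = "restorecon -v " + shlex.quote(f.get("path") or "<path>")
    else:
        result["verdict"] = "check-policy"
        result["fix"] = None
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_AVC))
```
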

Comment 4 Anthony Messina 2007-04-21 16:29:50 UTC
ok, i relabeled the .xsession-errors file.  in doing so, i found other .* (dot
files) that had the same issue.  logged out, logged back in and the files were
re-created with the user_home_dir_t type.

using selinux-policy-2.4.6-54.fc6

oh, and when i logged in/out, i did that on a linux only machine -- samba was
not involved with this user account.

Comment 5 Daniel Walsh 2007-04-23 14:44:01 UTC
When logged in please run id -Z at the command line?  Are you running in
permissive mode?

Comment 6 Anthony Messina 2007-04-23 16:31:23 UTC
id -Z gives:

i don't think i detailed in the original report that this is over nfs4.  the
server is in permissive mode.  the client is in enforcing mode.

the above id -Z is on the client machine.

Comment 7 Daniel Walsh 2007-05-17 17:11:31 UTC
Fixed in selinux-policy-2.4.6-71.fc6

Comment 8 Daniel Walsh 2007-08-22 14:13:48 UTC
Fixed in current release
