Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am running CentOS 6.2 with SELinux in enforcing mode. I have a Samba server running which is accessed by a Win XP virtual machine running on the same hardware under VMWare player. I "allowed" Samba in SELinux thusly:
My knowledge of SELinux is a bit limited, but here is what I think based upon your problem statement:
SELinux assigned contexts (user, role, type if I recall correctly) to an item and it is designed to allow actions associated with similar contexts. In your case, you have made (or at least attempted to make) these two samba_shares, of type samba_share_t. It would appear that write access is being attempted from something of a different context and that there does not exist a rule to allow it. BTW, by default, everything is denied.
I would recommend 1, looking at the AVC in your log to see if this gives you a better clue as to what is wrong. Look for a mismatch between the contexts of the access request and the resource. 2, analyze these rules with audit2alllow, which sometimes will give you more information on the problem as well as some suggestsions, which may involve writing a custom rule set.
Also, one thing I have noticed is that new files tend to have a generic context associated with them. Sometimes copying an existing file or directory and then changing it makes your life easier.
You can also look at the SELinux contexts of the files by using the ls -Z flag. This may show something configured in a manner that is unexpected.
My knowledge of SELinux is very limited but at least I did not simply throw in the towel and disable it. That seems to be the top hit on SELinux searches - how do I disable... sad. That said, I dug into the audit.log and found the entry for the offending event. I have parsed it out
I also recalled that at about this time I had to reboot the PC due to a HARD lockup which I believed was caused by Firefox accessing reuters.com. This has happened a couple of other times - but that is another story. I reproduced the SELinux offense above as follows:
1 - reboot the PC
2 - start the Win XP virtual machine
3 - login to the XP virtual machine (which does a "reconnect at logon" to the two Samba shares)
I then see the identical offense recorded in the log (with the current time of course). It looks like the Samba process is trying to write to something but I have not a clue what it is.
For my next trick I disconnected the Samba shares from the XP virtual machine and rebooted it. I then logged into XP but the Samba shares were not connected. This time I do not see a new SELinux offense recorded.
I manually "map network drive" from the XP virtual machine to the Samba share /data. I see an offense recorded. I connect to the second share, /quitelarge, and do NOT see an offense recorded. I then disconnect both connections. I map to /quitelarge again. This time I DO see an offense recorded.
From this testing I conclude that the FIRST connection from a Windows machine to a Samba share on the CentOS server causes the offense. It appears that SELinux permissions on the shares are OK. I guess I need to focus on Object Class = key as Samba seems to be trying to write something when if first receives a request for a connection.
I don't know if SELinux policy changed that much but doesn't the role look a bit odd? In Centos 5.8 'find /some/path -context "*:system_r:*";' doesn't return anything.
Could you at least 'getsebool -a' and list your samba|smbd booleans, set the role to "object_r" on /data and /quitelarge, rerun your tests and see what 'cat /var/log/audit.log|audit2allow' returns?
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
allow_smbd_anon_write --> off
It seems that the two directories in question are already object_r
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.