Old 07-26-2012, 08:45 AM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Rep: Reputation: 174
Need help interpreting this SELinux log entry


I am running CentOS 6.2 with SELinux in enforcing mode. I have a Samba server running which is accessed by a Win XP virtual machine running on the same hardware under VMWare player. I "allowed" Samba in SELinux thusly:

Quote:
[root@taylor12 ken]# semanage fcontext -a -t samba_share_t '/data(/.*)?'
[root@taylor12 ken]# semanage fcontext -a -t samba_share_t '/quitelarge(/.*)?'
[root@taylor12 ken]# restorecon -R /data
[root@taylor12 ken]# restorecon -R /quitelarge
/data and /quitelarge being my Samba share points.

This AM I observed a message in the /var/log/audit.log which when viewed with the aid of seaudit shows the following:

Message: Denied
Source Type: smbd_t
Target Type: smbd_t
Object class: key
Permission: write

Can someone help me to determine what this means (and what I tried to do but was not allowed to)?

TIA,

Ken
 
Old 07-26-2012, 09:08 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
My knowledge of SELinux is a bit limited, but here is what I think based upon your problem statement:
SELinux assigned contexts (user, role, type if I recall correctly) to an item and it is designed to allow actions associated with similar contexts. In your case, you have made (or at least attempted to make) these two samba_shares, of type samba_share_t. It would appear that write access is being attempted from something of a different context and that there does not exist a rule to allow it. BTW, by default, everything is denied.

I would recommend 1, looking at the AVC in your log to see if this gives you a better clue as to what is wrong. Look for a mismatch between the contexts of the access request and the resource. 2, analyze these rules with audit2allow, which sometimes will give you more information on the problem as well as some suggestions, which may involve writing a custom rule set.

Also, one thing I have noticed is that new files tend to have a generic context associated with them. Sometimes copying an existing file or directory and then changing it makes your life easier.

You can also look at the SELinux contexts of the files by using the ls -Z flag. This may show something configured in a manner that is unexpected.
 
Old 07-26-2012, 12:55 PM   #3
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks Noway2,

My knowledge of SELinux is very limited but at least I did not simply throw in the towel and disable it. That seems to be the top hit on SELinux searches - how do I disable... sad. That said, I dug into the audit.log and found the entry for the offending event. I have parsed it out:
Quote:
type=AVC msg=audit(1343305377.721:55):
avc: denied { write } for pid=5434 comm="smbd"
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:system_r:smbd_t:s0
tclass=key
I also recalled that at about this time I had to reboot the PC due to a HARD lockup which I believed was caused by Firefox accessing reuters.com. This has happened a couple of other times - but that is another story. I reproduced the SELinux offense above as follows:

1 - reboot the PC
2 - start the Win XP virtual machine
3 - login to the XP virtual machine (which does a "reconnect at logon" to the two Samba shares)

I then see the identical offense recorded in the log (with the current time of course). It looks like the Samba process is trying to write to something but I have not a clue what it is.

For my next trick I disconnected the Samba shares from the XP virtual machine and rebooted it. I then logged into XP but the Samba shares were not connected. This time I do not see a new SELinux offense recorded.

I manually "map network drive" from the XP virtual machine to the Samba share /data. I see an offense recorded. I connect to the second share, /quitelarge, and do NOT see an offense recorded. I then disconnect both connections. I map to /quitelarge again. This time I DO see an offense recorded.

From this testing I conclude that the FIRST connection from a Windows machine to a Samba share on the CentOS server causes the offense. It appears that SELinux permissions on the shares are OK. I guess I need to focus on Object Class = key as Samba seems to be trying to write something when it first receives a request for a connection.

Ken
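As an added illustration (not code from anyone in this thread): a small parser for AVC records like the one quoted above. It pulls out the source and target types and the permission, decodes the audit timestamp, flags that source and target are the same domain, and derives the allow rule that audit2allow would typically emit for it. The one-line record is constructed by re-joining the quoted entry.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the record quoted above, joined back onto the single line
# that the audit log actually stores (the poster split it up for readability).
SAMPLE_AVC = (
    'type=AVC msg=audit(1343305377.721:55): avc:  denied  { write } for  pid=5434 '
    'comm="smbd" scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:system_r:smbd_t:s0 tclass=key'
)

_HEADER = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*'
    r'(?P<result>denied|granted)\s*\{(?P<perms>[^}]*)\}\s*for\s+(?P<rest>.*)$')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for any other record type."""
    m = _HEADER.match(line.strip())
    if m is None:
        return None
    rec = {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in _FIELD.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; allow rules are written against the type,
    # so the role (system_r here) is not what the policy decision turns on.
    for side in ("scontext", "tcontext"):
        _user, role, stype = rec[side].split(":")[:3]
        rec[side + "_role"], rec[side + "_type"] = role, stype
    return rec

def explain(rec):
    """Summarise the denial and derive the allow rule audit2allow would produce for it."""
    src, tgt = rec["scontext_type"], rec["tcontext_type"]
    perms = " ".join(rec["perms"])
    # Identical source and target type is written as 'self' in policy (same-domain denial).
    target = "self" if src == tgt else tgt
    rule = "allow %s %s:%s %s;" % (src, target, rec["tclass"], perms)
    summary = "%s (pid %s) in domain %s was %s '%s' on a %s object labelled %s" % (
        rec.get("comm", "?"), rec.get("pid", "?"), src, rec["result"], perms,
        rec["tclass"], tgt)
    return {"summary": summary, "rule": rule, "same_domain": src == tgt}
```

For the quoted record this yields a same-domain denial (smbd_t writing a kernel keyring labelled smbd_t) and the rule `allow smbd_t self:key write;`, which is the output to compare against what audit2allow prints.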
 
Old 07-28-2012, 12:41 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I don't know if SELinux policy changed that much but doesn't the role look a bit odd? In Centos 5.8 'find /some/path -context "*:system_r:*";' doesn't return anything.
 
Old 07-28-2012, 01:13 PM   #5
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
If I execute
Quote:
find / -context *:system_r:*
I get everything under /proc e.g.
Quote:
/proc/1
/proc/1/task
/proc/1/task/1
/proc/1/task/1/fd
/proc/1/task/1/fd/0
/proc/1/task/1/fd/1
/proc/1/task/1/fd/2
/proc/1/task/1/fd/3
/proc/1/task/1/fd/4
/proc/1/task/1/fd/5
/proc/1/task/1/fd/6
/proc/1/task/1/fd/7
/proc/1/task/1/fd/9
/proc/1/task/1/fdinfo
...
/proc/32756/wchan
/proc/32756/stack
/proc/32756/schedstat
/proc/32756/cpuset
/proc/32756/cgroup
/proc/32756/oom_score
/proc/32756/oom_adj
/proc/32756/oom_score_adj
/proc/32756/loginuid
/proc/32756/sessionid
/proc/32756/coredump_filter
/proc/32756/io
Ken
 
Old 07-28-2012, 02:16 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
OK, but nothing outside of the /proc VFS, right? "object_r" being the default role AFAIK.
 
Old 07-28-2012, 04:21 PM   #7
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Nothing outside of /proc. That is true.

Ken
 
Old 07-28-2012, 05:25 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Could you at least 'getsebool -a' and list your samba|smbd booleans, set the role to "object_r" on /data and /quitelarge, rerun your tests and see what 'cat /var/log/audit.log|audit2allow' returns?
 
Old 07-29-2012, 07:42 AM   #9
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
As requested, here are my Samba booleans
Quote:
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off

allow_smbd_anon_write --> off
It seems that the two directories in question are already object_r
Quote:
d---rwxrwx. root root system_u:object_r:samba_share_t:s0 data
drwxr-xr-x. ken root system_u:object_r:samba_share_t:s0 quitelarge
Ken
 
All times are GMT -5. The time now is 11:54 AM.