Thanks Paul. Your observation that the problem is the ~/.spamassassin directory is very enlightening. Nonetheless - I imagine that in enforcing mode - I will get lots of errors - and possibly samba delays - so it probably still needs fixing. Can you suggest why I might have this problem - and how best to fix it?
Richard.
Paul Howarth wrote:
Richard Chapman wrote:
I am running SELinux in permissive mode. I want to allow samba access to user home directories. At setroubleshoot's suggestion (see below) - I did the following at a shell prompt:
setsebool -P samba_enable_home_dirs=1
This seemed to solve the problem. But after a reboot the denials are back. I assume the boolean is not carried across a reboot.
If my assumption is correct - where is the recommended place to put the:
setsebool -P samba_enable_home_dirs=1
command? Should I create a local policy module and put it there - or is there some other recommended place? If anyone can point me to a recommended procedure ...
Thanks
Richard.
You've done what you needed to do already - the -P option makes the boolean persist across reboots.
Summary:
SELinux is preventing the samba daemon from reading users' home directories.
This summary is actually slightly misleading in this case.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux has denied the samba daemon access to users' home directories. Someone is attempting to access your home directories via your samba daemon. If you only setup samba to share non-home directories, this probably signals an intrusion attempt. For more information on SELinux integration with samba, look at the samba_selinux man page. (man samba_selinux)
Allowing Access:
If you want samba to share home directories you need to turn on the samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
The following command will allow this access:
setsebool -P samba_enable_home_dirs=1
Additional Information:
Source Context                system_u:system_r:smbd_t
Target Context                user_u:object_r:spamassassin_home_t
Target Objects                ./.spamassassin [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          C5.aardvark.com.au
Source RPM Packages           samba-3.0.28-1.el5_2.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   samba_enable_home_dirs
Host Name                     C5.aardvark.com.au
Platform                      Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 13 Jan 2009 10:59:19 PM WST
Last Seen                     Tue 13 Jan 2009 10:59:23 PM WST
Local ID                      70f6525d-ce9d-40a4-a558-c3db06781ae9
Line Numbers

Raw Audit Messages

host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { search } for pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { getattr } for pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
These denials are all for the ~/.spamassassin directory and its contents, not the home directory in general. Browsing the majority of the home directory would work just fine in enforcing mode.
Paul.