SELinux blocking file sharing

yaperp · #1 24th December 2007, 09:25 PM

when i use samba to share a folder with the following command:

Code:

net usershare add share_1 /home/dennis/Desktop/junk "" dennis:F guest_ok=y

settroubleshoot tells me:

Code:

Summary
    SELinux is preventing /usr/bin/net (samba_net_t) "read" to <Unknown>
    (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/bin/net. It is not expected that
    this access is required by /usr/bin/net and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                unconfined_u:system_r:samba_net_t:s0-s0:c0.c1023
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         samba-common-3.0.28-0.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-72.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     desk1.home
Platform                      Linux desk1.home 2.6.23.9-85.fc8 #1 SMP Fri Dec 7
                              15:49:36 EST 2007 x86_64 x86_64
Alert Count                   37
First Seen                    Mon 24 Dec 2007 09:48:44 AM EST
Last Seen                     Mon 24 Dec 2007 04:20:26 PM EST
Local ID                      c3e737fd-f50c-4192-9d35-cc74a7a57c31
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=net dev=dm-0 egid=500 euid=500 exe=/usr/bin/net
exit=-13 fsgid=500 fsuid=500 gid=500 items=0 name=usershares pid=4511
scontext=unconfined_u:system_r:samba_net_t:s0-s0:c0.c1023 sgid=500
subj=unconfined_u:system_r:samba_net_t:s0-s0:c0.c1023 suid=500 tclass=dir
tcontext=system_u:object_r:samba_share_t:s0 tty=(none) uid=500

when selinux is in permissive mode, I can share this folder. In Enforcing mode I can not.

The following is the security contex of /var/lib/samba/usershares

Code:

drwxrwx--T  root dennis system_u:object_r:samba_share_t:s0 usershares

contents of /etc/selinux/targeted/modules/active/booleans.local

Code:

use_nfs_home_dirs=1
use_samba_home_dirs=1
samba_enable_home_dirs=1
samba_export_all_rw=0
samba_export_all_ro=0

Any help would be appreciated.

Frank616 · #2 25th December 2007, 12:51 AM

I am a junior member here who is also searching this forum trying to get Samba to work. I came across this post saying that unless you are using SELinux in permissive mode, you won't get a connection. Maybe something there will help you.

http://forums.fedoraforum.org/forum/...+configuration

Frank.