SELinux problems with new LVM Volume and Samba

Support for security such as Firewalls and securing linux

SELinux problems with new LVM Volume and Samba

Postby richard_chapman » 2010/04/10 15:42:32

I have a server which has been running SELinux (Permissive) on a Centos 5.4 with very few AVCs for months.
I have cloned the system from a complete system tar backup, then relabelled the entire file-system. At that point the cloned system was running fine too.
I then created a new LVM volume called 'data' on the clone and mounted it /mnt/data and created a samba share folder in this mounted file-system.
Now any attempt to access the samba share generates these AVCs (see below):
I have tried auto relabelling which didn't help - possibly because the new filesystem wasn't mounted at boot time.
I have also tried "fixfiles restore" - which appeared to relabel everything - including /mnt/data but the problem persists. I have also tried several variants of restorecon - including:
restorecon -Rv /mnt/data - which produced neither error nor output.

But still the problem persists.

Is there somewhere I have to define the correct default contexts for the new volume? Is there some other way I need to tell restorcon the correct context for the new filesystem? Is there some step I am missing?

I have re-read the SELinux wiki - and have tried all the suggestions I could find. I am still unclear on how SELinux relabelling decides on the correct default context for all the files. An explanation of how this works might help me to diagnose this problem.

Thanks Centos for a great product with great support...

Richard.

Summary
SELinux is preventing access to files with the label, file_t.
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux permission checks on files labeled file_t are being denied. file_t is the context the SELinux kernel gives to files that do not have a label. This indicates a serious labeling problem. No files on an SELinux box should ever be labeled file_t. If you have just added a new disk drive to the system you can relabel it using the restorecon command. Otherwise you should relabel the entire files system.
Allowing Access
You can execute the following command as root to relabel your computer system: "touch /.autorelabel; reboot"
Additional Information
Source Context: system_u:system_r:smbd_t
Target Context: system_u:object_r:file_t
Target Objects: ./test.txt [ file ]
Source: smbd
Source Path: /usr/sbin/smbd
Port:
Host: c5.thebigpicturefactory.com.au
Source RPM Packages: samba-3.0.33-3.15.el5_4.1
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-255.el5_4.4
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: file
Host Name: c5.thebigpicturefactory.com.au
Platform: Linux c5.thebigpicturefactory.com.au 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:30:06 EDT 2010 x86_64 x86_64
Alert Count: 1
First Seen: Sat Apr 10 22:14:07 2010
Last Seen: Sat Apr 10 22:14:07 2010
Local ID: 1c40f507-6a84-435e-984d-cfe04eeed881
Line Numbers:

Raw Audit Messages :

host=c5.thebigpicturefactory.com.au type=AVC msg=audit(1270908847.367:559): avc: denied { read } for pid=6099 comm="smbd" name="test.txt" dev=dm-2 ino=94060547 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
host=c5.thebigpicturefactory.com.au type=SYSCALL msg=audit(1270908847.367:559): arch=c000003e syscall=2 success=yes exit=27 a0=7ffff5f404d0 a1=0 a2=0 a3=10 items=0 ppid=3125 pid=6099 auid=4294967295 uid=504 gid=0 euid=504 suid=0 fsuid=504 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
richard_chapman
 
Posts: 251
Joined: 2006/09/08 02:54:11

Re: SELinux problems with new LVM Volume and Samba

Postby chuina » 2010/04/10 16:33:31

Have you tried the suggested one as 'root':
Code: Select all
touch /.autorelabel; reboot
chuina
 
Posts: 355
Joined: 2009/12/11 10:25:56

Re: SELinux problems with new LVM Volume and Samba

Postby TrevorH » 2010/04/11 00:17:01

If you have mounted the file system under /mnt/data then that's not a 'standard' path that will be known by selinux and you will probably need to tell it about it before you can relabel correctly. You need to use semanage to add the mount point to the list and tell the system what label to apply to it or it'll get labeled with something default that will not work (as you discovered). So I have my Samba shares mounted under /shares and this is what I have
Code: Select all
# semanage fcontext -l | grep '^/shares'
/shares                                            directory          system_u:object_r:public_content_t:s0
/shares(/.*)?                                      all files          system_u:object_r:samba_share_t:s0

That's achieved by running
Code: Select all
/usr/sbin/semanage fcontext -a -f-d -t public_content_t '/shares'
/usr/sbin/semanage fcontext -a -t samba_share_t '/shares(/.*)?'
/sbin/restorecon -RF /shares/

You may not need the public_content_t on your top level dir - I need this because there is a directory there that is also used by Apache.
User avatar
TrevorH
Forum Moderator
 
Posts: 9167
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux problems with new LVM Volume and Samba

Postby richard_chapman » 2010/04/11 08:39:30

Hi and thanks Chuina and Trevor
I had tried the "touch... " autorelabelling - and it wasn't helpful - and I now think I realise why.
Trevor's explanation and suggestion solved my problem. Many thanks. I have also created a "share" folder in the root for mounting volumes for samba shares - and now I realise that the relabelling uses specifications given to it by semanage... now it all make sense - or at least a lot more sense...:-)


Richard.
richard_chapman
 
Posts: 251
Joined: 2006/09/08 02:54:11

Re: SELinux problems with new LVM Volume and Samba

Postby e-ghost » 2010/07/30 08:31:29

hi guys, 1st post in here and really need your expertise help~ :-)

I've just encountered this issue so was googled to here. What my env is:

I have created a new logic volume /dev/VolGroup00/LogVol02, then format it as JFS.

ls -dZ /dev/VolGroup00/LogVol02
lrwxrwxrwx root root system_u:object_r:device_t /dev/VolGroup00/LogVol02 -> /dev/mapper/VolGroup00-LogVol02


Then I created a mount point /www, before mount,it is:

ls -dZ /www
drwx--x--x root root root:object_r:default_t /www


then I mount the new LV to it by:
mount -o noatime -t jfs /dev/VolGroup00/LogVol02 /u


it became:
ls -dZ /www
drwx--x--x root root system_u:object_r:file_t /www


If I then:
/usr/sbin/semanage fcontext -a -f-d -t samba_share_t '/www'
/usr/sbin/semanage fcontext -a -t samba_share_t '/www(/.*)?'
/sbin/restorecon -RFv /www


I will get the CURRENT EXISTED files change to samba_share_t. But whenever I copy new file on this /www samba share drive, it will just create an empty file with the name and prompt error. ls -dZ will see all the newly created file will have "file_t" so samba cannot fill data into it.

Is this the problem caused from the LVM logical volume? 'cause if I create another root folder called /www1, all new files in it will be default_t. But all the new file contained by that LV will be "file_t". Is it because SELinux does not has knowledge of this device so labeled everything in it be "file_t"? Anyway I can change this behavior?

Many thanks!! :-(
e-ghost
 
Posts: 7
Joined: 2010/07/30 01:41:37

Re: SELinux problems with new LVM Volume and Samba

Postby TrevorH » 2010/07/30 15:26:26

What does your ls -dZ /www say now?
User avatar
TrevorH
Forum Moderator
 
Posts: 9167
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux problems with new LVM Volume and Samba

Postby e-ghost » 2010/08/02 02:29:20

Hi TrevorH thanks for your reply! :-)

by now:

ls -dZ /www
drwx--x--x root root system_u:object_r:samba_share_t /www


actually all the files and directories existed before I run /usr/sbin/semanage fcontext -a -f-d -t samba_share_t '/www' & /usr/sbin/semanage fcontext -a -t samba_share_t '/www(/.*)?' has changed to be "samba_share_t". But all the files and directories create afterward will has initial label as "file_t" as long as the /www was mounted to the LV. If I umount /www and ls -dZ, I will see the label is "default_t".....

So strange.... I don't know how to let SELinux recognise the new LV and don't give any "file_t" for the files and directories created on it. Otherwise, samba on it cannot only be read-only -- cannot write anything on it.

Please help! Thanks a lot!! :-P
e-ghost
 
Posts: 7
Joined: 2010/07/30 01:41:37

Re: SELinux problems with new LVM Volume and Samba

Postby e-ghost » 2010/08/03 08:26:59

I tried to:

vi /etc/selinux/targeted/contexts/files/file_contexts

/www/htdocs(/.*)? system_u:object_r:httpd_sys_content_t:s0
/www/icons(/.*)? system_u:object_r:httpd_sys_content_t:s0
/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
/www(/.*)?/logs(/.*)? system_u:object_r:httpd_log_t:s0


but all the new files (say, cache files of framework) on htdocs created by webserver itself will be "file_t".
But if i manually run /sbin/restorecon -RFv /www then it will be changed from "file_t" to "httpd_sys_content_t".

So is there any place I can set so that all the correct SELinux label will be given to the files rigth when they were created / uploaded? (as a default place of that location?)

Many thanks!
e-ghost
 
Posts: 7
Joined: 2010/07/30 01:41:37

Re: SELinux problems with new LVM Volume and Samba

Postby TrevorH » 2010/08/03 10:06:16

Do you have the restorecond service running?

Code: Select all
service restorecond status
User avatar
TrevorH
Forum Moderator
 
Posts: 9167
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux problems with new LVM Volume and Samba

Postby e-ghost » 2010/08/03 18:11:08

yes restorecond was enabled as service all along. thx!
e-ghost
 
Posts: 7
Joined: 2010/07/30 01:41:37

Next

Return to CentOS 5 - Security Support

Who is online

Users browsing this forum: No registered users and 0 guests