[CentOS] SELinux issue

Mon Jan 21 06:23:08 UTC 2008
Ray Van Dolson <rayvd at bludgeon.org>

Hey all... not exactly an SELinux veteran, but am trying to work
through some issues.

Specifically, setting up a simple Samba configuration on a CentOS 5
machine.  Determined I needed to do 

  setsebool -P samba_enable_home_dirs 1
 
in order to get access to home directory shares working correctly.
Fine; this is documented in samba_selinux(8).

However, I still see the following in my /var/log/audit/audit.log file:

  type=AVC msg=audit(1200895451.310:1231): avc:  denied  { rename } for  pid=24854 comm="smbd" name="smbd.log" dev=dm-0 ino=14254108 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:samba_log_t:s0 tclass=file
  type=SYSCALL msg=audit(1200895451.310:1231): arch=40000003 syscall=38 success=no exit=-13 a0=6155e0 a1=bfb8bf08 a2=60da4c a3=bfb8bf08 items=0 ppid=24848 pid=24854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=user_u:system_r:smbd_t:s0 key=(null)

audit2allow suggests I create policy as follows:

  allow smbd_t samba_log_t:file rename;

to resolve the problem.  I decided to just do:

  setsebool -P smbd_disable_trans 1

And this cleared up the errors.

Anyways, is this a bug?  Seems like policy should allow smbd to work
with its own logfiles....

Can file upstream if necessary, but starting here.

Ray
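
Added example, not part of the original message: a small Python parser that groups the quoted audit records by event serial and derives the same single-permission rule audit2allow suggested, so the denial can be reviewed as a narrow local policy change with smbd still running in the smbd_t domain. The function names are illustrative, and the SYSCALL record in the embedded sample is shortened to the fields the code uses.

```python
import re

# Constructed sample: the two audit records from the message (SYSCALL record shortened).
AUDIT_LOG = '''\
type=AVC msg=audit(1200895451.310:1231): avc:  denied  { rename } for  pid=24854 comm="smbd" name="smbd.log" dev=dm-0 ino=14254108 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:samba_log_t:s0 tclass=file
type=SYSCALL msg=audit(1200895451.310:1231): arch=40000003 syscall=38 success=no exit=-13 pid=24854 comm="smbd" exe="/usr/sbin/smbd" subj=user_u:system_r:smbd_t:s0
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Turn 'k=v k="v"' pairs into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def se_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(':')[2]

def parse_denials(log):
    """Group records by audit event serial; return one dict per AVC denial."""
    events = {}
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, _ts, serial, body = m.groups()
            events.setdefault(serial, {})[rtype] = body
    denials = []
    for serial, recs in events.items():
        avc = AVC.match(recs.get('AVC', ''))
        if not avc:
            continue  # event has no AVC denial record
        f = fields(avc.group(2))
        sc = fields(recs.get('SYSCALL', ''))  # may be absent from the log
        denials.append({
            'serial': serial, 'perms': avc.group(1).split(),
            'source': se_type(f['scontext']), 'target': se_type(f['tcontext']),
            'tclass': f['tclass'], 'name': f.get('name'), 'exe': sc.get('exe'),
            'exit': int(sc['exit']) if 'exit' in sc else None,
        })
    return denials

def allow_rule(d):
    """Render the denial as the minimal type-enforcement allow rule."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perms};"

if __name__ == '__main__':
    for d in parse_denials(AUDIT_LOG):
        print(d['serial'], d['exe'], d['name'], 'exit', d['exit'], '->', allow_rule(d))
```

The exit value -13 in the SYSCALL record is EACCES, which is how the denied rename of smbd.log surfaces to smbd itself.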