Hey all... not exactly an SELinux veteran, but am trying to work through some issues.
Specifically, setting up a simple Samba configuration on a CentOS 5 machine. Determined I needed to do
setsebool -P samba_enable_home_dirs 1
In order to get access to home directory shares working correctly. Fine; this is documented in samba_selinux(8).
However, I still see the following in my /var/log/audit/audit.log file:
type=AVC msg=audit(1200895451.310:1231): avc: denied { rename } for pid=24854 comm="smbd" name="smbd.log" dev=dm-0 ino=14254108 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:samba_log_t:s0 tclass=file
type=SYSCALL msg=audit(1200895451.310:1231): arch=40000003 syscall=38 success=no exit=-13 a0=6155e0 a1=bfb8bf08 a2=60da4c a3=bfb8bf08 items=0 ppid=24848 pid=24854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=user_u:system_r:smbd_t:s0 key=(null)
audit2allow suggests I create policy as follows:
allow smbd_t samba_log_t:file rename;
To resolve the problem. I decided to just do:
setsebool -P smbd_disable_trans 1
And this cleared up the errors.
Anyways, is this a bug? Seems like policy should allow smbd to work with its own logfiles....
Can file upstream if necessary, but starting here.
Ray
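An added example, not from Ray's post nor from the Samba or SELinux projects: a POSIX shell script that turns the AVC record quoted above into the allow rule audit2allow suggested and wraps it in a local policy module, which keeps smbd confined instead of switching its domain transition off. The module name local_smbd and the file names it writes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: derive the allow rule from the
# AVC record quoted above (what audit2allow does), wrap it in a small local
# policy module and load it. Loading the module keeps smbd confined; the
# smbd_disable_trans boolean instead leaves smbd running unconfined.
# The AVC text is copied from the post; the module name "local_smbd" is ours.

AVC='type=AVC msg=audit(1200895451.310:1231): avc: denied { rename } for pid=24854 comm="smbd" name="smbd.log" dev=dm-0 ino=14254108 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:samba_log_t:s0 tclass=file'

# avc_to_rule AVC_RECORD: print one "allow src tgt:class perms;" line.
# Returns 1 if any of the four needed fields is missing from the record.
avc_to_rule() {
    _perms=$(printf '%s\n' "$1" | sed -n 's/.*denied { *\([^}]*[^} ]\) *}.*/\1/p')
    _src=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    _tgt=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    _cls=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$_perms" ] && [ -n "$_src" ] && [ -n "$_tgt" ] && [ -n "$_cls" ] || return 1
    case "$_perms" in
        *' '*) printf 'allow %s %s:%s { %s };\n' "$_src" "$_tgt" "$_cls" "$_perms" ;;
        *)     printf 'allow %s %s:%s %s;\n' "$_src" "$_tgt" "$_cls" "$_perms" ;;
    esac
}

# te_module NAME RULE: emit the .te source for checkmodule, with the
# require block derived from the rule itself.
te_module() {
    _name=$1
    set -- $2                      # allow SRC TGT:CLASS PERMS...
    _src=$2; _tgt=${3%%:*}; _cls=${3#*:}
    shift 3; _perms=$(printf '%s\n' "$*" | sed 's/[{};]//g; s/^ *//; s/ *$//')
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$_name" "$_src" "$_tgt" "$_cls" "$_perms"
    printf 'allow %s %s:%s { %s };\n' "$_src" "$_tgt" "$_cls" "$_perms"
}

# build_and_load NAME: compile NAME.te and install it (needs policycoreutils, root).
build_and_load() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

RULE=$(avc_to_rule "$AVC") || { echo "could not parse AVC record" >&2; exit 1; }
te_module local_smbd "$RULE" > local_smbd.te && cat local_smbd.te
# On the CentOS box, as root, then run: build_and_load local_smbd
```

The generated module grants exactly the one permission the denial names, so later denials are still logged and reviewable, which is lost once smbd runs unconfined.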