TL;DR
SELinux is blocking samba from reading /var/log and all contents
Problem
With SELinux disabled, my samba users (sssd/kerberos joined to AD 2008 R2) can browse my shared directory /var/log. With SELinux enabled, it doesn't work.
My /var/log/messages snippet
Aug 29 13:28:38 servername kernel: [11625.509586] type=1400 audit(1472491718.859:35): avc: denied { read } for pid=7492 comm="smbd" name="spamfilter-all.log" dev="dm-3" ino=26 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=lnk_file
Aug 29 13:28:38 servername kernel: [11625.626225] type=1400 audit(1472491718.975:36): avc: denied { getattr } for pid=7492 comm="smbd" path="/var/log/remote/192.168.11.1" dev="dm-3" ino=1966096 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=lnk_file
Running audit2allow < ~/logsnippet
shows
#============= smbd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# samba_export_all_ro, samba_export_all_rw
allow smbd_t var_log_t:lnk_file { read getattr };
What I've already tried
From https://wiki.centos.org/HowTos/SELinux, I tried using audit2allow to make a module that I then loaded:
audit2allow < ~/logsnippet -M allow_samba_var_log
semodule -i allow_samba_var_log.pp
The module installed, because I see it in semodule -l | grep allow
but I still cannot access /var/log through samba.
What I cannot do
- Disable SELinux
- https://lists.samba.org/archive/samba/2006-May/120632.html suggests modifying source, but I am not certain I want to try to modify source code for an selinux package (selinux-policy-targeted-sources is named in this link). Someone might be able to convince me to do this if necessary.
End results
What I ended up doing was enabling the boolean samba_export_all_ro.
When SELinux is in enforcing mode, only the first denial will be logged because the denial causes the call to fail.
You should run your system temporarily in Permissive mode (setenforce 0). This will cause all denials to be logged, not just the first. Once you have fully exercised your system you should then use audit2why and audit2allow on the logged messages to understand what is happening and to create a custom module. If you are happy with the results of your audit then you can install the custom module.
Monitor your audit log for additional denials and take appropriate actions.
When you're happy, set enforcing mode (setenforce 1).
Note: You can to have auditd flush its log and start another for easy checking that you have mopped up all the relevant denials.
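As an added illustration of what audit2allow does with the denials collected during a permissive run (this is example code written for this page, not audit2allow itself; it does not load the policy, so unlike the real tool it cannot point at booleans such as samba_export_all_ro): a small Python script that pulls AVC records out of /var/log/messages or audit.log, merges the permissions per source type, target type and object class, and prints them in allow-rule syntax. The first two AVC lines are the ones from the question; the non-AVC line and the two records carrying permissive=1 are constructed for the example.

```python
import re
from collections import OrderedDict

# One regex covers the AVC body regardless of where it was logged: the
# kernel ring buffer (/var/log/messages, as in the question) prefixes it
# with a timestamp and "kernel:", while auditd writes it to audit.log as
# "type=AVC msg=audit(...)". Newer kernels append permissive=1 when the
# access was allowed-but-logged because the system was in permissive mode.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """Return the type of a context such as system_u:system_r:smbd_t:s0."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one log line; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': m.group('perms').split(),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'permissive': m.group('permissive') == '1',
    }


def aggregate(lines):
    """Merge denials into (source type, target type, class) -> permissions,
    keeping first-seen order so the output is stable and easy to diff."""
    rules = OrderedDict()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        perms = rules.setdefault((d['stype'], d['ttype'], d['tclass']), [])
        for p in d['perms']:
            if p not in perms:
                perms.append(p)
    return rules


def logged_in_permissive(lines):
    """True when every denial carries permissive=1, i.e. the sample comes
    from a permissive run and is therefore complete, not just the first hit."""
    parsed = [d for d in map(parse_avc, lines) if d is not None]
    return bool(parsed) and all(d['permissive'] for d in parsed)


def render(rules):
    """Print the merged rules in the allow-rule syntax audit2allow emits."""
    out = []
    by_source = OrderedDict()
    for (stype, ttype, tclass), perms in rules.items():
        by_source.setdefault(stype, []).append((ttype, tclass, perms))
    for stype, entries in by_source.items():
        out.append('#============= %s ==============' % stype)
        for ttype, tclass, perms in entries:
            body = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
            out.append('allow %s %s:%s %s;' % (stype, ttype, tclass, body))
    return '\n'.join(out)


# Constructed sample: a non-AVC line, the two denials from the question
# (logged in enforcing mode, so no permissive= field), and two constructed
# audit.log records of the kind a permissive run of the same share would add.
SAMPLE_LOG = [
    'Aug 29 13:28:38 servername smbd[7492]: pam_unix(samba:session): session opened for user alice',
    'Aug 29 13:28:38 servername kernel: [11625.509586] type=1400 audit(1472491718.859:35): avc: denied { read } for pid=7492 comm="smbd" name="spamfilter-all.log" dev="dm-3" ino=26 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=lnk_file',
    'Aug 29 13:28:38 servername kernel: [11625.626225] type=1400 audit(1472491718.975:36): avc: denied { getattr } for pid=7492 comm="smbd" path="/var/log/remote/192.168.11.1" dev="dm-3" ino=1966096 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1472491800.100:40): avc: denied { read open } for pid=7492 comm="smbd" path="/var/log/messages" dev="dm-3" ino=4242 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1472491800.101:41): avc: denied { search } for pid=7492 comm="smbd" name="remote" dev="dm-3" ino=4243 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1',
]

if __name__ == '__main__':
    print(render(aggregate(SAMPLE_LOG)))
```

Run on only the two lines from the question it reproduces the single rule shown above; run on the full sample it shows why a module built from an enforcing-mode log is incomplete: the dir search and file read denials that would have followed were never logged because the first denial made the call fail. Where the real audit2allow names a boolean, prefer the boolean over a custom module: the module grants smbd_t the access unconditionally, while the boolean is a supported, reversible switch in the distribution policy.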
My solution
The original question stated I wasn't going to use the samba_export_all_ro boolean. Unfortunately that was the only solution I found. So, to solve the problem, I ran
You should first make sure that you've got the contexts setup right before messing around with custom modules.
Take a look at ls -Z, the samba_share_t context must be set before daemons can access the directory.
If it's not, set it then try again: