
TL;DR

SELinux is blocking samba from reading /var/log and all contents

Problem

With SELinux disabled, my samba users (sssd/kerberos joined to AD 2008 R2) can browse my shared directory /var/log. With SELinux enabled, it doesn't work.

My /var/log/messages snippet

Aug 29 13:28:38 servername kernel: [11625.509586] type=1400 audit(1472491718.859:35): avc:  denied  { read } for  pid=7492 comm="smbd" name="spamfilter-all.log" dev="dm-3" ino=26 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=lnk_file
Aug 29 13:28:38 servername kernel: [11625.626225] type=1400 audit(1472491718.975:36): avc:  denied  { getattr } for  pid=7492 comm="smbd" path="/var/log/remote/192.168.11.1" dev="dm-3" ino=1966096 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=lnk_file

Running audit2allow < ~/logsnippet shows

#============= smbd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     samba_export_all_ro, samba_export_all_rw
allow smbd_t var_log_t:lnk_file { read getattr };

What I've already tried

From https://wiki.centos.org/HowTos/SELinux, I tried using audit2allow to make a module that I then loaded:

audit2allow < ~/logsnippet -M allow_samba_var_log
semodule -i allow_samba_var_log.pp

The module installed, because I see it in semodule -l | grep allow but I still cannot access /var/log through samba.

What I cannot do

  • Disable SELinux
  • https://lists.samba.org/archive/samba/2006-May/120632.html suggests modifying source, but I am not certain I want to try to modify source code for an selinux package (selinux-policy-targeted-sources is named in this link). Someone might be able to convince me to do this if necessary.

End results

What I ended up doing was enabling the boolean samba_export_all_ro.

bgStack15
  • Did you check for new denials after installing your local policy ? – user9517 Aug 29 '16 at 19:41
  • I did, and it added a few entries similar to the `allow smbd_t var_log_t:lnk_file` like dir and so on, but it didn't make a difference. – bgStack15 Aug 29 '16 at 21:03
  • Before you do anything, consider carefully the wisdom (or lack thereof) of attempting to share this directory at all. – Michael Hampton Aug 29 '16 at 23:53
  • @MichaelHampton, it's a log server, and the reason I'm building a new server (CentOS 7) is so that I can easily make the samba share for my boss. I was fine with sftp. I suppose I could rearrange things and share just /var/log/remote – bgStack15 Aug 30 '16 at 11:46
  • If you solved this yourself, please post an answer. It will get lost as part of the question. – Michael Hampton Oct 12 '16 at 19:13
  • @Done. I was hoping somebody would still post a real solution somewhen in the future. – bgStack15 Oct 12 '16 at 20:31

3 Answers


When SELinux is in enforcing mode, only the first denial will be logged because the denial causes the call to fail.

You should run your system temporarily in Permissive mode (setenforce 0). This will cause all denials to be logged, not just the first. Once you have fully exercised your system you should then use audit2why and audit2allow on the logged messages to understand what is happening and to create a custom module.

If you are happy with the results of your audit then you can install the custom module.

Monitor your audit log for additional denials and take appropriate actions.

When you're happy set enforcing mode (setenforce 1)

Note: You can

kill -USR1 <PIDofAuditd>

to have auditd flush its log and start another for easy checking that you have mopped up all the relevant denials.

user9517
    Rather than putting the entire system in permissive mode, you can put a single domain in permissive mode. For instance `semanage permissive -a smbd_t` and `semanage permissive -d smbd_t` to go back. – Michael Hampton Aug 29 '16 at 23:55
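The loop described in this answer (and the module-building attempt in the question) as an added shell example; it is not code from either poster. The first function collects the real commands for reference and is not run here, since it needs root and SELinux; the second is a small awk stand-in for audit2allow that turns AVC denial lines into allow rules, so the block runs offline. The sample input reuses the two AVC lines from the question plus two constructed dir/file denials of the kind the questioner says appeared after the first module was installed; the module name local_smbd is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not the poster's code.

# Part 1: the answer's triage loop, using the per-domain permissive variant
# from the comment. Defined only; run it as root on the affected host.
selinux_triage_loop() {
    semanage permissive -a smbd_t        # only smbd_t goes permissive, the rest stays enforcing
    # ... exercise the share from a client here ...
    ausearch -m avc -ts recent -c smbd | audit2why               # explain every denial
    ausearch -m avc -ts recent -c smbd | audit2allow -M local_smbd   # build the module
    semodule -i local_smbd.pp
    semanage permissive -d smbd_t        # back to enforcing for smbd_t
    ausearch -m avc -ts recent -c smbd   # anything left after re-enforcing?
}

# Part 2: constructed sample. Lines 1-2 are from the question; lines 3-4 are
# an assumption of what shows up next (dir and file denials, same contexts).
SAMPLE_AVC='Aug 29 13:28:38 servername kernel: [11625.509586] type=1400 audit(1472491718.859:35): avc:  denied  { read } for  pid=7492 comm="smbd" name="spamfilter-all.log" dev="dm-3" ino=26 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=lnk_file
Aug 29 13:28:38 servername kernel: [11625.626225] type=1400 audit(1472491718.975:36): avc:  denied  { getattr } for  pid=7492 comm="smbd" path="/var/log/remote/192.168.11.1" dev="dm-3" ino=1966096 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=lnk_file
Aug 29 13:29:01 servername kernel: [11648.000001] type=1400 audit(1472491741.000:37): avc:  denied  { read } for  pid=7492 comm="smbd" name="remote" dev="dm-3" ino=1966000 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir
Aug 29 13:29:01 servername kernel: [11648.000002] type=1400 audit(1472491741.000:38): avc:  denied  { read open } for  pid=7492 comm="smbd" name="messages" dev="dm-3" ino=1966001 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file'

# avc_rules: read AVC denials on stdin, print one allow rule per
# (source type, target type, object class), permissions merged and sorted.
# This is what audit2allow does with the same input, minus the boolean hints.
avc_rules() {
    awk '/avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)      # keep only what is inside { ... }
        sub(/ *[}].*/, "", perms)
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print s[3], t[3], c, p[i]   # third field of a context is the type
    }' | sort -u | awk '
    {
        key = $1 " " $2 ":" $3
        if (key != prev && prev != "") print "allow " prev " { " perms " };"
        if (key != prev) perms = $4; else perms = perms " " $4
        prev = key
    }
    END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# Stand-alone run: the rules the full denial set would need. Compare with the
# single lnk_file rule the first module contained.
printf '%s\n' "$SAMPLE_AVC" | avc_rules
```

The point of the stand-in is to make the first-denial problem visible: the module built from the original two lines grants only lnk_file read/getattr, while the merged set also needs dir and file permissions, which only show up once smbd_t is no longer stopped at the first denial. Check the real policy with audit2why rather than this script; it also reports which boolean (here samba_export_all_ro) would cover the same access without a custom module.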

My solution

The original question stated I wasn't going to use the samba_export_all_ro boolean. Unfortunately that was the only solution I found.

So, to solve the problem, I ran

setsebool samba_export_all_ro 1
bgStack15

You should first make sure that you've got the contexts setup right before messing around with custom modules.

Take a look at ls -Z, the samba_share_t context must be set before daemons can access the directory.

If it's not, set it then try again:

chcon -t samba_share_t /var/log