wrt inotify problem

simo idra at samba.org
Wed Apr 11 15:11:30 GMT 2007


On Wed, 2007-04-11 at 09:03 +1000, tridge at samba.org wrote:
> Volker,
> 
>  > Ok, this is really broken. SELinux allows us to set up
>  > everything necessary for inotify but then when something
>  > happens gives us an access denied? Very weird. Trying to
>  > find a fix.
> 
> Just a wild guess, but I would not be surprised if the problem is our
> security context. If we setup the notify as one euid and try to handle
> the notify as a different euid then maybe selinux refuses it.

No, SELinux does not know anything about UIDs and does not care about UIDs
at all.

> Might be worth writing a bit of test code, and if this guess does turn
> out to be right, we can fix with some euid hacks on -1/EACCES.

No, the problem is that inotifyfs has its own label and the policies
were not allowing smbd to access objects labeled that way.
The first time that label is met is when smbd calls the ioctl, and
that's where SELinux blocks it.

No workaround, except disabling SELinux or updating the policies.
New policy packages for FC6/F7 are on the way.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
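To confirm that a denial is the case Simo describes (smbd hitting an object carrying the inotify label, rather than a share or UID problem), the practical check is to pull the AVC records from the audit log and look at the target context. The script below is an added example, not code from the thread or from Samba: it parses two constructed AVC lines (not a real capture) and classifies them. The type name `inotifyfs_t` is assumed to be the label the message refers to; the `ausearch` invocation in the comments is the real tool a practitioner would feed in instead of the constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): classify AVC denials for smbd against
# inotify-labelled objects. The two audit records below are constructed for
# illustration; inotifyfs_t is assumed to be the label the message refers to.

# Constructed sample AVC records (field layout follows the kernel audit format).
# In real use, replace with: ausearch -m avc -c smbd --raw
SAMPLE_AVC='type=AVC msg=audit(1176304290.123:42): avc:  denied  { ioctl } for  pid=2345 comm="smbd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=AVC msg=audit(1176304291.456:43): avc:  denied  { read } for  pid=2345 comm="smbd" name="share" dev=sda1 ino=99 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir'

# Extract one key=value field (e.g. tcontext) from an AVC line.
# $1 = field name, $2 = audit line
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Return the SELinux type (third colon-separated component) of a context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permission that was denied, e.g. "ioctl" from "{ ioctl }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ \([^}]*\) }.*/\1/p'
}

# Print "inotify-denial" when the denial is smbd_t acting on an inotifyfs_t
# object (the case discussed in the message), otherwise "other".
classify_avc() {
    line="$1"
    s=$(ctx_type "$(avc_field scontext "$line")")
    t=$(ctx_type "$(avc_field tcontext "$line")")
    if [ "$s" = "smbd_t" ] && [ "$t" = "inotifyfs_t" ]; then
        echo inotify-denial
    else
        echo other
    fi
}

# Walk the records and print: source type, denied permission, target type, verdict.
report() {
    printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r line; do
        printf '%s %s %s -> %s\n' \
            "$(ctx_type "$(avc_field scontext "$line")")" \
            "$(avc_perm "$line")" \
            "$(ctx_type "$(avc_field tcontext "$line")")" \
            "$(classify_avc "$line")"
    done
}

report
```

The first record classifies as the inotify case (smbd_t denied ioctl on an inotifyfs_t object); the second is an ordinary share-label denial and is reported as "other". As the message says, the fix for the first case is a policy update rather than anything smbd can do about EACCES; until the distribution policy packages arrive, the standard local workaround is to generate a module from the denials (`ausearch -m avc -c smbd | audit2allow -M local_smbd_inotify` followed by `semodule -i local_smbd_inotify.pp`), after reading the generated rules to make sure they grant only the inotify access and nothing broader.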


