[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: samba selinux adding new PC to domain



Scott Tsai wrote:
On Wed, 26 Apr 2006 13:34:01 -0400, mroselinux wrote:
How can I always leave enforcing on?

You could create a local policy module to grant useradd the additional
permisions.

1. Create a file t.log with the relevant avc messages.
cat <<-EOF > t.log
	audit(1145984005.084:160): avc:  denied  { append } for  pid=24952
	comm="useradd" name="log.mslib2k10w" dev=dm-0 ino=8674237
	scontext=root:system_r:useradd_t:s0 tcontext=root:object_r:samba_log_t:s0
	tclass=file
	audit(1145984005.088:162): avc:  denied  { read write } for  pid=24952
	comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
EOF
Why is useradd appending to samba_log? This might be a bug in samba is leaking
2. Build a selinux policy module with audit2allow
audit2allow -M local_samba_useradd -i t.log

3. Load the policy module into the kernel
semodule -i local_samba_useradd.pp

4. If you want to keep this setting across reboot, I guess you'll have to put the "semodule -i" line into /etc/rc.d/rc.local ?

semodule changes are permanant. No need to semodule -i in /etc/rc.d/rc.local.


I'm a bit suspicious about why the "passwd" file was labeled
"etc_runtime_t" in the first place.

See Also:
http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]