samba selinux adding new PC to domain

Daniel J Walsh dwalsh at redhat.com
Wed May 3 17:32:31 UTC 2006


Scott Tsai wrote:
> On Wed, 26 Apr 2006 13:34:01 -0400, mroselinux wrote:
>   
>> How can I always leave enforcing on?  
>>     
>
> You could create a local policy module to grant useradd the additional
> permissions.
>
> 1. Create a file t.log with the relevant avc messages.
> cat <<-EOF > t.log
> 	audit(1145984005.084:160): avc:  denied  { append } for  pid=24952
> 	comm="useradd" name="log.mslib2k10w" dev=dm-0 ino=8674237
> 	scontext=root:system_r:useradd_t:s0 tcontext=root:object_r:samba_log_t:s0
> 	tclass=file
> 	audit(1145984005.088:162): avc:  denied  { read write } for  pid=24952
> 	comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
> EOF
>   
Why is useradd appending to samba_log?  This might be a bug in samba that is 
leaking
> 2. Build a selinux policy module with audit2allow
> audit2allow -M local_samba_useradd -i t.log
>
> 3. Load the policy module into the kernel
> semodule -i local_samba_useradd.pp
>
> 4. If you want to keep this setting across reboot, 
> I guess you'll have to put the "semodule -i" line into /etc/rc.d/rc.local ?
>
>   
semodule changes are permanent.  No need to semodule -i in 
/etc/rc.d/rc.local.


> I'm a bit suspicious about why the "passwd" file was labeled
> "etc_runtime_t" in the first place.
>
> See Also:
> http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
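As an added example (not code posted by Scott Tsai or Dan Walsh), the script below walks the procedure from the quoted message with the review step a practitioner wants in between: it prints the allow rules that audit2allow would generate from the two denials so they can be read as text first, checks whether the second denial is really just a mislabeled /etc/passwd (matchpathcon versus the file's current context, fixable with restorecon rather than with policy), and only then runs the audit2allow -M / semodule -i steps and confirms the module is listed. The AVC lines are the two from the thread, joined back onto single lines as audit.log writes them; the module name local_samba_useradd is the one used in the thread; the path /etc/passwd, the matchpathcon -n and stat -c %C invocations, and the reading of the first denial as a file descriptor useradd inherited from samba are assumptions of this example. The SELinux tool calls are skipped when those tools are not installed, so the rule-generation part runs anywhere.

```shell
#!/bin/sh
# Added example for this thread (not code posted by Scott Tsai or Dan Walsh).
# Turn the quoted AVC denials into the allow rules audit2allow would emit,
# review them as text, and only then build and load the module with the
# commands from the thread.  audit2allow / semodule / matchpathcon are
# only invoked when they are installed.
set -u

# Constructed input: the two denials quoted in the thread, each on one line
# as audit.log writes them (the mail client wrapped them).
AVC_LOG='audit(1145984005.084:160): avc:  denied  { append } for  pid=24952 comm="useradd" name="log.mslib2k10w" dev=dm-0 ino=8674237 scontext=root:system_r:useradd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
audit(1145984005.088:162): avc:  denied  { read write } for  pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file'

# avc_to_allow: read AVC lines on stdin, print one TE allow rule per denial,
# i.e. what `audit2allow` prints without -M.  Source and target types are
# the third field of scontext/tcontext; the permission set is what sits
# between { and }.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }'
}

# check_label: before allowing useradd_t to touch etc_runtime_t, see whether
# the file is simply mislabeled.  matchpathcon -n prints the context policy
# expects for the path; stat -c %C prints the one the file has now.  Returns
# 1 on a mismatch so the caller can run `restorecon -v PATH` instead of
# widening policy.  Returns 0 (skipped) where the tools are missing.
check_label() {
    path=$1
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "matchpathcon not installed; skipping label check for $path" >&2
        return 0
    fi
    expected=$(matchpathcon -n "$path")
    actual=$(stat -c %C "$path")
    if [ "$expected" != "$actual" ]; then
        echo "$path is $actual but policy expects $expected; run: restorecon -v $path" >&2
        return 1
    fi
    return 0
}

# build_module: the audit2allow -M and semodule -i steps from the thread,
# followed by a check that the module is now listed.  semodule stores the
# module persistently, so nothing goes into rc.local.  The module name is
# the caller's choice (assumption: any name not already in `semodule -l`).
build_module() {
    log=$1; module=$2
    if ! command -v audit2allow >/dev/null 2>&1 || ! command -v semodule >/dev/null 2>&1; then
        echo "audit2allow/semodule not installed; module not built" >&2
        return 0
    fi
    audit2allow -M "$module" -i "$log" || return 1   # writes $module.te and $module.pp
    semodule -i "$module.pp" || return 1             # load into the running kernel
    semodule -l | grep -q "^$module" || return 1     # confirm it is installed
}

workdir=$(mktemp -d)
printf '%s\n' "$AVC_LOG" > "$workdir/t.log"

echo "Rules audit2allow would generate (review before loading):"
avc_to_allow < "$workdir/t.log"

# Only the second denial is a candidate for a labeling fix.  The first
# (useradd appending to a samba log) reads as a file descriptor useradd
# inherited from samba; an allow rule would only hide that.
check_label /etc/passwd || true
build_module "$workdir/t.log" local_samba_useradd
rm -rf "$workdir"
```

Reading the generated rules before `semodule -i` is the point of the extra step: `allow useradd_t samba_log_t:file { append };` is exactly the kind of rule that makes a denial go away while leaving the underlying cause (here, a log descriptor reaching useradd) in place.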
