SELinux breaks samba with no AVCs...

Daniel J Walsh dwalsh at redhat.com
Tue Sep 27 21:02:31 UTC 2005


Tom Lisjac wrote:

>I'm trying to make samba shares available on a new FC4 server I've
>just built that's running selinux-policy-targeted-1.27.1-2.1. I
>relabelled after the update the other day, ran permissive until
>everything worked, added the following to local.te and recompiled the
>policy sources:
>
>allow smbd_t home_root_t:dir { getattr search };
>allow smbd_t httpd_sys_content_t:dir { getattr read remove_name search write };
>allow smbd_t httpd_sys_content_t:file { getattr lock read unlink };
>allow smbd_t samba_net_tmp_t:file { getattr read write };
>allow smbd_t user_home_dir_t:dir { getattr read };
>allow smbd_t user_home_t:dir getattr;
>allow smbd_t user_home_t:file getattr;
>
>When I switched to enforcing, I couldn't connect... and there were no
>new AVCs. Switching back to permissive worked.
>
>I've never seen this behavior before. In the past when enforcing,
>there has always been an AVC to explain a denial of service. This time
>there wasn't. Turning off selinux fixes the problem so there must be a
>relationship.
>
>Disabling selinux seems to be my only alternative... but I'd rather
>not. Any suggestions would be appreciated.
>
>-Tom
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
Try out the booleans:

setsebool -P samba_enable_home_dirs=1

# getsebool -a | grep samba
samba_enable_home_dirs --> inactive
use_samba_home_dirs --> inactive
# getsebool -a | grep smb
allow_smbd_anon_write --> inactive
smbd_disable_trans --> inactive


-- 
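The reply above points at the Samba booleans rather than at more allow rules. As an added example (not part of the original thread), the script below reads `getsebool -a` style output, lists every Samba/smbd boolean with a normalised on/off state, and prints the persistent `setsebool -P` command for any named boolean that is still off. The input is a constructed sample modelled on the lines quoted in the reply, so it runs offline; on a real host you would pipe `getsebool -a` into the functions instead. The function names and the extra sample entries (`httpd_enable_homedirs`, `samba_export_all_ro`) are assumptions for the example, not something the page shows.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses getsebool output and
# tells you which Samba booleans still need setsebool -P.

# Constructed sample output (assumption): the four lines from the reply plus
# two extra entries to show filtering and the newer "on/off" wording.
SAMPLE_GETSEBOOL='allow_smbd_anon_write --> inactive
samba_enable_home_dirs --> inactive
smbd_disable_trans --> inactive
use_samba_home_dirs --> inactive
httpd_enable_homedirs --> off
samba_export_all_ro --> on'

# samba_boolean_states: stdin is getsebool -a output; prints "name state"
# for each boolean whose name mentions samba or smb. Older policies print
# "inactive/active", newer ones "off/on"; both are normalised to off/on.
samba_boolean_states() {
    awk '$1 ~ /samba|smb/ {
        state = ($3 == "inactive" || $3 == "off") ? "off" : "on"
        print $1, state
    }'
}

# needed_setsebool NAME...: stdin is getsebool -a output; for each NAME that
# is currently off, print the persistent command that turns it on.
# Nothing is executed, so the output can be reviewed before running it.
needed_setsebool() {
    wanted="$*"
    samba_boolean_states | awk -v wanted="$wanted" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        ($1 in want) && $2 == "off" { printf "setsebool -P %s=1\n", $1 }'
}

# Stand-alone run: show the states, then the fix for the boolean the reply sets.
printf '%s\n' "$SAMPLE_GETSEBOOL" | samba_boolean_states
printf '%s\n' "$SAMPLE_GETSEBOOL" | needed_setsebool samba_enable_home_dirs
```

`smbd_disable_trans` is deliberately not something to switch on to make the error go away: the `*_disable_trans` booleans stop the daemon from transitioning into its confined domain, so enabling it removes SELinux confinement from smbd instead of fixing the policy. Check `getsebool -a | grep -E 'samba|smb'` first, as the reply does, and only persist the specific boolean that matches the feature you need.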