fc6 and samba

Daniel J Walsh dwalsh at redhat.com
Wed Mar 28 18:54:20 UTC 2007


selinux at lucullo.it wrote:
> thank you.. i will try right now...
>
> ...but i have a question about the ls -Z command:
>
> can i change the security context of these files 
>
> /usr/bin/smb*
>
>
>   
Yes, but that will not necessarily fix your problem.  If you chcon -t 
bin_t, they will no longer transition and SELinux will not affect them.  
But this could cause other applications that use winbind or samba some 
problems.
> that changing the policy rules instead?
>
> thank you again
>
>
> ----- Original Message -----
> From: Daniel J Walsh <dwalsh at redhat.com>
> To: "selinux at lucullo.it" <selinux at lucullo.it>
> Cc: fedora-selinux-list at redhat.com
> Subject: Re: fc6 and samba
> Date: Tue, 27 Mar 2007 11:22:54 -0400
>
>   
>> selinux at lucullo.it wrote:
>>     
>>> hi,
>>>
>>> my samba installation on fc6 has some problems due to
>>> selinux.
>>>
>>> this is the issue:
>>>
>>>
>>>
>>> --------------------------------------------------------
>>>
>>> Mar 27 16:14:11 francesca kernel: audit(1175004851.436:88): avc:  denied  { unlink } for  pid=3414 comm="winbindd" name="pipe" dev=hda3 ino=9886377 scontext=root:system_r:winbind_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file
>>> Mar 27 16:14:11 francesca winbindd[3414]: [2007/03/27 16:14:11, 0] lib/util_sock.c:create_pipe_sock(1308)
>>> Mar 27 16:14:11 francesca winbindd[3414]:   bind failed on pipe socket /var/cache/samba/winbindd_privileged/pipe: Address already in use
>>> Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
>>> Mar 27 16:14:24 francesca smbd[3420]:   get_md4pw: Workstation FRANCESCA$: no account in domain
>>> Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
>>> Mar 27 16:14:24 francesca smbd[3420]:   _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED
>>> Mar 27 16:14:29 francesca smbd[3421]: [2007/03/27 16:14:29, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
>>> Mar 27 16:14:29 francesca kernel: audit(1175004869.820:89): avc:  denied  { search } for  pid=3422 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
>>> Mar 27 16:14:29 francesca smbd[3421]:   _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82
>>> Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
>>> Mar 27 16:14:34 francesca smbd[3424]:   get_md4pw: Workstation FRANCESCA$: no account in domain
>>> Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
>>> Mar 27 16:14:34 francesca smbd[3424]:   _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED
>>> Mar 27 16:14:38 francesca kernel: audit(1175004878.895:90): avc:  denied  { search } for  pid=3426 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
>>> Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27 16:14:38, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
>>> Mar 27 16:14:38 francesca smbd[3425]:   _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82
>>>
>>> --------------------------------
>>>
>>>
>>> and this is the samba commands:
>>>
>>> [root at francesca ~]# ls -Zla /usr/bin/smb*
>>> -rwxr-xr-x 1 system_u:object_r:bin_t          root root 2112904 Feb  7 23:54 /usr/bin/smbcacls
>>> -rwxr-xr-x 1 system_u:object_r:bin_t          root root 1184704 Feb  7 23:54 /usr/bin/smbclient
>>> -rwxr-xr-x 1 system_u:object_r:bin_t          root root  748868 Feb  7 23:54 /usr/bin/smbcontrol
>>> -rwxr-xr-x 1 system_u:object_r:bin_t          root root 2002924 Feb  7 23:54 /usr/bin/smbcquotas
>>> -rwxr-xr-x 1 system_u:object_r:bin_t          root root   10240 Nov 21 17:21 /usr/bin/smbencrypt
>>> -rwxr-xr-x 1 system_u:object_r:bin_t          root root 2080808 Feb  7 23:54 /usr/bin/smbget
>>> -rwxr-xr-x 1 system_u:object_r:bin_t          root root 2006952 Feb  7 23:54 /usr/bin/smbpasswd
>>> -rwxr-xr-x 1 system_u:object_r:bin_t          root root    2295 Feb  7 23:53 /usr/bin/smbprint
>>> -rwxr-xr-x 1 system_u:object_r:bin_t          root root  913140 Feb  7 23:54 /usr/bin/smbspool
>>> -rwxr-xr-x 1 system_u:object_r:bin_t          root root  728000 Feb  7 23:54 /usr/bin/smbstatus
>>> -rwxr-xr-x 1 system_u:object_r:bin_t          root root    4896 Feb  7 23:53 /usr/bin/smbtar
>>> -rwxr-xr-x 1 system_u:object_r:bin_t          root root 1093408 Feb  7 23:54 /usr/bin/smbtree
>>>
>>> how can i fix this problem?
>>>
>>> thank you in advance.
>>>
>>> vittorio
>>>
>> Easiest thing to do is to create a loadable policy module
>> and install  it.  You can do this with the following
>> commands.
>>
>> audit2allow -i /var/log/audit/audit.log -M mysamba
>> semodule -i mysamba.pp
>>
>> This will add the following two rules to policy
>>
>> allow smbd_t bin_t:dir search;  # WHICH I HAVE ALREADY ADDED TO THE NEXT FC6 UPDATE.
>>
>> #============= winbind_t ==============
>> allow winbind_t samba_var_t:sock_file unlink;  # THIS IS CAUSED BY A LABELING PROBLEM, WHICH WILL ALSO BE FIXED IN THE NEXT UPDATE.
>>
>> selinux-policy-2.4.6-48
>   



