SMB - SELinux print problems

Russell Coker russell at coker.com.au
Mon Apr 12 14:36:40 UTC 2004


On Fri, 9 Apr 2004 11:07, Wayne Steenburg <w.steenburg at myactv.net> wrote:
> Does policy have to be manually reloaded-recompiled after running
> audit2allow or will a simple reboot suffice? If it does, how? Otherwise, here's
> my problem...

cd /etc/security/selinux/src/policy
audit2allow -d >> domains/misc/custom.te
make load

The above commands will allow all the operations that were denied, which may 
not be exactly what you want for best security.

> [root at FC2 root]# cat /var/log/messages
> Apr  8 20:44:22 FC2 kernel: audit(1081471462.693:0): avc:  denied
> { read } for  pid=2215 exe=/usr/sbin/smbd name=tmp dev=hde2 ino=917505
> scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:tmp_t
> tclass=dir

I've changed my policy tree to allow the directory read access, I'll send it 
off to Dan with the next batch.  I don't know what Samba is doing, it seems 
to want to search /tmp all the time but not actually do anything.

> Apr  8 20:44:28 FC2 kernel: audit(1081471468.457:0): avc:  denied
> { search } for  pid=2218 exe=/usr/sbin/smbd name=spool dev=hde6
> ino=1778881 scontext=system_u:system_r:smbd_t
> tcontext=system_u:object_r:var_spool_t tclass=dir

/var/spool/samba(/.*)?          system_u:object_r:samba_var_t

I've added the above to samba.fc in my tree to fix this.  If you add that in 
your samba.fc, run "make file_contexts/file_contexts" and then use setfiles 
to relabel /var/spool/samba then it should work.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
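The reply above makes two points: audit2allow turns every AVC denial in the log into an allow rule (which is more than you may want), and the second denial is better fixed by relabelling /var/spool/samba than by allowing smbd_t access to the generic var_spool_t type. The following Python script is an added illustration of that reasoning, not code from the thread or from the audit2allow tool: it parses the two quoted AVC lines (re-joined onto one line each and embedded as constructed sample input), aggregates them into allow rules per (source type, target type, class) the way audit2allow does, and separates out denials whose target type the administrator lists as "generic" (here var_spool_t), since those are relabel candidates rather than rules to add. The function names, the `generic_target_types` parameter and the choice of which types count as generic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denials quoted in the thread,
# with each syslog record joined back onto a single line.
SAMPLE_LOG = """\
Apr  8 20:44:22 FC2 kernel: audit(1081471462.693:0): avc:  denied  { read } for  pid=2215 exe=/usr/sbin/smbd name=tmp dev=hde2 ino=917505 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:tmp_t tclass=dir
Apr  8 20:44:28 FC2 kernel: audit(1081471468.457:0): avc:  denied  { search } for  pid=2218 exe=/usr/sbin/smbd name=spool dev=hde6 ino=1778881 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_spool_t tclass=dir
"""

# Matches the permission set in braces and the key=value fields that follow "for".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Parse one AVC denial line.

    Returns a dict with the denied permissions, the source and target
    *types* (third field of the security context) and the object class,
    or None when the line is not an AVC denial.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    try:
        source_type = fields["scontext"].split(":")[2]
        target_type = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": perms, "source": source_type, "target": target_type,
            "tclass": tclass, "fields": fields}


def aggregate_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    agg = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            agg[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return agg


def denials_to_rules(log_text):
    """Emit one allow rule per (source, target, class), as audit2allow would."""
    rules = []
    for (src, tgt, cls), perms in sorted(aggregate_denials(log_text).items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def review_denials(log_text, generic_target_types=frozenset()):
    """Split denials into rules worth adding and relabel candidates.

    generic_target_types (assumed, supplied by the administrator) lists
    target types that are broad defaults; a denial against one of those
    usually means the object should carry a more specific type (a
    file_contexts entry plus setfiles), not that the domain should be
    allowed access to everything with the generic label.
    """
    rules, relabel = [], []
    for (src, tgt, cls), perms in sorted(aggregate_denials(log_text).items()):
        if tgt in generic_target_types:
            relabel.append((src, tgt, cls, sorted(perms)))
        else:
            rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules, relabel


if __name__ == "__main__":
    print("Rules audit2allow-style output would contain:")
    for r in denials_to_rules(SAMPLE_LOG):
        print("  " + r)
    rules, relabel = review_denials(SAMPLE_LOG, {"var_spool_t"})
    print("Rules to add:", rules)
    print("Relabel instead:", relabel)
```

Running the script on the sample prints the two allow rules that the blanket `audit2allow -d >> custom.te` step would append, and then shows the var_spool_t denial moved into the relabel list, which corresponds to the samba.fc entry given in the reply.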
