SMB - SELinux print problems
Russell Coker
russell at coker.com.au
Mon Apr 12 14:36:40 UTC 2004
On Fri, 9 Apr 2004 11:07, Wayne Steenburg <w.steenburg at myactv.net> wrote:
> Does policy have to be manually reloaded/recompiled after running
> audit2allow, or will a simple reboot suffice? If it does, how? Otherwise, here's
> my problem...
cd /etc/security/selinux/src/policy
audit2allow -d >> domains/misc/custom.te
make load
The above commands will allow all the operations that were denied, which may
not be exactly what you want for best security.
> [root at FC2 root]# cat /var/log/messages
> Apr 8 20:44:22 FC2 kernel: audit(1081471462.693:0): avc: denied
> { read } for pid=2215 exe=/usr/sbin/smbd name=tmp dev=hde2 ino=917505
> scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:tmp_t
> tclass=dir
I've changed my policy tree to allow the directory read access; I'll send it
off to Dan with the next batch. I don't know what Samba is doing; it seems
to want to search /tmp all the time but not actually do anything.
> Apr 8 20:44:28 FC2 kernel: audit(1081471468.457:0): avc: denied
> { search } for pid=2218 exe=/usr/sbin/smbd name=spool dev=hde6
> ino=1778881 scontext=system_u:system_r:smbd_t tcontext=system_u:
> object_r:var_spool_t tclass=dir
/var/spool/samba(/.*)? system_u:object_r:samba_var_t
I've added the above to samba.fc in my tree to fix this. If you add that in
your samba.fc, run "make file_contexts/file_contexts" and then use setfiles
to relabel /var/spool/samba then it should work.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
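To make concrete what "audit2allow -d >> domains/misc/custom.te" does with denials like the two quoted in this message, here is an added Python sketch (not the audit2allow tool's own code and not part of the original message) that parses AVC lines into one allow rule per source type, target type and object class. The sample log is the message's own two denials, rejoined onto single lines after the archive wrapped them.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted in the message, each
# rejoined onto a single line (the mail archive wrapped them).
AVC_LOG = """\
Apr 8 20:44:22 FC2 kernel: audit(1081471462.693:0): avc: denied { read } for pid=2215 exe=/usr/sbin/smbd name=tmp dev=hde2 ino=917505 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:tmp_t tclass=dir
Apr 8 20:44:28 FC2 kernel: audit(1081471468.457:0): avc: denied { search } for pid=2218 exe=/usr/sbin/smbd name=spool dev=hde6 ino=1778881 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_spool_t tclass=dir
"""

# Pull the permission set, both security contexts and the object class
# out of a kernel avc: denied line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type (third field) of a user:role:type security context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; skip
        yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
               m.group("tclass"), set(m.group("perms").split()))


def allow_rules(log_text):
    """Collapse denials into one TE allow rule per (source, target, class).

    This is the essence of appending audit2allow output to custom.te: every
    denied operation becomes permitted, with no judgement about whether it
    should be.
    """
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(merged.items())]


if __name__ == "__main__":
    for rule in allow_rules(AVC_LOG):
        print(rule)
```

The second generated rule would let smbd_t search every var_spool_t directory on the system, which illustrates the caution above about blanket allow rules; relabelling /var/spool/samba as samba_var_t, as the reply does, avoids the denial without widening access to the rest of /var/spool.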