[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux for Samba-3.0.20



Daniel J Walsh wrote:
Darwin H. Webb wrote:

Hello,

I was wondering if the SELinux policy has been updated for sndb and nmbd in FC5 testing? I have installed all of the Samba-3.0.20 versions and in FC4 and had to turn these check booxes off.

I tried the turn them on for FC5 devel testing but it seemed to still get errors.
If the policy does exist, would a relabel be the answer?

Thank you,

Darwin H. Webb

Please submit the AVC messages that you are seeing?



I turned on the check boxes for Samba and relabeled with a boot yesterday.
It looks ok now. but here is the final messages occurring in samba
and the only AVC mesages now are about authx.
Too many updates and reboots cleared the old messages since I haven't had the samba SELinux on for that for a while.
The old message was about unable to access one or more .DAT files.
Now I only get these double set messages about every half hour.
[2005/09/23 07:46:43, 0] lib/util_sock.c:get_peer_addr(1222)
 getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 07:46:43, 0] lib/util_sock.c:get_peer_addr(1222)
 getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 08:18:43, 0] lib/util_sock.c:get_peer_addr(1222)
 getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 08:18:43, 0] lib/util_sock.c:get_peer_addr(1222)
 getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 08:50:43, 0] lib/util_sock.c:get_peer_addr(1222)
 getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 08:50:43, 0] lib/util_sock.c:get_peer_addr(1222)
 getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 09:22:43, 0] lib/util_sock.c:get_peer_addr(1222)
 getpeername failed. Error was Transport endpoint is not connected
[2005/09/23 09:22:43, 0] lib/util_sock.c:get_peer_addr(1222)
 getpeername failed. Error was Transport endpoint is not connected


These may be part of the relabel (A datetime stamp would be very nice on the audit.log.)
So it looks like SELinux policy for samba is working ok.

Thanks,

Darwin
type=AVC msg=audit(1127494685.194:1748): avc: denied { relabelfrom } for pid=23274 comm="su" name="0" dev=devpts ino=2 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file type=AVC msg=audit(1127494685.194:1748): avc: denied { relabelto } for pid=23274 comm="su" name="0" dev=devpts ino=2 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 tcontext=root:object_r:devpts_t:s0 tclass=chr_file type=SYSCALL msg=audit(1127494685.194:1748): arch=40000003 syscall=226 success=yes exit=0 a0=bfd3dd88 a1=7c869f a2=82c7378 a3=1a items=1 pid=23274 auid=4294967295 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 comm="su" exe="/bin/su"
type=CWD msg=audit(1127494685.194:1748):  cwd="/home/darwinhwebb"
type=PATH msg=audit(1127494685.194:1748): item=0 name="/dev/pts/0" flags=1 inode=2 dev=00:0a mode=020620 ouid=500 ogid=5 rdev=88:00 type=AVC msg=audit(1127494685.198:1749): avc: denied { execute } for pid=23276 comm="su" name="xauth" dev=dm-0 ino=26980102 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 tcontext=system_u:object_r:bin_t:s0 tclass=file type=AVC msg=audit(1127494685.198:1749): avc: denied { read } for pid=23276 comm="su" name="xauth" dev=dm-0 ino=26980102 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 tcontext=system_u:object_r:bin_t:s0 tclass=file type=SYSCALL msg=audit(1127494685.198:1749): arch=40000003 syscall=11 success=yes exit=0 a0=bfd3fe63 a1=bfd3f55c a2=82c72b8 a3=bfd3f570 items=2 pid=23276 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="xauth" exe="/usr/X11R6/bin/xauth"
type=AVC_PATH msg=audit(1127494685.198:1749):  path="/usr/X11R6/bin/xauth"
type=CWD msg=audit(1127494685.198:1749):  cwd="/home/darwinhwebb"
type=PATH msg=audit(1127494685.198:1749): item=0 name="/usr/X11R6/bin/xauth" flags=101 inode=26980102 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1127494685.198:1749): item=1 flags=101 inode=28508286 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1127494685.278:1750): avc: denied { add_name } for pid=23274 comm="su" name=".xauthUxdapp" scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir type=AVC msg=audit(1127494685.278:1750): avc: denied { create } for pid=23274 comm="su" name=".xauthUxdapp" scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file type=SYSCALL msg=audit(1127494685.278:1750): arch=40000003 syscall=5 success=yes exit=3 a0=82c7a23 a1=c2 a2=180 a3=2d78cd items=1 pid=23274 auid=4294967295 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 comm="su" exe="/bin/su"
type=CWD msg=audit(1127494685.278:1750):  cwd="/home/darwinhwebb"
type=PATH msg=audit(1127494685.278:1750): item=0 name="/root/.xauthUxdapp" flags=310 inode=26312705 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1127494685.294:1751): avc: denied { setattr } for pid=23274 comm="su" name=".xauthUxdapp" dev=dm-0 ino=26312915 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file type=SYSCALL msg=audit(1127494685.294:1751): arch=40000003 syscall=207 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 pid=23274 auid=4294967295 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 comm="su" exe="/bin/su"



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]