Re: Samba won't dance [Solved - sort of - NOT] Selinux related???

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Claude Jones wrote:
> On Thu April 17 2008, Claude Jones wrote:
>> I can't declare victory. I am now networked,
> 
> I now know how to break it. Just declare victory. It doesn't have to be total; 
> victory declarations, qualified, with reservations, with lots of 
> uselessmumbling, etc...work, too!
> 
> Just switched over to an XP box that had been reliably browsing my Fedora box 
> for the past hour, and got a "can't find" error. Turned off the firewall on 
> Fedora, went back to the XP machine, and the connection is restored... WTF??
> 
> I doubt this is relevant, but here are the relevant entries in iptables:
> 
> Chain INBOUND (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere            state 
> RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere            state 
> RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.2.0/24       anywhere
> ACCEPT     all  --  192.168.2.1          anywhere
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere            tcp 
> dpts:6881:6889
> ACCEPT     udp  --  anywhere             anywhere            udp 
> dpts:6881:6889
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:35986
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:35986
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp dpt:ipp
> ACCEPT     udp  --  192.168.2.0/24       anywhere            udp dpt:ipp
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp 
> dpts:netbios-ns:netbios-ssn
> ACCEPT     udp  --  192.168.2.0/24       anywhere            udp 
> dpts:netbios-ns:netbios-ssn
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp 
> dpt:microsoft-ds
> ACCEPT     udp  --  192.168.2.0/24       anywhere            udp 
> dpt:microsoft-ds
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp dpt:sunrpc
> ACCEPT     udp  --  192.168.2.0/24       anywhere            udp dpt:sunrpc
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp dpt:nfs
> ACCEPT     udp  --  192.168.2.0/24       anywhere            udp dpt:nfs
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp dpt:domain
> ACCEPT     udp  --  192.168.2.0/24       anywhere            udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
> LSI        all  --  anywhere             anywhere
> ***************************************
> I know there are issues in there, but, the main point is, why did it suddenly 
> go dark? Why did it work for a couple of hours this am, and all night, then 
> suddenly lose it?
> ***************************************
> and there's the Samba and Selinux issue - I'm getting tons of these:
> 
> 
> Summary:
> 
> SELinux is preventing smbd (smbd_t) "getattr" to /dev/sde1
> (fixed_disk_device_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by smbd. It is not expected that this access 
> is
> required by smbd and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials. You could try to 
> restore
> the default system file context for /dev/sde1,
> 
> restorecon -v '/dev/sde1'
> 
> If this does not work, there is currently no automatic way to allow this 
> access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not 
> recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                unconfined_u:system_r:smbd_t
> Target Context                system_u:object_r:fixed_disk_device_t
> Target Objects                /dev/sde1 [ blk_file ]
> Source                        smbd
> Source Path                   /usr/sbin/smbd
> Port                          <Unknown>
> Host                          tehogee1
> Source RPM Packages           samba-3.0.28a-0.fc8
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.0.8-98.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     tehogee1
> Platform                      Linux tehogee1 2.6.24.4-64.fc8 #1 SMP Sat Mar 29
>                               09:54:46 EDT 2008 i686 i686
> Alert Count                   3
> First Seen                    Wed 16 Apr 2008 08:39:18 AM EDT
> Last Seen                     Wed 16 Apr 2008 08:43:18 AM EDT
> Local ID                      83d6b661-2e3b-482a-ada7-ca94aa1f5eb6
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=tehogee1 type=AVC msg=audit(1208349798.310:1590): avc:  denied  { 
> getattr } for  pid=32296 comm="smbd" path="/dev/sde1" dev=tmpfs ino=323202 
> scontext=unconfined_u:system_r:smbd_t:s0 
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
> 
> host=tehogee1 type=SYSCALL msg=audit(1208349798.310:1590): arch=40000003 
> syscall=195 success=no exit=-13 a0=bfd7a694 a1=bfd79e14 a2=4c5ff4 a3=bfd79e14 
> items=0 ppid=31287 pid=32296 auid=500 uid=99 gid=0 euid=99 suid=0 fsuid=99 
> egid=99 sgid=0 fsgid=99 tty=(none) comm="smbd" exe="/usr/sbin/smbd" 
> subj=unconfined_u:system_r:smbd_t:s0 key=(null)
> 
> ********************************************
> or even more germane, this:
> 
> 
> Summary:
> 
> SELinux is preventing the samba daemon from serving r/o local files to remote
> clients.
> 
> Detailed Description:
> 
> SELinux has preventing the samba daemon (smbd) from reading files on the local
> system. If you have not exported these file systems, this could signals an
> intrusion.
> 
> Allowing Access:
> 
> If you want to export file systems using samba you need to turn on the
> samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".
> 
> The following command will allow this access:
> 
> setsebool -P samba_export_all_ro=1
> 
> Additional Information:
> 
> Source Context                system_u:system_r:smbd_t
> Target Context                system_u:object_r:var_t
> Target Objects                ./srv [ dir ]
> Source                        smbd
> Source Path                   /usr/sbin/smbd
> Port                          <Unknown>
> Host                          tehogee1
> Source RPM Packages           samba-3.0.28a-0.fc8
> Target RPM Packages           filesystem-2.4.11-1.fc8
> Policy RPM                    selinux-policy-3.0.8-98.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   samba_export_all_ro
> Host Name                     tehogee1
> Platform                      Linux tehogee1 2.6.24.4-64.fc8 #1 SMP Sat Mar 29
>                               09:54:46 EDT 2008 i686 i686
> Alert Count                   8
> First Seen                    Wed 16 Apr 2008 10:06:11 PM EDT
> Last Seen                     Wed 16 Apr 2008 10:06:15 PM EDT
> Local ID                      dd8cb0d1-fac0-495c-89e6-c115d60ad66f
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=tehogee1 type=AVC msg=audit(1208397975.959:367): avc:  denied  { read } 
> for  pid=28749 comm="smbd" name="srv" dev=sda3 ino=26312705 
> scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 
> tclass=dir
> 
> host=tehogee1 type=SYSCALL msg=audit(1208397975.959:367): arch=40000003 
> syscall=5 success=no exit=-13 a0=b864d098 a1=98800 a2=bf9291fc a3=b86651c8 
> items=0 ppid=3353 pid=28749 auid=4294967295 uid=99 gid=0 euid=99 suid=0 
> fsuid=99 egid=99 sgid=0 fsgid=99 tty=(none) comm="smbd" exe="/usr/sbin/smbd" 
> subj=system_u:system_r:smbd_t:s0 key=(null)
> 
> *********************************************
> 
> I have run the suggested command to fix the last, but to no avail. 
> 
> 
> 
> 
For the SELinux issue.
You need to turn on a boolean
either
samba_export_all_ro or
samba_export_all_rw

setsebool -P samba_export_all_ro=1


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkgM7RIACgkQrlYvE4MpobPbMQCeJPG7k7csSIyOpLyRA3EQZN7G
03wAoI8xrpaC6YXtq7KZ/ykg6wC3PO4/
=5t/+
-----END PGP SIGNATURE-----

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux