> -----Original Message----- > From: centos-bounces@xxxxxxxxxx > [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Whit Blauvelt > Sent: Tuesday, May 25, 2010 21:27 > To: CentOS mailing list > Subject: Re: Odd failure of smbd to start from > init.d - CentOS 5.4 - it's that fine SELinux > > On Tue, May 25, 2010 at 07:46:56PM -0500, Les Mikesell wrote: > > > I would have looked at selinux first for any "odd failure", but I > > thought it related to the process itself and couldn't see > any way that > > the process would be different when started as "sh /etc/init.d/smb > > restart" than simply /etc/init.d/smb restart. Is it? > > That selinux would prevent a normal init.d startup of a > common daemon like smbd, but allow the same startup in > several other ways ... okay, I've never studied selinux. I > usually run Ubuntu on servers. I've pretty much literally > inherited a bunch of RH-based servers to admin (coworker > sadly died), and we're adding more to run in parallel, so > CentOS was obvious (RH-the-firm being so badly run it took > staff days over the phone just to buy a single new license > from them). Of course AppArmour can also get in the way, but > at least it logs such actions, so it's obvious if you need to > reconfig or turn it off. > > I'm solidly impressed with this list. Nothing like it for > Ubuntu, and back when Gentoo was my preferred server distro > there was more noise surrounding that too. It shows that the > interest in CentOS is entirely professional. So that's a > strong upside. > > But if someone can tell me why selinux thinks it's sane to > block "/etc/init.d/smb start" while leaving "sh > /etc/init.d/smb start" and even /some/random/dir/smb start" > wide open ... I just can't believe some happy hacker at NSA If you look at it as the two different commands, then they may have different permissions, owners, contexts, etc... /bin/sh vs /etc/init.d/smb I am just logically guessing here but ... > thought that would count as a security scheme. Really, I'd > like to know how this is supposed to be useful. > > Whit > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos > -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100 - - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00. _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos