Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux




 

> -----Original Message-----
> From: centos-bounces@xxxxxxxxxx 
> [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Whit Blauvelt
> Sent: Tuesday, May 25, 2010 21:27
> To: CentOS mailing list
> Subject: Re:  Odd failure of smbd to start from 
> init.d - CentOS 5.4 - it's that fine SELinux
> 
> On Tue, May 25, 2010 at 07:46:56PM -0500, Les Mikesell wrote:
> 
> > I would have looked at selinux first for any "odd failure", but I 
> > thought it related to the process itself and couldn't see 
> any way that 
> > the process would be different when started as "sh /etc/init.d/smb 
> > restart" than simply /etc/init.d/smb restart.  Is it?
> 
> That selinux would prevent a normal init.d startup of a 
> common daemon like smbd, but allow the same startup in 
> several other ways ... okay, I've never studied selinux. I 
> usually run Ubuntu on servers. I've pretty much literally 
> inherited a bunch of RH-based servers to admin (coworker 
> sadly died), and we're adding more to run in parallel, so 
> CentOS was obvious (RH-the-firm being so badly run it took 
> staff days over the phone just to buy a single new license 
> from them). Of course AppArmor can also get in the way, but 
> at least it logs such actions, so it's obvious if you need to 
> reconfig or turn it off.
> 
> I'm solidly impressed with this list. Nothing like it for 
> Ubuntu, and back when Gentoo was my preferred server distro 
> there was more noise surrounding that too. It shows that the 
> interest in CentOS is entirely professional. So that's a 
> strong upside.
> 
> But if someone can tell me why selinux thinks it's sane to 
> block "/etc/init.d/smb start" while leaving "sh 
> /etc/init.d/smb start" and even "/some/random/dir/smb start" 
> wide open ... I just can't believe some happy hacker at NSA 

If you look at it as the two different commands, then they may have different
permissions, owners, contexts, etc...

/bin/sh vs /etc/init.d/smb

I am just logically guessing here but ...

> thought that would count as a security scheme. Really, I'd 
> like to know how this is supposed to be useful.
> 
> Whit
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
> 




--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
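
One way to check the guess above on an SELinux-enabled host, as an added example that is not part of the original message: it compares the SELinux type of the file the kernel actually executes in each case (/etc/init.d/smb versus /bin/sh) and lists recent AVC records for smbd. The function names are hypothetical, and the contexts shown in comments are constructed samples, not output from the poster's machine.

```shell
#!/bin/sh
# Added example: compare the SELinux labels of the two files that are
# actually executed in the two invocations discussed in this thread.
#   /etc/init.d/smb start     -> the kernel executes /etc/init.d/smb
#   sh /etc/init.d/smb start  -> the kernel executes /bin/sh; the script
#                                is only opened and read by the shell
# Domain transitions are decided from the label of the executed file,
# so two different entry files can lead to two different process domains.

# Print the type field of a context such as user:role:type or
# user:role:type:level (constructed sample: system_u:object_r:initrc_exec_t).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the SELinux context of a file, following symlinks
# (/bin/sh is commonly a symlink). `ls -Z FILE` shows the same label.
file_context() {
    stat -L -c %C "$1" 2>/dev/null
}

# Report whether two contexts carry the same type.
# Prints "same:TYPE" or "differ:TYPE_A:TYPE_B".
compare_exec_types() {
    a=$(selinux_type "$1")
    b=$(selinux_type "$2")
    if [ "$a" = "$b" ]; then
        echo "same:$a"
    else
        echo "differ:$a:$b"
    fi
}

# Only query the live system when SELinux is present and enabled.
if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
    echo "current shell context: $(id -Z)"
    compare_exec_types "$(file_context /etc/init.d/smb)" \
                       "$(file_context /bin/sh)"
    # Denials are recorded as AVC messages in the audit log; this lists
    # the ones from the last 10 minutes for the smbd command (needs root).
    ausearch -m avc -ts recent -c smbd 2>/dev/null || true
fi
```

A "differ" result means the two invocations enter through differently labelled files, which is the condition under which policy can treat them differently.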
