I've migrated our samba server to FC5 and have selinux enforcing. I have
the smbd_disable_trans boolean on. I just went to add a new PC to our
domain and was not able to until I changed selinux to permissive. Below
are the log messages.
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.084:160): avc: denied {
append } for pid=24952 comm="useradd" name="log.mslib2k10w" dev=dm-0
ino=8674237 scontext=root:system_r:useradd_t:s0
tcontext=root:object_r:samba_log_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.088:161): avc: denied {
read } for pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129
scontext=root:system_r:useradd_t:s0
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.088:162): avc: denied {
read write } for pid=24952 comm="useradd" name="passwd" dev=dm-0
ino=1964129 scontext=root:system_r:useradd_t:s0
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 smbd[24950]: [2006/04/25 12:53:25.092274, 0]
rpc_server/srv_samr_nt.c:_samr_create_user(2404)
Apr 25 12:53:25 hssrv01 smbd[24950]: _samr_create_user: Running the
command `/usr/sbin/useradd -d /dev/null -g mac6068346148hines -c 'Machine
Account' -s /bin/false -M mslib2k10w$' gave 1
Note that smbd invokes the useradd command.
How can I always leave enforcing on? Earlier, I sent an email indicating
that the samba "net groupmap" command also is a problem with enforcing on.
Mark Orenstein
East Granby, CT School System
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
