selinux@xxxxxxxxxx wrote:
hi,
my samba installation on fc6 has some problems due to
selinux.
this is the issue:
--------------------------------------------------------
Mar 27 16:14:11 francesca kernel: audit(1175004851.436:88):
avc: denied { unlink } for pid=3414 comm="winbindd"
name="pipe" dev=hda3 ino=9886377
scontext=root:system_r:winbind_t:s0
tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file
Mar 27 16:14:11 francesca winbindd[3414]: [2007/03/27
16:14:11, 0] lib/util_sock.c:create_pipe_sock(1308)
Mar 27 16:14:11 francesca winbindd[3414]: bind failed on
pipe socket /var/cache/samba/winbindd_privileged/pipe:
Address already in use
Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24,
0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
Mar 27 16:14:24 francesca smbd[3420]: get_md4pw:
Workstation FRANCESCA$: no account in domain
Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24,
0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
Mar 27 16:14:24 francesca smbd[3420]: _net_auth2: failed
to get machine password for account FRANCESCA$:
NT_STATUS_ACCESS_DENIED
Mar 27 16:14:29 francesca smbd[3421]: [2007/03/27 16:14:29,
0] passdb/pdb_interface.c:pdb_default_create_user(368)
Mar 27 16:14:29 francesca kernel: audit(1175004869.820:89):
avc: denied { search } for pid=3422 comm="smbd"
name="bin" dev=hda2 ino=928929
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=dir
Mar 27 16:14:29 francesca smbd[3421]: _samr_create_user:
Running the command `/usrbin/smbldap-useradd -w
"francesca$"' gave 82
Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34,
0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
Mar 27 16:14:34 francesca smbd[3424]: get_md4pw:
Workstation FRANCESCA$: no account in domain
Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34,
0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
Mar 27 16:14:34 francesca smbd[3424]: _net_auth2: failed
to get machine password for account FRANCESCA$:
NT_STATUS_ACCESS_DENIED
Mar 27 16:14:38 francesca kernel: audit(1175004878.895:90):
avc: denied { search } for pid=3426 comm="smbd"
name="bin" dev=hda2 ino=928929
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=dir
Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27 16:14:38,
0] passdb/pdb_interface.c:pdb_default_create_user(368)
Mar 27 16:14:38 francesca smbd[3425]: _samr_create_user:
Running the command `/usrbin/smbldap-useradd -w
"francesca$"' gave 82
--------------------------------
and these are the samba commands:
[root@francesca ~]# ls -Zla /usr/bin/smb*
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2112904 Feb 7 23:54 /usr/bin/smbcacls
-rwxr-xr-x 1 system_u:object_r:bin_t root root 1184704 Feb 7 23:54 /usr/bin/smbclient
-rwxr-xr-x 1 system_u:object_r:bin_t root root 748868 Feb 7 23:54 /usr/bin/smbcontrol
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2002924 Feb 7 23:54 /usr/bin/smbcquotas
-rwxr-xr-x 1 system_u:object_r:bin_t root root 10240 Nov 21 17:21 /usr/bin/smbencrypt
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2080808 Feb 7 23:54 /usr/bin/smbget
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2006952 Feb 7 23:54 /usr/bin/smbpasswd
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2295 Feb 7 23:53 /usr/bin/smbprint
-rwxr-xr-x 1 system_u:object_r:bin_t root root 913140 Feb 7 23:54 /usr/bin/smbspool
-rwxr-xr-x 1 system_u:object_r:bin_t root root 728000 Feb 7 23:54 /usr/bin/smbstatus
-rwxr-xr-x 1 system_u:object_r:bin_t root root 4896 Feb 7 23:53 /usr/bin/smbtar
-rwxr-xr-x 1 system_u:object_r:bin_t root root 1093408 Feb 7 23:54 /usr/bin/smbtree
how can i fix this problem?
thank you in advance.
vittorio
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Easiest thing to do is to create a loadable policy module and install
it. You can do this with the following commands.
audit2allow -i /var/log/audit/audit.log -M mysamba
semodule -i mysamba.pp
This will add the following two rules to policy
allow smbd_t bin_t:dir search; # WHICH I HAVE ALREADY ADDED TO THE NEXT FC6 UPDATE.
#============= winbind_t ==============
allow winbind_t samba_var_t:sock_file unlink; # THIS IS CAUSED BY A LABELING PROBLEM, WHICH WILL ALSO BE FIXED IN THE NEXT UPDATE.
selinux-policy-2.4.6-48
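Added example, not part of either message and not audit2allow's own code: a small parser that groups the AVC denials quoted in the thread by source type, target type and object class, and renders the allow rule each group corresponds to, so the rules can be reviewed before a module built from the log is loaded. The function names are hypothetical, and the sample log is constructed from the post's lines, each rejoined onto one line.

```python
import re
from collections import defaultdict

# Constructed sample: denials from the post above, each rejoined onto one line,
# plus one non-AVC line to show that ordinary daemon output is ignored.
SAMPLE_LOG = """\
Mar 27 16:14:11 francesca kernel: audit(1175004851.436:88): avc: denied { unlink } for pid=3414 comm="winbindd" name="pipe" dev=hda3 ino=9886377 scontext=root:system_r:winbind_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file
Mar 27 16:14:24 francesca smbd[3420]: get_md4pw: Workstation FRANCESCA$: no account in domain
Mar 27 16:14:29 francesca kernel: audit(1175004869.820:89): avc: denied { search } for pid=3422 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
Mar 27 16:14:38 francesca kernel: audit(1175004878.895:90): avc: denied { search } for pid=3426 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
"""

# Assumes the field order seen in the post: perms, comm, scontext, tcontext, tclass.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["comms"].add(m["comm"])
        groups[key]["count"] += 1
    return dict(groups)

def allow_rules(log_text):
    """Render each group as the allow rule that would permit it."""
    rules = []
    for (src, tgt, cls), info in sorted(summarize_denials(log_text).items()):
        perms = sorted(info["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for key, info in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(key, "x%d" % info["count"], "from", sorted(info["comms"]))
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

On the sample it yields the same two rules listed in the reply; any additional rule appearing for a real log would be a denial worth understanding before it is allowed.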