Re: fc6 and samba

selinux@xxxxxxxxxx wrote:
thank you.. i will try right now...

...but i have a question about the ls -Z command:

can i change the security context of these files
/usr/bin/smb*


Yes, but that will not necessarily fix your problem. If you chcon -t bin_t, they will no longer transition and SELinux will not affect them. But this could cause other applications that use winbind or samba some problems.

that changing the policy rules instead?

thank you again


----- Original Message -----
From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
To: "selinux@xxxxxxxxxx" <selinux@xxxxxxxxxx>
Cc: fedora-selinux-list@xxxxxxxxxx
Subject: Re: fc6 and samba
Date: Tue, 27 Mar 2007 11:22:54 -0400

selinux@xxxxxxxxxx wrote:
hi,

my samba installation on fc6 has some problems due to
selinux.

this is the issue:



--------------------------------------------------------

Mar 27 16:14:11 francesca kernel: audit(1175004851.436:88): avc: denied { unlink } for pid=3414 comm="winbindd" name="pipe" dev=hda3 ino=9886377 scontext=root:system_r:winbind_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file
Mar 27 16:14:11 francesca winbindd[3414]: [2007/03/27 16:14:11, 0] lib/util_sock.c:create_pipe_sock(1308)
Mar 27 16:14:11 francesca winbindd[3414]:   bind failed on pipe socket /var/cache/samba/winbindd_privileged/pipe: Address already in use
Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
Mar 27 16:14:24 francesca smbd[3420]:   get_md4pw: Workstation FRANCESCA$: no account in domain
Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
Mar 27 16:14:24 francesca smbd[3420]:   _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED
Mar 27 16:14:29 francesca smbd[3421]: [2007/03/27 16:14:29, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
Mar 27 16:14:29 francesca kernel: audit(1175004869.820:89): avc:  denied  { search } for  pid=3422 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
Mar 27 16:14:29 francesca smbd[3421]:   _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82
Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
Mar 27 16:14:34 francesca smbd[3424]:   get_md4pw: Workstation FRANCESCA$: no account in domain
Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
Mar 27 16:14:34 francesca smbd[3424]:   _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED
Mar 27 16:14:38 francesca kernel: audit(1175004878.895:90): avc: denied { search } for pid=3426 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27 16:14:38, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
Mar 27 16:14:38 francesca smbd[3425]:   _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82

--------------------------------------------------------


and these are the samba commands:

[root@francesca ~]# ls -Zla /usr/bin/smb*
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2112904 Feb  7 23:54 /usr/bin/smbcacls
-rwxr-xr-x 1 system_u:object_r:bin_t root root 1184704 Feb  7 23:54 /usr/bin/smbclient
-rwxr-xr-x 1 system_u:object_r:bin_t root root  748868 Feb  7 23:54 /usr/bin/smbcontrol
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2002924 Feb  7 23:54 /usr/bin/smbcquotas
-rwxr-xr-x 1 system_u:object_r:bin_t root root   10240 Nov 21 17:21 /usr/bin/smbencrypt
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2080808 Feb  7 23:54 /usr/bin/smbget
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2006952 Feb  7 23:54 /usr/bin/smbpasswd
-rwxr-xr-x 1 system_u:object_r:bin_t root root    2295 Feb  7 23:53 /usr/bin/smbprint
-rwxr-xr-x 1 system_u:object_r:bin_t root root  913140 Feb  7 23:54 /usr/bin/smbspool
-rwxr-xr-x 1 system_u:object_r:bin_t root root  728000 Feb  7 23:54 /usr/bin/smbstatus
-rwxr-xr-x 1 system_u:object_r:bin_t root root    4896 Feb  7 23:53 /usr/bin/smbtar
-rwxr-xr-x 1 system_u:object_r:bin_t root root 1093408 Feb  7 23:54 /usr/bin/smbtree

how can i fix this problem?

thank you in advance.

vittorio

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx

https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Easiest thing to do is to create a loadable policy module and install it. You can do this with the following commands.

audit2allow -i /var/log/audit/audit.log -M mysamba
semodule -i mysamba.pp

This will add the following two rules to policy

allow smbd_t bin_t:dir search;  # WHICH I HAVE ALREADY ADDED TO THE NEXT FC6 UPDATE.

#============= winbind_t ==============
allow winbind_t samba_var_t:sock_file unlink;  # THIS IS CAUSED BY A LABELING PROBLEM, WHICH WILL ALSO BE FIXED IN THE NEXT UPDATE.

selinux-policy-2.4.6-48







--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
