Steven Stromer wrote:
>
> On Feb 12, 2009, at 4:43 PM, Daniel J Walsh wrote:
>
>> Paul Howarth wrote:
>>> On Thu, 12 Feb 2009 14:20:34 -0500
>>> Steven Stromer <filter@xxxxxxxxxxxxxxxxx> wrote:
>>>
>>>> Hopefully posting to the right list!
>>>>
>>>> I'm starting to migrate a few Fedora boxes over to the latest version
>>>> of CentOS 5 running the latest version of samba:
>>>>
>>>> [~]# smbstatus
>>>> Samba version 3.0.28-1.el5_2.1
>>>>
>>>> However, I am having a hard time getting SELinux to permit the
>>>> mounting of shares on the first CentOS box. Disabling SELinux permits
>>>> the shares to mount without problem:
>>>>
>>>> [~]# setenforce 1
>>>> [~]# mount -t cifs //192.168.10.3/PHFiles /mnt/samba -o username=****,password=****,rw
>>>> retrying with upper case share name
>>>> mount error 6 = No such device or address
>>>> [~]# setenforce 0
>>>> [~]# mount -t cifs //192.168.10.3/PHFiles /mnt/samba -o username=****,password=****,rw
>>>> [~]# ls -la /mnt/samba/
>>>> total 8
>>>> d---rws---+ 6 samba       samba          0 Feb 10 11:17 .
>>>> drwxr-xr-x  3 root        root        4096 Feb 12 11:13 ..
>>>> d---rws---+ 2 technology  technology     0 Feb 10 11:14 Computing
>>>> d---rws---+ 2 development development    0 Feb 10 11:17 Development
>>>> d---rws---+ 2 root        public         0 Feb 10 11:16 Marketing & Design
>>>> d---rws---+ 2 root        public         0 Feb 10 11:14 Public Computing
>>>> [~]# umount /mnt/samba/
>>>> [~]# setenforce 1
>>>>
>>>> Installed policy version is:
>>>> selinux-policy.noarch           2.4.6-137.1.el5
>>>> selinux-policy-targeted.noarch  2.4.6-137.1.el5
>>>>
>>>> The two shared directories are:
>>>>
>>>> [~]# ls -laZ /home/server1/PHFiles/
>>>> d---rws---+ samba       samba       system_u:object_r:samba_share_t  .
>>>> drwxr-xr-x  root        root        root:object_r:user_home_dir_t    ..
>>>> d---rws---+ technology  technology  root:object_r:samba_share_t      Computing
>>>> d---rws---+ development development root:object_r:samba_share_t      Development
>>>> d---rws---+ root        public      root:object_r:samba_share_t      Marketing & Design
>>>> d---rws---+ root        public      root:object_r:samba_share_t      Public Computing
>>>>
>>>> and
>>>>
>>>> [~]# ls -laZ /var/www/html
>>>> d---rwsr-x+ development development system_u:object_r:public_content_rw_t  .
>>>> drwxr-xr-x  root        root        system_u:object_r:httpd_sys_content_t  ..
>>>> ----rwxr-x+ development development root:object_r:public_content_rw_t      .DS_Store
>>>> d---rwsr-x+ development development root:object_r:public_content_rw_t      private
>>>> d---rwsr-x+ development development root:object_r:public_content_rw_t      public
>>>>
>>>> (I am aware that my permissions seem a bit untraditional. I am
>>>> running an experiment with extended ACL configuration on samba
>>>> shares. However, I do not believe this to have any bearing on my
>>>> present problems, as I have numerous other production servers running
>>>> with these permissions under SELinux, and, again, turning SELinux off
>>>> resolves my problems instantly.)
>>>>
>>>> The following has been executed with no apparent effect:
>>>> setsebool -P allow_smbd_anon_write=1
>>>>
>>>> The following have been executed with no apparent effect (so these
>>>> have been turned back off):
>>>> setsebool -P smbd_disable_trans=1
>>>> setsebool -P nmbd_disable_trans=1
>>>>
>>>> I've added the new contexts to file_contexts, and executed
>>>> 'restorecon -R' on the two shared directories:
>>>> /home/server1/PHFiles(/.*)?  --  system_u:object_r:samba_share_t
>>>> /var/www/html(/.*)?          --  system_u:object_r:public_content_rw_t
>>>>
>>>> setroubleshoot-server is installed, but no AVC denials are reported
>>>> to /var/log/messages. Instead, when SELinux is enforcing, I get the
>>>> error:
>>>> smbd[11852]: '/home/server1/PHFiles' does not exist or permission denied when connecting to [PHFiles] Error was Permission denied
>>>>
>>>> And, finally, I've rebooted. All to no avail. Any assistance would be
>>>> much appreciated!
>>>
>>> If the audit daemon is running, the AVC denials will be
>>> in /var/log/audit/audit.log rather than /var/log/messages.
>>>
>>> fedora-selinux-list would probably be more appropriate for this by the
>>> way.
>>>
>>> Paul.
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to
>>> majordomo@xxxxxxxxxxxxx with
>>> the words "unsubscribe selinux" without quotes as the message.
>>
>> setsebool -P use_samba_home_dirs 1
>
> Daniel, thanks for the reply. No success. I omitted mentioning that I
> had tried this, as well. However, I just confirmed again that this is
> not the fix. I'm not even sure why home directories would need to be
> permitted, as I am not using them. I even have [homes] commented out in
> smb.conf, which I'll include for reference:
>
> # Samba config file
> [global]
> # WINS
> wins support = yes
> local master = yes
> os level = 99
> domain master = yes
> preferred master = yes
> workgroup = 478FIRST
> # NETBIOS/DNS
> netbios name = server1
> name resolve order = wins lmhosts hosts bcast
> dns proxy = yes
> # SMB/CIFS
> smb ports = 139
> server string = server1
> # AUTHENTICATION
> interfaces = eth0
> security = user
> passdb backend = tdbsam
> encrypt passwords = yes
> # LOGGING
> log file = /var/log/samba/%m.log
> max log size = 50
> # CUPS
> load printers = yes
> cups options = raw
> #[homes]
> #   comment = Home Directories
> #   read only = No
> #   browseable = No
> #[printers]
> #   comment = All Printers
> #   path = /usr/spool/samba
> #   printable = Yes
> #   browseable = No
> [PHFiles]
> path = /home/server1/PHFiles
> writable = yes
> browseable = yes
> available = yes
> create mask = 0660
> force create mode = 0660
> directory mask = 0770
> force directory mode = 0770
> inherit acls = yes
> inherit owner = yes
> hosts allow = 127. 192.168.5.
> map archive = no
> map readonly = no
> map acl inherit = yes
> [html]
> path = /var/www/html
> writable = yes
> browseable = yes
> available = yes
> create mask = 0660
> force create mode = 0660
> directory mask = 0770
> force directory mode = 0770
> inherit acls = yes
> inherit owner = yes
> hosts allow = 127. 192.168.5.
> map archive = no
> map readonly = no
> map acl inherit = yes

You still have not attached the avc messages from /var/log/audit/audit.log

You have these booleans to allow samba to share any dir read/only or read/write:

samba_export_all_ro --> off
samba_export_all_rw --> off

You also seem to be using public_content_rw_t, so you might want to turn on

allow_smbd_anon_write --> off

which allows it to write to public_content_rw_t.
You could just add a custom module with

# grep smb /var/log/audit/audit.log | audit2allow -M mysmb
# semodule -i mysmb.pp

Without the audit.log we cannot help you.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
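As an added example (not code from the thread or from any of its participants), here is the smbd denial summary Dan keeps asking for, run over constructed audit records: POSIX sh plus awk, assuming only the standard AVC record fields (scontext, tcontext, tclass) and the boolean names already in his reply. The three audit lines are made-up samples, not the poster's real log.

```shell
#!/bin/sh
# Added example, not from the thread: summarise smbd AVC denials in an
# audit.log and map each denied target type to the boolean Dan named.
# The three records below are CONSTRUCTED samples in AVC record format.
SAMPLE_AUDIT_LOG=$(mktemp)
cat >"$SAMPLE_AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1234567890.101:77): avc:  denied  { search } for  pid=11852 comm="smbd" name="server1" dev=dm-0 ino=4097 scontext=system_u:system_r:smbd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1234567890.102:78): avc:  denied  { write } for  pid=11852 comm="smbd" name="public" dev=dm-0 ino=8193 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=AVC msg=audit(1234567890.103:79): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev=dm-0 ino=8200 scontext=system_u:system_r:httpd_t:s0 tcontext=root:object_r:samba_share_t:s0 tclass=file
EOF

# One "perms tclass target_type" line per distinct smbd denial in $1.
# Records from other processes (the httpd line above) are ignored.
smbd_avc_summary() {
    awk '/type=AVC/ && /comm="smbd"/ {
        perms = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                  # permissions sit between { and }
                for (j = i + 1; $j != "}"; j++)
                    perms = perms (perms == "" ? "" : ",") $j
            }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        print perms, tclass, ttype
    }' "$1" | sort -u
}

# The boolean from Dan's reply that governs smbd access to a target type.
boolean_for_type() {
    case "$1" in
        samba_share_t)       echo "(none: samba_share_t is already allowed)" ;;
        public_content_rw_t) echo "allow_smbd_anon_write" ;;
        *)                   echo "samba_export_all_ro / samba_export_all_rw" ;;
    esac
}

# Denial summary with the matching boolean appended to each line.
smbd_avc_advice() {
    smbd_avc_summary "$1" | while read -r perms tclass ttype; do
        echo "$perms $tclass $ttype -> $(boolean_for_type "$ttype")"
    done
}

smbd_avc_advice "$SAMPLE_AUDIT_LOG"
```

On a real box, point `smbd_avc_advice` at /var/log/audit/audit.log; the summary is the part worth pasting to the list before reaching for audit2allow.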