Steven Stromer wrote:
> > What's the output of:
> > # audit2allow < /var/log/audit/audit.log
> > Paul.
>
> Paul,
> Thanks for the time! I understand what you are saying. I have set:
> chcon -R -h -t home_root_t /home
> so that the entire path's hierarchy will be consistent,

No no, this is wrong. home_root_t is for directories that *contain* home
directories, not the home directories and their contents themselves.
I'd do a "restorecon -RF /home" to fix that, then put back the contexts
on your share areas as you wanted them (e.g. samba_share_t or
public_content_rw_t etc.).
Better still, I'd move your shares from under /home to under /srv if
that's a possibility.

> and then:
> setsebool -P use_samba_home_dirs 1
> Tried connecting, but still unsuccessful, so, output of audit2allow <
> /var/log/audit/audit.log is:
> #============= smbd_t ==============
> allow smbd_t home_root_t:dir { search getattr };
> allow smbd_t httpd_sys_content_t:dir search;
> Trying to mount /home/server1/PHFiles generates in
> /var/log/audit/audit.log:
> type=AVC msg=audit(1234540788.851:16207): avc: denied { search } for
> pid=26783 comm="smbd" name="/" dev=dm-2 ino=2
> scontext=root:system_r:smbd_t:s0
> tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> type=SYSCALL msg=audit(1234540788.851:16207): arch=c000003e syscall=4
> success=no exit=-13 a0=2b119e168ff0 a1=7fff19c3c6a0 a2=7fff19c3c6a0 a3=3
> items=0 ppid=17598 pid=26783 auid=0 uid=500 gid=0 euid=500 suid=0
> fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=122 comm="smbd"
> exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

Contexts need repairing before looking at these again.

> Trying to mount /var/www/html generates in /var/log/audit/audit.log:
> type=AVC msg=audit(1234540890.725:16214): avc: denied { search } for
> pid=26785 comm="smbd" name="www" dev=dm-3 ino=6815745
> scontext=root:system_r:smbd_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
> type=SYSCALL msg=audit(1234540890.725:16214): arch=c000003e syscall=4
> success=no exit=-13 a0=2b119e168ff0 a1=7fff19c3c6a0 a2=7fff19c3c6a0 a3=3
> items=0 ppid=17598 pid=26785 auid=0 uid=500 gid=0 euid=500 suid=0
> fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=122 comm="smbd"
> exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

/var/www is supposed to be readable under httpd only, not samba, so it's
normal for these not to work. For both servers to be able to access the
files (and samba to write them), you'll need /var/www and everything
underneath it to be public_content_rw_t and to set the boolean
allow_smbd_anon_write. If you need CGI scripts rather than just static
content and built-in scripting (e.g. PHP) then you'll need a local
policy module to allow samba access using the existing httpd_* types
instead.
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
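
Added example (not part of the original thread, and not code from audit2allow or any SELinux tool): a small Python triage script that groups AVC denials by source type, target type and class, the way audit2allow does, but pairs each group with the remedy given in the reply above instead of stopping at an allow rule. The sample log is constructed from the two AVC records quoted in the thread, re-joined onto single lines with the SYSCALL record abridged; the function names and the REMEDY table are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's two AVC records, re-joined onto single lines.
SAMPLE_LOG = """\
type=AVC msg=audit(1234540788.851:16207): avc: denied { search } for pid=26783 comm="smbd" name="/" dev=dm-2 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1234540788.851:16207): arch=c000003e syscall=4 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1234540890.725:16214): avc: denied { search } for pid=26785 comm="smbd" name="www" dev=dm-3 ino=6815745 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
# Remedies paraphrased from the reply in this thread, keyed by target type.
REMEDY = {
    "home_root_t": "repair labels first: restorecon -RF /home, then re-apply the share type",
    "httpd_sys_content_t": "expected denial: use public_content_rw_t plus allow_smbd_anon_write, or a local policy module",
}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    perms = PERMS_RE.search(line)
    if "type=AVC" not in line or perms is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        # A context is user:role:type[:level]; policy rules name the type.
        return {"perms": perms.group(1).split(),
                "source": fields["scontext"].split(":")[2],
                "target": fields["tcontext"].split(":")[2],
                "tclass": fields["tclass"],
                "name": fields.get("name", "?")}
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        group = groups[(rec["source"], rec["target"], rec["tclass"])]
        group["perms"].update(rec["perms"])
        group["names"].add(rec["name"])
    return dict(groups)

def triage(log_text):
    """Return (audit2allow-style rule, denied names, remedy) per group."""
    rows = []
    for (src, tgt, cls), group in sorted(summarize(log_text).items()):
        perms = " ".join(sorted(group["perms"]))
        rule = f"allow {src} {tgt}:{cls} {{ {perms} }};"
        rows.append((rule, sorted(group["names"]),
                     REMEDY.get(tgt, "not covered in the thread; review before allowing")))
    return rows

if __name__ == "__main__":
    for rule, names, remedy in triage(SAMPLE_LOG):
        print(f"{rule}\n  denied on: {names}\n  remedy: {remedy}")
```

Only the two denials visible in the thread are included, so the first rule lists search alone rather than the search and getattr pair that the poster's full log produced.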