RE: SELinux, Samba, & Winbind

Kloc, Alisha wrote:
>I am trying to set up basic Samba/Winbind on a RHEL5.2 server. But every
>time I try to do anything - join a domain, run a test join, change
>configuration settings, basically anything that calls any object related
>to Samba or Winbind - SELinux blocks it.
>
>Disabling protection for the winbind daemon in the boolean settings
>changes SELinux to blocking /var/run/winbindd/pipe instead. I've run
>restorecon where possible, and done a full relabel of the whole system,
>multiple times. Nothing changes. I haven't moved any system files and I'm
>following the official Samba setup documentation.
>
>I'm utterly at a loss. Something must be broken because I can't imagine a
>default SELinux policy that blocks all Samba/Winbind activity would have
>made it past RHEL5's quality control. But I can't figure out what it is.
>
>Please help!
>
>Thanks in advance,
>-Alisha
>
>_____________________________________
>
>[root@myhost ~]# net ads testjoin
>[2010/07/21 18:28:39.357159,  0]
>libads/kerberos.c:915(create_local_private_krb5_conf_for_domain)
>  create_local_private_krb5_conf_for_domain: failed to create directory
>/var/lib/samba/smb_krb5. Error was Permission denied
>[2010/07/21 18:28:39.359054,  0]
>libads/kerberos.c:915(create_local_private_krb5_conf_for_domain)
>  create_local_private_krb5_conf_for_domain: failed to create directory
>/var/lib/samba/smb_krb5. Error was Permission denied
>Join is OK
>_____________________________________
>
>Summary:
>SELinux is preventing the net from using potentially mislabeled files
>(/tmp/.winbindd).
>
>Detailed Description
>SELinux has denied net access to potentially mislabeled file(s)
>(/tmp/.winbindd). This means that SELinux will not allow net to use these
>files. It is common for users to edit files in their home directory or tmp
>directories and then move (mv) them to system directories. The problem is
>that the files end up with the wrong file context which confined
>applications are not allowed to access.
>
>Allowing Access
>If you want net to access this files, you need to relabel them using
>restorecon -v '/tmp/.winbindd'. You might want to relabel the entire
>directory using restorecon -R -v '/tmp/.winbindd'.
>
>Additional Information
>
>Source Context:  root:system_r:samba_net_t:SystemLow-SystemHigh
>Target Context:  system_u:object_r:winbind_tmp_t
>Target Objects:  /tmp/.winbindd [ dir ]
>Source:  net
>Source Path:  /usr/bin/net
>Port:  <Unknown>
>Host:  <my-hostname>
>Source RPM Packages:  samba3-client-3.5.4-43.el5
>Target RPM Packages:
>Policy RPM:  selinux-policy-2.4.6-137.el5
>Selinux Enabled:  True
>Policy Type:  targeted
>MLS Enabled:  True
>Enforcing Mode:  Enforcing
>Plugin Name:  home_tmp_bad_labels
>Host Name:  <my-hostname>
>Platform:  Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12
>EDT 2008 i686 i686
>Alert Count:  24
>First Seen:  Wed 21 Jul 2010 05:56:30 PM GMT
>Last Seen:  Wed 21 Jul 2010 06:08:40 PM GMT
>Local ID:  0c95a6b7-9a92-4950-bb1d-9b74686685ea
>Line Numbers:
>Raw Audit Messages :
>host=<my-hostname> type=AVC msg=audit(1279735720.83:120): avc: denied
>{ getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3
>ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023
>tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir
>host=<my-hostname> type=SYSCALL msg=audit(1279735720.83:120):
>arch=40000003 syscall=196 success=no exit=-13 a0=2ae6b6 a1=bfa92f0c
>a2=cabff4 a3=2ae6b6 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0
>suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net"
>exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023
>key=(null)
>______________________________________
>
>Summary:
>
>SELinux is preventing net (samba_net_t) "read" to ./filesystems (proc_t).
>
>Detailed Description:
>SELinux denied access requested by net. It is not expected that this
>access is required by net and this access may signal an intrusion attempt.
>It is also possible that the specific version or configuration of the
>application is causing it to require additional access.
>
>Allowing Access:
>Sometimes labeling problems can cause SELinux denials. You could try to
>restore the default system file context for ./filesystems,
>restorecon -v './filesystems'
>
>If this does not work, there is currently no automatic way to allow this
>access. Instead, you can generate a local policy module to allow this
>access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
>Or you can disable SELinux protection altogether.
>Disabling SELinux protection is not recommended. Please file a bug report
>(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>Source Context                root:system_r:samba_net_t:SystemLow-
>SystemHigh
>Target Context                system_u:object_r:proc_t
>Target Objects                ./filesystems [ file ]
>Source                        net
>Source Path                   /usr/bin/net
>Port                          <Unknown>
>Host                          <my-hostname>
>Source RPM Packages           samba3-client-3.5.4-43.el5
>Target RPM Packages
>Policy RPM                    selinux-policy-2.4.6-137.el5
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall_file
>Host Name                     <my-hostname>
>Platform                      Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue
>Apr 29 13:16:12 EDT 2008 i686 i686
>Alert Count                   12
>First Seen                    Wed 21 Jul 2010 05:56:30 PM GMT
>Last Seen                     Wed 21 Jul 2010 06:08:39 PM GMT
>Local ID                      1f71cc35-0ccc-4104-8c99-5158849a8cb1
>Line Numbers
>
>Raw Audit Messages
>host=<my-hostname> type=AVC msg=audit(1279735719.957:114): avc:  denied
>{ read } for  pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452
>scontext=root:system_r:samba_net_t:s0-s0:c0.c1023
>tcontext=system_u:object_r:proc_t:s0 tclass=file
>host=<my-hostname> type=SYSCALL msg=audit(1279735719.957:114):
>arch=40000003 syscall=5 success=no exit=-13 a0=ab1390 a1=8000 a2=0 a3=8000
>items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net"
>subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
>_____________________________________


Hi Alisha,

Your CentOS 5.2 SELinux policy is selinux-policy-2.4.6-137.el5, while
the CentOS 5.5 policy version is selinux-policy-devel-2.4.6-279.el5.
There have obviously been a lot of changes made.  You're using SerNet's
latest Samba 3.5 build rather than CentOS' official 3.0.33.  The SerNet
package was probably built to CentOS 5.4 or 5.5 specification, so you
could be running into issues from the older policy version.  You may be
able to track down more details on the precise SELinux changes in the
CentOS or RedHat release notes.

Could you set up a test CentOS 5.5 server and try it on that?


Moray.
"To err is human.  To purr, feline"
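The two raw AVC records quoted above are the kind of input an admin triages before deciding between restorecon and a policy fix. The following is an added example, not code from this thread or from the SELinux tooling: it parses AVC lines, groups them by source type, target type, class and permission (as audit2allow would), and applies a heuristic verdict that mirrors the two sealert plugins seen in the thread (home_tmp_bad_labels versus catchall_file). The sample lines are constructed from the thread's records, re-joined onto single lines.

```python
import re

# Constructed sample: the two raw AVC records quoted in the thread, re-joined
# onto single lines (the archive wrapped them), plus a SYSCALL record to skip.
SAMPLE_AUDIT = """\
host=myhost type=AVC msg=audit(1279735720.83:120): avc: denied { getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3 ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir
host=myhost type=AVC msg=audit(1279735719.957:114): avc:  denied  { read } for  pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
host=myhost type=SYSCALL msg=audit(1279735719.957:114): arch=40000003 syscall=5 success=no exit=-13 comm="net" exe="/usr/bin/net"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:range]; the type is the third component.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def classify(rec):
    """Heuristic verdict mirroring the two sealert plugins seen in the thread:
    a /tmp object carrying another domain's *_tmp_t type is a relabel candidate
    (home_tmp_bad_labels); anything else is a policy gap (catchall_file), where
    restorecon cannot help and the policy version or a local module is the fix."""
    stype, ttype = rec['stype'], rec['ttype']
    if rec.get('path', '').startswith('/tmp/') and ttype.endswith('_tmp_t'):
        owner = ttype[:-len('_tmp_t')]      # 'winbind' for winbind_tmp_t
        if not stype.startswith(owner):     # samba_net_t does not own it
            return 'relabel_candidate'
    return 'policy_gap'

def triage(audit_text):
    """Group denials by (source type, target type, class, permission)."""
    summary = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (rec['stype'], rec['ttype'], rec['tclass'], perm)
            entry = summary.setdefault(key, {'count': 0, 'verdict': classify(rec)})
            entry['count'] += 1
    return summary
```

A relabel_candidate verdict only means the label looks foreign to the source domain; confirm with matchpathcon before relabelling, since a correct label plus an old policy (as the reply suggests) produces the same denial.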




--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
