RE: SELinux, Samba, & Winbind

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

Due to change management, for the moment at least we're stuck with RHEL 5.2. However, I get the exact same errors when using the version of Samba (3.0.28) included with RHEL 5.2, so I doubt it's a version incompatibility. 

It seems as if SELinux has got the idea that Samba-related anything is illegal and should be blocked, but there's no way to tell it otherwise, since the Boolean switches, restorecon, and relabeling don't work.

How can I fix SELinux so it stops blocking all Samba-related files, daemons, and pipes?

Regarding looking over the release notes, I haven't been able to find any SELinux release notes, new policy releases/updates, or really anything centralized regarding SELinux. The NSA page is no longer being updated, and it links to a Fedora Core web page which has some information, but no downloadable updates or policies that I can find. The Fedora Core page links to dozens of other apparently unofficial, or at least non-SELinux-branded, sites, which offer lots of secondary tools for SELinux but no actual policies or updates. Red Hat's support website has a single SELinux howto document written for RHEL4, and no policies or updates, and I haven't been able to find anyplace else that offers new/updated SELinux policies for download (except the occasional unofficial link on mailing list archives or Bugzilla, neither of which sources is approved by change management). 

Does an official SELinux updates/policy page exist at all? If so, where can I find it?

Thanks!
-Alisha


 

-----Original Message-----
From: selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Moray Henderson
Sent: Thursday, July 22, 2010 1:40 AM
To: Kloc, Alisha; selinux@xxxxxxxxxxxxxxxxxxxxxxx
Subject: RE: SELinux, Samba, & Winbind

Kloc, Alisha wrote:
>I am trying to set up basic Samba/Winbind on a RHEL5.2 server. But 
>every time I try to do anything - join a domain, run a test join, 
>change configuration settings, basically anything that calls any object 
>related to Samba or Winbind - SELinux blocks it.
>
>Disabling protection for the winbind daemon in the boolean settings 
>changes SELinux to blocking /var/run/winbindd/pipe instead. I've run 
>restorecon where possible, and done a full relabel of the whole system, 
>multiple times. Nothing changes. I haven't moved any system files and 
>I'm following the official Samba setup documentation.
>
>I'm utterly at a loss. Something must be broken because I can't imagine 
>a default SELinux policy that blocks all Samba/Winbind activity would 
>have made it past RHEL5's quality control. But I can't figure out what it is.
>
>Please help!
>
>Thanks in advance,
>-Alisha
>
>_____________________________________
>
>[root@myhost ~]# net ads testjoin
>[2010/07/21 18:28:39.357159,  0]
>libads/kerberos.c:915(create_local_private_krb5_conf_for_domain)
>  create_local_private_krb5_conf_for_domain: failed to create directory 
>/var/lib/samba/smb_krb5. Error was Permission denied
>[2010/07/21 18:28:39.359054,  0]
>libads/kerberos.c:915(create_local_private_krb5_conf_for_domain)
>  create_local_private_krb5_conf_for_domain: failed to create directory 
>/var/lib/samba/smb_krb5. Error was Permission denied Join is OK 
>_____________________________________
>
>Summary:
>SELinux is preventing the net from using potentially mislabeled files 
>(/tmp/.winbindd).
>
>Detailed Description
>SELinux has denied net access to potentially mislabeled file(s) 
>(/tmp/.winbindd). This means that SELinux will not allow net to use
these
>files. It is common for users to edit files in their home directory or
tmp
>directories and then move (mv) them to system directories. The problem
is
>that the files end up with the wrong file context which confined 
>applications are not allowed to access.
>
>Allowing Access
>If you want net to access this files, you need to relabel them using 
>restorecon -v '/tmp/.winbindd'. You might want to relabel the entire 
>directory using restorecon -R -v '/tmp/.winbindd'.
>
>Additional Information
>
>Source Context:  root:system_r:samba_net_t:SystemLow-SystemHighTarget
>Context:  system_u:object_r:winbind_tmp_t Target Objects:  
>/tmp/.winbindd [ dir ]
>Source:  net
>Source Path:  /usr/bin/net
>Port:  <Unknown>
>Host:  <my-hostname>
>Source RPM Packages:  samba3-client-3.5.4-43.el5 Target RPM Packages:
>Policy RPM:  selinux-policy-2.4.6-137.el5 Selinux Enabled:  True Policy
>Type:  targeted MLS Enabled:  True Enforcing Mode:  Enforcing Plugin
>Name:  home_tmp_bad_labels Host Name:  <my-hostname>
>Platform:  Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 
>EDT 2008 i686 i686 Alert Count:  24 First Seen:  Wed 21 Jul 2010 
>05:56:30 PM GMT Last Seen:  Wed 21 Jul 2010 06:08:40 PM GMT Local ID:
>0c95a6b7-9a92-4950-bb1d-9b74686685ea
>Line Numbers:
>Raw Audit Messages :
>host=<my-hostname> type=AVC msg=audit(1279735720.83:120): avc: denied { 
>getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3
>ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023
>tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir 
>host=<my-hostname> type=SYSCALL msg=audit(1279735720.83:120):
>arch=40000003 syscall=196 success=no exit=-13 a0=2ae6b6 a1=bfa92f0c
>a2=cabff4 a3=2ae6b6 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0
euid=0
>suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net"
>exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023
>key=(null)
>______________________________________
>
>Summary:
>
>SELinux is preventing net (samba_net_t) "read" to ./filesystems
(proc_t).
>
>Detailed Description:
>SELinux denied access requested by net. It is not expected that this 
>access is required by net and this access may signal an intrusion
attempt.
>It is also possible that the specific version or configuration of the 
>application is causing it to require additional access.
>
>Allowing Access:
>Sometimes labeling problems can cause SELinux denials. You could try to 
>restore the default system file context for ./filesystems, restorecon 
>-v './filesystems'
>
>If this does not work, there is currently no automatic way to allow
this
>access. Instead, you can generate a local policy module to allow this 
>access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-
>fc5/#id2961385) Or you can disable SELinux protection altogether.
>Disabling SELinux protection is not recommended. Please file a bug
report
>(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>Source Context                root:system_r:samba_net_t:SystemLow-
>SystemHigh
>Target Context                system_u:object_r:proc_t
>Target Objects                ./filesystems [ file ]
>Source                        net
>Source Path                   /usr/bin/net
>Port                          <Unknown>
>Host                          <my-hostname>
>Source RPM Packages           samba3-client-3.5.4-43.el5
>Target RPM Packages
>Policy RPM                    selinux-policy-2.4.6-137.el5
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall_file
>Host Name                     <my-hostname>
>Platform                      Linux <my-hostname> 2.6.18-92.el5 #1 SMP
Tue
>Apr 29 13:16:12 EDT 2008 i686 i686
>Alert Count                   12
>First Seen                    Wed 21 Jul 2010 05:56:30 PM GMT
>Last Seen                     Wed 21 Jul 2010 06:08:39 PM GMT
>Local ID                      1f71cc35-0ccc-4104-8c99-5158849a8cb1
>Line Numbers
>
>Raw Audit Messages
>host=<my-hostname> type=AVC msg=audit(1279735719.957:114): avc:  denied 
>{ read } for  pid=7064 comm="net" name="filesystems" dev=proc ino=-
>268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023
>tcontext=system_u:object_r:proc_t:s0 tclass=file host=<my-hostname> 
>type=SYSCALL msg=audit(1279735719.957:114):
>arch=40000003 syscall=5 success=no exit=-13 a0=ab1390 a1=8000 a2=0
a3=8000
>items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0
>sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net"
>subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null) 
>_____________________________________


Hi Alisha,

Your CentOS 5.2 SELinux policy is selinux-policy-2.4.6-137.el5, while the CentOS 5.5 policy version is selinux-policy-devel-2.4.6-279.el5.
There have obviously been a lot of changes made.  You're using SerNet's latest Samba 3.5 build rather than CentOS' official 3.0.33.  The SerNet package was probably built to CentOS 5.4 or 5.5 specification, so you could be running into issues from the older policy version.  You may be able to track down more details on the precise SELinux changes in the CentOS or RedHat release notes.

Could you set up a test CentOS 5.5 server and try it on that?


Moray.
"To err is human.  To purr, feline"




--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux