On Fri, Jul 23, 2010 at 5:14 PM, Kloc, Alisha <Alisha.Kloc@xxxxxxxxxx> wrote: > Hi, > > Due to change management, for the moment at least we're stuck with RHEL 5.2. However, I get the exact same errors when using the version of Samba (3.0.28) included with RHEL 5.2, so I doubt it's a version incompatibility. > > It seems as if SELinux has got the idea that Samba-related anything is illegal and should be blocked, but there's no way to tell it otherwise, since the Boolean switches, restorecon, and relabeling don't work. > > How can I fix SELinux so it stops blocking all Samba-related files, daemons, and pipes? 2 possibility in RHEL 5 (i exclude the global setenforce 0 or disabling selinux): 1 - disable the samba domain transition setsebool -P smbd_disable_trans on setsebool -P winbind_disable_trans on setsebool -P nmbd_disable_trans on This is the preferred option, besides the possibility of some labelling and denial problem if some other confined domain need to talk with samba (example squid) 2 - label /etc/init.d/ so that init transition it to the unconfined_t domain chcon -t unconfined_exec_t /etc/init.d/winbind chcon -t unconfined_exec_t /etc/init.d/smb use semanage fscontext if you want to survive to a autorelabel 2 no survive to a rpm update hth 2 - > > Regarding looking over the release notes, I haven't been able to find any SELinux release notes, new policy releases/updates, or really anything centralized regarding SELinux. The NSA page is no longer being updated, and it links to a Fedora Core web page which has some information, but no downloadable updates or policies that I can find. The Fedora Core page links to dozens of other apparently unofficial, or at least non-SELinux-branded, sites, which offer lots of secondary tools for SELinux but no actual policies or updates. Red Hat's support website has a single SELinux howto document written for RHEL4, and no policies or updates, and I haven't been able to find anyplace else that offers new/updated SELinux policies for download (except the occasional unofficial link on mailing list archives or Bugzilla, neither of which sources is approved by change management). > > Does an official SELinux updates/policy page exist at all? If so, where can I find it? > > Thanks! > -Alisha > > > > > -----Original Message----- > From: selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Moray Henderson > Sent: Thursday, July 22, 2010 1:40 AM > To: Kloc, Alisha; selinux@xxxxxxxxxxxxxxxxxxxxxxx > Subject: RE: SELinux, Samba, & Winbind > > Kloc, Alisha wrote: >>I am trying to set up basic Samba/Winbind on a RHEL5.2 server. But >>every time I try to do anything - join a domain, run a test join, >>change configuration settings, basically anything that calls any object >>related to Samba or Winbind - SELinux blocks it. >> >>Disabling protection for the winbind daemon in the boolean settings >>changes SELinux to blocking /var/run/winbindd/pipe instead. I've run >>restorecon where possible, and done a full relabel of the whole system, >>multiple times. Nothing changes. I haven't moved any system files and >>I'm following the official Samba setup documentation. >> >>I'm utterly at a loss. Something must be broken because I can't imagine >>a default SELinux policy that blocks all Samba/Winbind activity would >>have made it past RHEL5's quality control. But I can't figure out what it is. >> >>Please help! >> >>Thanks in advance, >>-Alisha >> >>_____________________________________ >> >>[root@myhost ~]# net ads testjoin >>[2010/07/21 18:28:39.357159, 0] >>libads/kerberos.c:915(create_local_private_krb5_conf_for_domain) >> create_local_private_krb5_conf_for_domain: failed to create directory >>/var/lib/samba/smb_krb5. Error was Permission denied >>[2010/07/21 18:28:39.359054, 0] >>libads/kerberos.c:915(create_local_private_krb5_conf_for_domain) >> create_local_private_krb5_conf_for_domain: failed to create directory >>/var/lib/samba/smb_krb5. Error was Permission denied Join is OK >>_____________________________________ >> >>Summary: >>SELinux is preventing the net from using potentially mislabeled files >>(/tmp/.winbindd). >> >>Detailed Description >>SELinux has denied net access to potentially mislabeled file(s) >>(/tmp/.winbindd). This means that SELinux will not allow net to use > these >>files. It is common for users to edit files in their home directory or > tmp >>directories and then move (mv) them to system directories. The problem > is >>that the files end up with the wrong file context which confined >>applications are not allowed to access. >> >>Allowing Access >>If you want net to access this files, you need to relabel them using >>restorecon -v '/tmp/.winbindd'. You might want to relabel the entire >>directory using restorecon -R -v '/tmp/.winbindd'. >> >>Additional Information >> >>Source Context: root:system_r:samba_net_t:SystemLow-SystemHighTarget >>Context: system_u:object_r:winbind_tmp_t Target Objects: >>/tmp/.winbindd [ dir ] >>Source: net >>Source Path: /usr/bin/net >>Port: <Unknown> >>Host: <my-hostname> >>Source RPM Packages: samba3-client-3.5.4-43.el5 Target RPM Packages: >>Policy RPM: selinux-policy-2.4.6-137.el5 Selinux Enabled: True Policy >>Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin >>Name: home_tmp_bad_labels Host Name: <my-hostname> >>Platform: Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 >>EDT 2008 i686 i686 Alert Count: 24 First Seen: Wed 21 Jul 2010 >>05:56:30 PM GMT Last Seen: Wed 21 Jul 2010 06:08:40 PM GMT Local ID: >>0c95a6b7-9a92-4950-bb1d-9b74686685ea >>Line Numbers: >>Raw Audit Messages : >>host=<my-hostname> type=AVC msg=audit(1279735720.83:120): avc: denied { >>getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3 >>ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 >>tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir >>host=<my-hostname> type=SYSCALL msg=audit(1279735720.83:120): >>arch=40000003 syscall=196 success=no exit=-13 a0=2ae6b6 a1=bfa92f0c >>a2=cabff4 a3=2ae6b6 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 > euid=0 >>suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" >>exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 >>key=(null) >>______________________________________ >> >>Summary: >> >>SELinux is preventing net (samba_net_t) "read" to ./filesystems > (proc_t). >> >>Detailed Description: >>SELinux denied access requested by net. It is not expected that this >>access is required by net and this access may signal an intrusion > attempt. >>It is also possible that the specific version or configuration of the >>application is causing it to require additional access. >> >>Allowing Access: >>Sometimes labeling problems can cause SELinux denials. You could try to >>restore the default system file context for ./filesystems, restorecon >>-v './filesystems' >> >>If this does not work, there is currently no automatic way to allow > this >>access. Instead, you can generate a local policy module to allow this >>access - see FAQ (http://fedora.redhat.com/docs/selinux-faq- >>fc5/#id2961385) Or you can disable SELinux protection altogether. >>Disabling SELinux protection is not recommended. Please file a bug > report >>(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) >>against this package. >> >>Additional Information: >>Source Context root:system_r:samba_net_t:SystemLow- >>SystemHigh >>Target Context system_u:object_r:proc_t >>Target Objects ./filesystems [ file ] >>Source net >>Source Path /usr/bin/net >>Port <Unknown> >>Host <my-hostname> >>Source RPM Packages samba3-client-3.5.4-43.el5 >>Target RPM Packages >>Policy RPM selinux-policy-2.4.6-137.el5 >>Selinux Enabled True >>Policy Type targeted >>MLS Enabled True >>Enforcing Mode Enforcing >>Plugin Name catchall_file >>Host Name <my-hostname> >>Platform Linux <my-hostname> 2.6.18-92.el5 #1 SMP > Tue >>Apr 29 13:16:12 EDT 2008 i686 i686 >>Alert Count 12 >>First Seen Wed 21 Jul 2010 05:56:30 PM GMT >>Last Seen Wed 21 Jul 2010 06:08:39 PM GMT >>Local ID 1f71cc35-0ccc-4104-8c99-5158849a8cb1 >>Line Numbers >> >>Raw Audit Messages >>host=<my-hostname> type=AVC msg=audit(1279735719.957:114): avc: denied >>{ read } for pid=7064 comm="net" name="filesystems" dev=proc ino=- >>268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 >>tcontext=system_u:object_r:proc_t:s0 tclass=file host=<my-hostname> >>type=SYSCALL msg=audit(1279735719.957:114): >>arch=40000003 syscall=5 success=no exit=-13 a0=ab1390 a1=8000 a2=0 > a3=8000 >>items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 >>sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" >>subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null) >>_____________________________________ > > > Hi Alisha, > > Your CentOS 5.2 SELinux policy is selinux-policy-2.4.6-137.el5, while the CentOS 5.5 policy version is selinux-policy-devel-2.4.6-279.el5. > There have obviously been a lot of changes made. You're using SerNet's latest Samba 3.5 build rather than CentOS' official 3.0.33. The SerNet package was probably built to CentOS 5.4 or 5.5 specification, so you could be running into issues from the older policy version. You may be able to track down more details on the precise SELinux changes in the CentOS or RedHat release notes. > > Could you set up a test CentOS 5.5 server and try it on that? > > > Moray. > "To err is human. To purr, feline" > > > > > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux > -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux