On 10/11/16 10:07, Lukas Vrabec wrote:
On 11/09/2016 07:27 PM, lejeczek wrote:
Hi everyone,
I'm seeing there are some issues when one wants ctdb to
control Samba.
Do we have booleans or maybe somebody has a complete set
of rules?
I see (at least):
#============= ctdbd_t ==============
allow ctdbd_t cupsd_etc_t:dir getattr;
#!!!! This avc is allowed in the current policy
allow ctdbd_t kernel_t:system module_request;
allow ctdbd_t kmsg_device_t:chr_file { write open };
allow ctdbd_t samba_etc_t:lnk_file read;
allow ctdbd_t samba_spool_t:dir { getattr search };
#============= samba_net_t ==============
allow samba_net_t fusefs_t:file { read getattr open };
allow samba_net_t samba_etc_t:lnk_file read;
#============= smbd_t ==============
#!!!! This avc is allowed in the current policy
allow smbd_t cupsd_etc_t:dir { write create add_name };
#!!!! This avc is allowed in the current policy
allow smbd_t samba_etc_t:lnk_file read;
and I worry I am not missing some boolean.
thx.
L.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to
selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Could you describe what you are doing when you catch
these AVCs?
Could you also attach raw AVC msgs?
(/var/log/audit/audit.log)
What distro and version are you using?
Thanks,
Lukas.
Hi Lukas,
maybe I'll describe the set of circumstances/settings (or maybe
just one setting) that should help you to reproduce this
SELinux problem?
I'll start with CentOS 7.2 +
selinux-policy-targeted-3.13.1-60.el7_2.9.noarch, and then
you want CTDB_MANAGES_SAMBA=yes in your /etc/sysconfig/ctdb,
which means that ctdb would be managing the smb daemons. You
should see ctdb being unable to copy smb.conf (during
startup) and then to access cups and maybe some more.
regards
L.
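
Added example, not part of the thread or of the selinux-policy project: a Python script that parses the audit2allow output posted in the first message, sets aside the rules audit2allow marked as already allowed by the current policy, and renders the remaining ones as source for a local policy module. The module name `local_ctdb_samba` and the function names are assumptions chosen for illustration.

```python
import re
# audit2allow output copied from the first message of the thread.
REPORT = """\
#============= ctdbd_t ==============
allow ctdbd_t cupsd_etc_t:dir getattr;
#!!!! This avc is allowed in the current policy
allow ctdbd_t kernel_t:system module_request;
allow ctdbd_t kmsg_device_t:chr_file { write open };
allow ctdbd_t samba_etc_t:lnk_file read;
allow ctdbd_t samba_spool_t:dir { getattr search };
#============= samba_net_t ==============
allow samba_net_t fusefs_t:file { read getattr open };
allow samba_net_t samba_etc_t:lnk_file read;
#============= smbd_t ==============
#!!!! This avc is allowed in the current policy
allow smbd_t cupsd_etc_t:dir { write create add_name };
#!!!! This avc is allowed in the current policy
allow smbd_t samba_etc_t:lnk_file read;
"""
RULE = re.compile(r"allow (\w+) (\w+):(\w+) (?:\{\s*([^}]+?)\s*\}|(\w+));")

def split_rules(report):
    """Return (needed, covered): rules absent from / already in the loaded policy."""
    needed, covered, flagged = [], [], False
    for line in report.splitlines():
        if line.startswith("#"):
            # A "#!!!!" note applies to the single allow rule that follows it.
            flagged = flagged or "allowed in the current policy" in line
            continue
        m = RULE.fullmatch(line.strip())
        if m:
            rule = (*m.group(1, 2, 3), tuple((m.group(4) or m.group(5)).split()))
            (covered if flagged else needed).append(rule)
            flagged = False
    return needed, covered

def type_enforcement(name, rules):
    """Render .te source for a local module holding only `rules`."""
    types = sorted({t for rule in rules for t in rule[:2]})
    classes = {}
    for _, _, cls, perms in rules:
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"] + [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for s, t, c, p in rules]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(type_enforcement("local_ctdb_samba", split_rules(REPORT)[0]))
```

Each remaining rule is worth reviewing before it is loaded; the rendered source can be compiled with checkmodule and semodule_package and installed with semodule -i.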