On 11/10/2016 11:18 AM, lejeczek wrote:
>
> On 10/11/16 10:07, Lukas Vrabec wrote:
>> On 11/09/2016 07:27 PM, lejeczek wrote:
>>> hi everyone
>>>
>>> I'm seeing there are some issues when one wants ctdb to control Samba.
>>> Do we have booleans or maybe somebody has a complete set of rules?
>>>
>>> I see (at least):
>>>
>>> #============= ctdbd_t ==============
>>> allow ctdbd_t cupsd_etc_t:dir getattr;
>>>
>>> #!!!! This avc is allowed in the current policy
>>> allow ctdbd_t kernel_t:system module_request;
>>> allow ctdbd_t kmsg_device_t:chr_file { write open };
>>> allow ctdbd_t samba_etc_t:lnk_file read;
>>> allow ctdbd_t samba_spool_t:dir { getattr search };
>>>
>>> #============= samba_net_t ==============
>>> allow samba_net_t fusefs_t:file { read getattr open };
>>> allow samba_net_t samba_etc_t:lnk_file read;
>>>
>>> #============= smbd_t ==============
>>>
>>> #!!!! This avc is allowed in the current policy
>>> allow smbd_t cupsd_etc_t:dir { write create add_name };
>>>
>>> #!!!! This avc is allowed in the current policy
>>> allow smbd_t samba_etc_t:lnk_file read;
>>>
>>> and I worry I am not missing some boolean.
>>> thx.
>>> L.
>>>
>>> _______________________________________________
>>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>
>> Hi,
>>
>> Could you describe what you are doing when you catch these AVCs?
>> Could you also attach raw AVC msgs? (/var/log/audit/audit.log)
>> What distro and version are you using?
>>
>> Thanks,
>> Lukas.
>
> hi Lukas
> maybe I'll describe a set of circumstances/settings (or maybe just one
> setting) that should help you to reproduce this selinux problem?
> I'll start with - CentOS 7.2 +
> selinux-policy-targeted-3.13.1-60.el7_2.9.noarch and then you want in
> your /etc/sysconfig/ctdb CTDB_MANAGES_SAMBA=yes which means that ctdb
> would be managing smb daemons.
> - you should see ctdb being unable to copy smb.conf (during startup)
> and then to access cups and maybe some more.

Ok, it makes sense to have these rules in the distribution policy. Could you open a new Fedora bug for these AVCs?

Thank you.

> regards
> L.

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
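Lukas asks for the raw AVC records behind the rules lejeczek posted. As an added example (not from this thread nor from the ctdb, Samba or selinux-policy projects), the script below shows how such records from /var/log/audit/audit.log map onto audit2allow-style `allow` rules, using constructed audit lines for the ctdbd_t and smbd_t denials the thread describes. It does not reproduce the "This avc is allowed in the current policy" annotation, which audit2allow derives from the loaded policy.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not captured from a real host): ctdbd
# failing to read the smb.conf symlink and /dev/kmsg, smbd failing on the
# same symlink, plus a SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1478776680.101:201): avc:  denied  { read } for  pid=2101 comm="ctdbd" name="smb.conf" dev="dm-0" ino=4711 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1478776680.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="ctdbd" exe="/usr/sbin/ctdbd" subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=AVC msg=audit(1478776680.105:202): avc:  denied  { open } for  pid=2101 comm="ctdbd" path="/dev/kmsg" dev="devtmpfs" ino=1033 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1478776680.105:203): avc:  denied  { write } for  pid=2101 comm="ctdbd" path="/dev/kmsg" dev="devtmpfs" ino=1033 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1478776681.300:210): avc:  denied  { read } for  pid=2188 comm="smbd" name="smb.conf" dev="dm-0" ino=4711 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=lnk_file permissive=0
"""

# Fields of an AVC denial record: the permission set and the two contexts.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Third colon-separated field of an SELinux context, e.g. ctdbd_t."""
    return context.split(":")[2]

def parse_denials(lines):
    """Collect denied permissions keyed by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-denial records carry no rule
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())  # merge repeated denials
    return denials

def allow_rules(denials):
    """Render denials in the per-source-type layout audit2allow prints."""
    out, current = [], None
    for (s, t, cls), perms in sorted(denials.items()):
        if s != current:
            out.append(f"#============= {s} ==============")
            current = s
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {s} {t}:{cls} {perm_str};")
    return "\n".join(out)

if __name__ == "__main__":
    print(allow_rules(parse_denials(SAMPLE_AUDIT_LOG.splitlines())))
```

Read the generated rules before loading anything from them: the point is to identify which accesses the distribution policy is missing, as the thread concludes, not to allow every denial the log contains.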