Samba won't dance [Solved - sort of - NOT] Selinux related???
Daniel J Walsh
dwalsh at redhat.com
Mon Apr 21 19:37:55 UTC 2008
Claude Jones wrote:
> On Thu April 17 2008, Claude Jones wrote:
>> I can't declare victory. I am now networked,
>
> I now know how to break it. Just declare victory. It doesn't have to be total;
> victory declarations, qualified, with reservations, with lots of
> uselessmumbling, etc...work, too!
>
> Just switched over to an XP box that had been reliably browsing my Fedora box
> for the past hour, and got a "can't find" error. Turned off the firewall on
> Fedora, went back to the XP machine, and the connection is restored... WTF??
>
> I doubt this is relevant, but here are the relevant entries in iptables:
>
> Chain INBOUND (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- 192.168.2.0/24 anywhere
> ACCEPT all -- 192.168.2.1 anywhere
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
> ACCEPT udp -- anywhere anywhere udp dpt:ssh
> ACCEPT tcp -- anywhere anywhere tcp dpts:6881:6889
> ACCEPT udp -- anywhere anywhere udp dpts:6881:6889
> ACCEPT tcp -- anywhere anywhere tcp dpt:35986
> ACCEPT udp -- anywhere anywhere udp dpt:35986
> ACCEPT tcp -- 192.168.2.0/24 anywhere tcp dpt:ipp
> ACCEPT udp -- 192.168.2.0/24 anywhere udp dpt:ipp
> ACCEPT tcp -- 192.168.2.0/24 anywhere tcp dpts:netbios-ns:netbios-ssn
> ACCEPT udp -- 192.168.2.0/24 anywhere udp dpts:netbios-ns:netbios-ssn
> ACCEPT tcp -- 192.168.2.0/24 anywhere tcp dpt:microsoft-ds
> ACCEPT udp -- 192.168.2.0/24 anywhere udp dpt:microsoft-ds
> ACCEPT tcp -- 192.168.2.0/24 anywhere tcp dpt:sunrpc
> ACCEPT udp -- 192.168.2.0/24 anywhere udp dpt:sunrpc
> ACCEPT tcp -- 192.168.2.0/24 anywhere tcp dpt:nfs
> ACCEPT udp -- 192.168.2.0/24 anywhere udp dpt:nfs
> ACCEPT tcp -- 192.168.2.0/24 anywhere tcp dpt:domain
> ACCEPT udp -- 192.168.2.0/24 anywhere udp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:domain
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> LSI all -- anywhere anywhere
> ***************************************
> I know there are issues in there, but, the main point is, why did it suddenly
> go dark? Why did it work for a couple of hours this am, and all night, then
> suddenly lose it?
> ***************************************
> and there's the Samba and Selinux issue - I'm getting tons of these:
>
>
> Summary:
>
> SELinux is preventing smbd (smbd_t) "getattr" to /dev/sde1 (fixed_disk_device_t).
>
> Detailed Description:
>
> SELinux denied access requested by smbd. It is not expected that this access
> is required by smbd and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application
> is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /dev/sde1,
>
> restorecon -v '/dev/sde1'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:smbd_t
> Target Context system_u:object_r:fixed_disk_device_t
> Target Objects /dev/sde1 [ blk_file ]
> Source smbd
> Source Path /usr/sbin/smbd
> Port <Unknown>
> Host tehogee1
> Source RPM Packages samba-3.0.28a-0.fc8
> Target RPM Packages
> Policy RPM selinux-policy-3.0.8-98.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name tehogee1
> Platform Linux tehogee1 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 i686
> Alert Count 3
> First Seen Wed 16 Apr 2008 08:39:18 AM EDT
> Last Seen Wed 16 Apr 2008 08:43:18 AM EDT
> Local ID 83d6b661-2e3b-482a-ada7-ca94aa1f5eb6
> Line Numbers
>
> Raw Audit Messages
>
> host=tehogee1 type=AVC msg=audit(1208349798.310:1590): avc: denied {
> getattr } for pid=32296 comm="smbd" path="/dev/sde1" dev=tmpfs ino=323202
> scontext=unconfined_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
>
> host=tehogee1 type=SYSCALL msg=audit(1208349798.310:1590): arch=40000003
> syscall=195 success=no exit=-13 a0=bfd7a694 a1=bfd79e14 a2=4c5ff4 a3=bfd79e14
> items=0 ppid=31287 pid=32296 auid=500 uid=99 gid=0 euid=99 suid=0 fsuid=99
> egid=99 sgid=0 fsgid=99 tty=(none) comm="smbd" exe="/usr/sbin/smbd"
> subj=unconfined_u:system_r:smbd_t:s0 key=(null)
>
> ********************************************
> or even more germane, this:
>
>
> Summary:
>
> SELinux is preventing the samba daemon from serving r/o local files to remote
> clients.
>
> Detailed Description:
>
> SELinux has prevented the samba daemon (smbd) from reading files on the
> local system. If you have not exported these file systems, this could
> signal an intrusion.
>
> Allowing Access:
>
> If you want to export file systems using samba you need to turn on the
> samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".
>
> The following command will allow this access:
>
> setsebool -P samba_export_all_ro=1
>
> Additional Information:
>
> Source Context system_u:system_r:smbd_t
> Target Context system_u:object_r:var_t
> Target Objects ./srv [ dir ]
> Source smbd
> Source Path /usr/sbin/smbd
> Port <Unknown>
> Host tehogee1
> Source RPM Packages samba-3.0.28a-0.fc8
> Target RPM Packages filesystem-2.4.11-1.fc8
> Policy RPM selinux-policy-3.0.8-98.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name samba_export_all_ro
> Host Name tehogee1
> Platform Linux tehogee1 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 i686
> Alert Count 8
> First Seen Wed 16 Apr 2008 10:06:11 PM EDT
> Last Seen Wed 16 Apr 2008 10:06:15 PM EDT
> Local ID dd8cb0d1-fac0-495c-89e6-c115d60ad66f
> Line Numbers
>
> Raw Audit Messages
>
> host=tehogee1 type=AVC msg=audit(1208397975.959:367): avc: denied { read }
> for pid=28749 comm="smbd" name="srv" dev=sda3 ino=26312705
> scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=dir
>
> host=tehogee1 type=SYSCALL msg=audit(1208397975.959:367): arch=40000003
> syscall=5 success=no exit=-13 a0=b864d098 a1=98800 a2=bf9291fc a3=b86651c8
> items=0 ppid=3353 pid=28749 auid=4294967295 uid=99 gid=0 euid=99 suid=0
> fsuid=99 egid=99 sgid=0 fsgid=99 tty=(none) comm="smbd" exe="/usr/sbin/smbd"
> subj=system_u:system_r:smbd_t:s0 key=(null)
>
> *********************************************
>
> I have run the suggested command to fix the last, but to no avail.
>
For the SELinux issue, you need to turn on a boolean, either
samba_export_all_ro or samba_export_all_rw:

setsebool -P samba_export_all_ro=1
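The two denials quoted above, as an added example that is not part of this thread or of any Fedora tool: a small POSIX shell helper that parses the raw AVC lines from the setroubleshoot output, tells an smbd_t denial on a generically labelled share directory (var_t) apart from one on a block device, and prints the narrowest fix for each. Assumptions: the samba_share_t labelling route (semanage fcontext plus restorecon) is a standard, more targeted alternative added here that the thread itself does not mention; SHARE is a placeholder for the exported path; the sample AVC lines are constructed from the ones quoted above.

```shell
# Added example (not from the thread): classify an smbd AVC denial by its
# target type and object class, and print the narrowest fix for each case.
# Input is the raw "type=AVC ... avc: denied { perm } for ..." line that
# setroubleshoot prints under "Raw Audit Messages".

# Constructed sample lines, modelled on the two alerts quoted in the thread.
AVC_SHARE='type=AVC msg=audit(1208397975.959:367): avc: denied { read } for pid=28749 comm="smbd" name="srv" dev=sda3 ino=26312705 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'
AVC_DEVICE='type=AVC msg=audit(1208349798.310:1590): avc: denied { getattr } for pid=32296 comm="smbd" path="/dev/sde1" dev=tmpfs ino=323202 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file'

# avc_field LINE KEY: value of the " KEY=value" token, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}
# avc_perm LINE: the permission inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p'
}
# type_of CONTEXT: the type field of user:role:type:level.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# smbd_classify LINE: prints not_smbd | share_label | device_node | unknown
smbd_classify() {
    _src=$(type_of "$(avc_field "$1" scontext)")
    _tgt=$(type_of "$(avc_field "$1" tcontext)")
    _cls=$(avc_field "$1" tclass)
    [ "$_src" = smbd_t ] || { echo not_smbd; return; }
    case "$_tgt:$_cls" in
        var_t:dir|var_t:file)         echo share_label ;;
        fixed_disk_device_t:blk_file) echo device_node ;;
        *)                            echo unknown ;;
    esac
}

# smbd_fix LINE: remediation text for the class above. SHARE is a placeholder
# for the exported directory. Labelling the export samba_share_t is the
# narrow fix; the samba_export_all_ro boolean from the thread is the blanket one.
smbd_fix() {
    case "$(smbd_classify "$1")" in
        share_label) echo "label the export: semanage fcontext -a -t samba_share_t 'SHARE(/.*)?' && restorecon -R SHARE (or the blanket setsebool -P samba_export_all_ro=1)" ;;
        device_node) echo "smbd $(avc_perm "$1") on a block device: check smb.conf for a share path under /dev rather than allowing it" ;;
        not_smbd)    echo "source is not smbd_t; not a Samba denial" ;;
        *)           echo "unrecognised denial; inspect with audit2allow -w before adding policy" ;;
    esac
}

for l in "$AVC_SHARE" "$AVC_DEVICE"; do smbd_fix "$l"; done
```

Feed real lines with something like `grep 'comm="smbd"' /var/log/audit/audit.log | while read -r l; do smbd_fix "$l"; done`; anything that comes back as unknown deserves a look before any policy is loosened.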