Selinux does not allow samba
Henning Larsen
hennlar at start.no
Fri Feb 1 10:41:38 UTC 2008
On Fri, 2008-02-01 at 10:36 +1030, Tim wrote:
>What you allowed, I don't know. You didn't post that data.
>
>Reading the man file for semodule shows a "-r" remove module option.
>Give that a try.
>e.g. semodule -r mysamba.pp
semodule -r mysamba
That removed it
I got the alert back, here it is:
................
Summary
SELinux is preventing the samba daemon from serving r/o local files to
remote clients.
Detailed Description
SELinux has preventing the samba daemon (smbd) from reading files on the
local system. If you have not exported these file systems, this could
signals an intrusion.
Allowing Access
If you want to export file systems using samba you need to turn on the
samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".
The following command will allow this access:
setsebool -P samba_export_all_ro=1
Additional Information
Source Context system_u:system_r:smbd_t:s0
Target Context system_u:object_r:fusefs_t:s0
Target Objects None [ dir ]
Affected RPM Packages samba-3.0.28-0.fc8 [application]
Policy RPM selinux-policy-3.0.8-81.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.samba_export_all_ro
Host Name venus.popper.homeunix.com
Platform Linux venus.popper.homeunix.com 2.6.23.14-107.fc8 #1 SMP Mon Jan 14 21:37:30 EST 2008 i686 i686
Alert Count 1
First Seen Fri 01 Feb 2008 11:34:17 AM CET
Last Seen Fri 01 Feb 2008 11:34:17 AM CET
Local ID 6ed95377-42e5-4309-8a8d-fb1b5e06edee
Line Numbers
Raw Audit Messages
avc: denied { read } for comm=smbd dev=sdd1 egid=99 euid=99 exe=/usr/sbin/smbd exit=-13 fsgid=99 fsuid=99 gid=0 items=0 name=Documents pid=3363 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0 tty=(none) uid=99
..........
sealert tells me to do:
setsebool -P samba_export_all_ro=1
but it is already done, and has no effect.
Henning Larsen
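
An added example, not part of the original post: a small Python parser that reduces raw audit text like the message above to its type-enforcement tuple (source type, target type, object class, permission), which is the part of a denial to compare against what a boolean or policy module is meant to allow. The function names and the second sample record are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the raw audit message from the post, line-wrapped the
# way a mail client wraps it, plus one constructed record to show grouping.
SAMPLE = """\
avc: denied { read } for comm=smbd dev=sdd1 egid=99 euid=99
exe=/usr/sbin/smbd
exit=-13 fsgid=99 fsuid=99 gid=0 items=0 name=Documents pid=3363
scontext=system_u:system_r:smbd_t:s0 sgid=0
subj=system_u:system_r:smbd_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0 tty=(none)
uid=99
avc: denied { read search } for comm=smbd name=Music pid=3363
scontext=system_u:system_r:smbd_t:s0 tclass=dir
tcontext=system_u:object_r:fusefs_t:s0
"""

# One record runs from "avc: denied" up to the next record or end of text.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?)(?=\s*avc:\s+denied|$)")

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]

def parse_denials(text):
    """Yield one dict per AVC denial; records may wrap across lines."""
    flat = " ".join(text.split())  # undo line wrapping
    for m in AVC_RE.finditer(flat):
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        yield {
            "perms": tuple(m.group(1).split()),
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "name": fields.get("name"),
        }

def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for d in parse_denials(text):
        for perm in d["perms"]:
            counts[(d["source"], d["target"], d["tclass"], perm)] += 1
    return counts
```

For the message in the post, `summarize` reports `smbd_t` being denied `read` on a `dir` labelled `fusefs_t`.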