Selinux breaks samba with no AVC's...

Tom Lisjac netdxr at
Tue Sep 27 20:44:35 UTC 2005

I'm trying to make samba shares available on a new FC4 server I've
just built that's running selinux-policy-targeted-1.27.1-2.1. I
relabelled after the update the other day, ran permissive until
everything worked, added the following to local.te and recompiled the
policy sources:

allow smbd_t home_root_t:dir { getattr search };
allow smbd_t httpd_sys_content_t:dir { getattr read remove_name search write };
allow smbd_t httpd_sys_content_t:file { getattr lock read unlink };
allow smbd_t samba_net_tmp_t:file { getattr read write };
allow smbd_t user_home_dir_t:dir { getattr read };
allow smbd_t user_home_t:dir getattr;
allow smbd_t user_home_t:file getattr;

When I switched to enforcing, I couldn't connect... and there were no
new AVC's. Switching back to permissive worked.

I've never seen this behavior before. In the past when enforcing,
there has always been an AVC to explain a denial of service. This time
there wasn't. Turning off selinux fixes the problem so there must be a

Disabling selinux seems to be my only alternative... but I'd rather
not. Any suggestions would be appreciated.


More information about the fedora-selinux-list mailing list