fc6 and samba

Daniel J Walsh dwalsh at redhat.com
Tue Mar 27 15:22:54 UTC 2007


selinux at lucullo.it wrote:
> hi,
>
> my samba installation on fc6 has some problems due to
> selinux.
>
> this is the issue:
>
>
>
> --------------------------------------------------------
>
> Mar 27 16:14:11 francesca kernel: audit(1175004851.436:88): avc:  denied  { unlink } for  pid=3414 comm="winbindd" name="pipe" dev=hda3 ino=9886377 scontext=root:system_r:winbind_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file
> Mar 27 16:14:11 francesca winbindd[3414]: [2007/03/27 16:14:11, 0] lib/util_sock.c:create_pipe_sock(1308)
> Mar 27 16:14:11 francesca winbindd[3414]:   bind failed on pipe socket /var/cache/samba/winbindd_privileged/pipe: Address already in use
> Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
> Mar 27 16:14:24 francesca smbd[3420]:   get_md4pw: Workstation FRANCESCA$: no account in domain
> Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
> Mar 27 16:14:24 francesca smbd[3420]:   _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED
> Mar 27 16:14:29 francesca smbd[3421]: [2007/03/27 16:14:29, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
> Mar 27 16:14:29 francesca kernel: audit(1175004869.820:89): avc:  denied  { search } for  pid=3422 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
> Mar 27 16:14:29 francesca smbd[3421]:   _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82
> Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
> Mar 27 16:14:34 francesca smbd[3424]:   get_md4pw: Workstation FRANCESCA$: no account in domain
> Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
> Mar 27 16:14:34 francesca smbd[3424]:   _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED
> Mar 27 16:14:38 francesca kernel: audit(1175004878.895:90): avc:  denied  { search } for  pid=3426 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
> Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27 16:14:38, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
> Mar 27 16:14:38 francesca smbd[3425]:   _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82
> --------------------------------
>
>
> and this is the samba commands:
>
> [root at francesca ~]# ls -Zla /usr/bin/smb*
> -rwxr-xr-x 1 system_u:object_r:bin_t          root root 2112904 Feb  7 23:54 /usr/bin/smbcacls
> -rwxr-xr-x 1 system_u:object_r:bin_t          root root 1184704 Feb  7 23:54 /usr/bin/smbclient
> -rwxr-xr-x 1 system_u:object_r:bin_t          root root  748868 Feb  7 23:54 /usr/bin/smbcontrol
> -rwxr-xr-x 1 system_u:object_r:bin_t          root root 2002924 Feb  7 23:54 /usr/bin/smbcquotas
> -rwxr-xr-x 1 system_u:object_r:bin_t          root root   10240 Nov 21 17:21 /usr/bin/smbencrypt
> -rwxr-xr-x 1 system_u:object_r:bin_t          root root 2080808 Feb  7 23:54 /usr/bin/smbget
> -rwxr-xr-x 1 system_u:object_r:bin_t          root root 2006952 Feb  7 23:54 /usr/bin/smbpasswd
> -rwxr-xr-x 1 system_u:object_r:bin_t          root root    2295 Feb  7 23:53 /usr/bin/smbprint
> -rwxr-xr-x 1 system_u:object_r:bin_t          root root  913140 Feb  7 23:54 /usr/bin/smbspool
> -rwxr-xr-x 1 system_u:object_r:bin_t          root root  728000 Feb  7 23:54 /usr/bin/smbstatus
> -rwxr-xr-x 1 system_u:object_r:bin_t          root root    4896 Feb  7 23:53 /usr/bin/smbtar
> -rwxr-xr-x 1 system_u:object_r:bin_t          root root 1093408 Feb  7 23:54 /usr/bin/smbtree
>
> how can i fix this problem?
>
> thank you in advance.
>
> vittorio
>

Easiest thing to do is to create a loadable policy module and install 
it.  You can do this with the following commands.

audit2allow -i /var/log/audit/audit.log -M mysamba
semodule -i mysamba.pp

This will add the following two rules to policy

allow smbd_t bin_t:dir search;  # WHICH I HAVE ALREADY ADDED TO THE NEXT FC6 UPDATE.

#============= winbind_t ==============
allow winbind_t samba_var_t:sock_file unlink;  # THIS IS CAUSED BY A LABELING PROBLEM, WHICH WILL ALSO BE FIXED IN THE NEXT UPDATE.

selinux-policy-2.4.6-48








