fc6 and samba

selinux at lucullo.it selinux at lucullo.it
Tue Mar 27 16:51:34 UTC 2007


thank you.. i will try right now...

...but i have a question about the ls -Z command:

can i change the security context of these files 

/usr/bin/smb*


rather than changing the policy rules?

thank you again


----- Original Message -----
From : Daniel J Walsh <dwalsh at redhat.com>
To : "selinux at lucullo.it" <selinux at lucullo.it>
Cc: fedora-selinux-list at redhat.com
Subject : Re: fc6 and samba
Date : Tue, 27 Mar 2007 11:22:54 -0400

> selinux at lucullo.it wrote:
> > hi,
> >
> > my samba installation on fc6 has some problems due to
> > selinux.
> >
> > this is the issue:
> >
> >
> >
> > --------------------------------------------------------
> >
> > Mar 27 16:14:11 francesca kernel: audit(1175004851.436:88): avc:  denied  { unlink } for  pid=3414 comm="winbindd" name="pipe" dev=hda3 ino=9886377 scontext=root:system_r:winbind_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file
> > Mar 27 16:14:11 francesca winbindd[3414]: [2007/03/27 16:14:11, 0] lib/util_sock.c:create_pipe_sock(1308)
> > Mar 27 16:14:11 francesca winbindd[3414]:   bind failed on pipe socket /var/cache/samba/winbindd_privileged/pipe: Address already in use
> > Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
> > Mar 27 16:14:24 francesca smbd[3420]:   get_md4pw: Workstation FRANCESCA$: no account in domain
> > Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
> > Mar 27 16:14:24 francesca smbd[3420]:   _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED
> > Mar 27 16:14:29 francesca smbd[3421]: [2007/03/27 16:14:29, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
> > Mar 27 16:14:29 francesca kernel: audit(1175004869.820:89): avc:  denied  { search } for  pid=3422 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
> > Mar 27 16:14:29 francesca smbd[3421]:   _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82
> > Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
> > Mar 27 16:14:34 francesca smbd[3424]:   get_md4pw: Workstation FRANCESCA$: no account in domain
> > Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
> > Mar 27 16:14:34 francesca smbd[3424]:   _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED
> > Mar 27 16:14:38 francesca kernel: audit(1175004878.895:90): avc:  denied  { search } for  pid=3426 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
> > Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27 16:14:38, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
> > Mar 27 16:14:38 francesca smbd[3425]:   _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82
> > --------------------------------
> >
> >
> > and these are the samba commands:
> >
> > [root at francesca ~]# ls -Zla /usr/bin/smb*
> > -rwxr-xr-x 1 system_u:object_r:bin_t          root root 2112904 Feb  7 23:54 /usr/bin/smbcacls
> > -rwxr-xr-x 1 system_u:object_r:bin_t          root root 1184704 Feb  7 23:54 /usr/bin/smbclient
> > -rwxr-xr-x 1 system_u:object_r:bin_t          root root  748868 Feb  7 23:54 /usr/bin/smbcontrol
> > -rwxr-xr-x 1 system_u:object_r:bin_t          root root 2002924 Feb  7 23:54 /usr/bin/smbcquotas
> > -rwxr-xr-x 1 system_u:object_r:bin_t          root root   10240 Nov 21 17:21 /usr/bin/smbencrypt
> > -rwxr-xr-x 1 system_u:object_r:bin_t          root root 2080808 Feb  7 23:54 /usr/bin/smbget
> > -rwxr-xr-x 1 system_u:object_r:bin_t          root root 2006952 Feb  7 23:54 /usr/bin/smbpasswd
> > -rwxr-xr-x 1 system_u:object_r:bin_t          root root    2295 Feb  7 23:53 /usr/bin/smbprint
> > -rwxr-xr-x 1 system_u:object_r:bin_t          root root  913140 Feb  7 23:54 /usr/bin/smbspool
> > -rwxr-xr-x 1 system_u:object_r:bin_t          root root  728000 Feb  7 23:54 /usr/bin/smbstatus
> > -rwxr-xr-x 1 system_u:object_r:bin_t          root root    4896 Feb  7 23:53 /usr/bin/smbtar
> > -rwxr-xr-x 1 system_u:object_r:bin_t          root root 1093408 Feb  7 23:54 /usr/bin/smbtree
> >
> > how can i fix this problem?
> >
> > thank you in advance.
> >
> > vittorio
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> >
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> 
> Easiest thing to do is to create a loadable policy module
> and install  it.  You can do this with the following
> commands.
> 
> audit2allow -i /var/log/audit/audit.log -M mysamba
> semodule -i mysamba.pp
> 
> This will add the following two rules to policy
> 
> allow smbd_t bin_t:dir search;  # WHICH I HAVE ALREADY ADDED TO THE NEXT FC6 UPDATE.
> 
> #============= winbind_t ==============
> allow winbind_t samba_var_t:sock_file unlink;  # THIS IS CAUSED BY A LABELING PROBLEM, WHICH WILL ALSO BE FIXED IN THE NEXT UPDATE.
> 
> selinux-policy-2.4.6-48
> 
> 
> 
> 
> 
> 



