Hi,
Due to change management, for the moment at least we're stuck with RHEL 5.2. However,
I get the exact same errors when using the version of Samba (3.0.28) included with RHEL
5.2, so I doubt it's a version incompatibility.
It seems as if SELinux has got the idea that Samba-related anything is illegal and should
be blocked, but there's no way to tell it otherwise, since the Boolean switches,
restorecon, and relabeling don't work.
How can I fix SELinux so it stops blocking all Samba-related files, daemons, and pipes?
Regarding looking over the release notes, I haven't been able to find any SELinux
release notes, new policy releases/updates, or really anything centralized regarding
SELinux. The NSA page is no longer being updated, and it links to a Fedora Core web page
which has some information, but no downloadable updates or policies that I can find. The
Fedora Core page links to dozens of other apparently unofficial, or at least
non-SELinux-branded, sites, which offer lots of secondary tools for SELinux but no actual
policies or updates. Red Hat's support website has a single SELinux howto document
written for RHEL4, and no policies or updates, and I haven't been able to find
anyplace else that offers new/updated SELinux policies for download (except the occasional
unofficial link on mailing list archives or Bugzilla, neither of which sources is approved
by change management).
Does an official SELinux updates/policy page exist at all? If so, where can I find it?
Thanks!
-Alisha
-----Original Message-----
From: selinux-bounces(a)lists.fedoraproject.org
[mailto:selinux-bounces@lists.fedoraproject.org] On Behalf Of Moray Henderson
Sent: Thursday, July 22, 2010 1:40 AM
To: Kloc, Alisha; selinux(a)lists.fedoraproject.org
Subject: RE: SELinux, Samba, & Winbind
Kloc, Alisha wrote:
I am trying to set up basic Samba/Winbind on a RHEL5.2 server. But
every time I try to do anything - join a domain, run a test join,
change configuration settings, basically anything that calls any object
related to Samba or Winbind - SELinux blocks it.
Disabling protection for the winbind daemon in the boolean settings
changes SELinux to blocking /var/run/winbindd/pipe instead. I've run
restorecon where possible, and done a full relabel of the whole system,
multiple times. Nothing changes. I haven't moved any system files and
I'm following the official Samba setup documentation.
I'm utterly at a loss. Something must be broken because I can't imagine
a default SELinux policy that blocks all Samba/Winbind activity would
have made it past RHEL5's quality control. But I can't figure out what it is.
Please help!
Thanks in advance,
-Alisha
_____________________________________
[root@myhost ~]# net ads testjoin
[2010/07/21 18:28:39.357159, 0]
libads/kerberos.c:915(create_local_private_krb5_conf_for_domain)
create_local_private_krb5_conf_for_domain: failed to create directory
/var/lib/samba/smb_krb5. Error was Permission denied
[2010/07/21 18:28:39.359054, 0]
libads/kerberos.c:915(create_local_private_krb5_conf_for_domain)
create_local_private_krb5_conf_for_domain: failed to create directory
/var/lib/samba/smb_krb5. Error was Permission denied
Join is OK
_____________________________________
Summary:
SELinux is preventing the net from using potentially mislabeled files
(/tmp/.winbindd).
Detailed Description
SELinux has denied net access to potentially mislabeled file(s) (/tmp/.winbindd). This means that SELinux will not allow net to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.
Allowing Access
If you want net to access this files, you need to relabel them using
restorecon -v '/tmp/.winbindd'. You might want to relabel the entire
directory using restorecon -R -v '/tmp/.winbindd'.
Additional Information
Source Context: root:system_r:samba_net_t:SystemLow-SystemHigh
Target Context: system_u:object_r:winbind_tmp_t
Target Objects: /tmp/.winbindd [ dir ]
Source: net
Source Path: /usr/bin/net
Port: <Unknown>
Host: <my-hostname>
Source RPM Packages: samba3-client-3.5.4-43.el5
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-137.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: home_tmp_bad_labels
Host Name: <my-hostname>
Platform: Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686
Alert Count: 24
First Seen: Wed 21 Jul 2010 05:56:30 PM GMT
Last Seen: Wed 21 Jul 2010 06:08:40 PM GMT
Local ID: 0c95a6b7-9a92-4950-bb1d-9b74686685ea
Line Numbers:
Raw Audit Messages :
host=<my-hostname> type=AVC msg=audit(1279735720.83:120): avc: denied { getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3 ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir
host=<my-hostname> type=SYSCALL msg=audit(1279735720.83:120): arch=40000003 syscall=196 success=no exit=-13 a0=2ae6b6 a1=bfa92f0c a2=cabff4 a3=2ae6b6 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
______________________________________
Summary:
SELinux is preventing net (samba_net_t) "read" to ./filesystems (proc_t).
Detailed Description:
SELinux denied access requested by net. It is not expected that this access is required by net and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./filesystems, restorecon -v './filesystems'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context root:system_r:samba_net_t:SystemLow-SystemHigh
Target Context system_u:object_r:proc_t
Target Objects ./filesystems [ file ]
Source net
Source Path /usr/bin/net
Port <Unknown>
Host <my-hostname>
Source RPM Packages samba3-client-3.5.4-43.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name <my-hostname>
Platform Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686
Alert Count 12
First Seen Wed 21 Jul 2010 05:56:30 PM GMT
Last Seen Wed 21 Jul 2010 06:08:39 PM GMT
Local ID 1f71cc35-0ccc-4104-8c99-5158849a8cb1
Line Numbers
Raw Audit Messages
host=<my-hostname> type=AVC msg=audit(1279735719.957:114): avc: denied { read } for pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
host=<my-hostname> type=SYSCALL msg=audit(1279735719.957:114): arch=40000003 syscall=5 success=no exit=-13 a0=ab1390 a1=8000 a2=0 a3=8000 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
_____________________________________
Hi Alisha,
Your CentOS 5.2 SELinux policy is selinux-policy-2.4.6-137.el5, while the CentOS 5.5
policy version is selinux-policy-devel-2.4.6-279.el5.
There have obviously been a lot of changes made. You're using SerNet's latest
Samba 3.5 build rather than CentOS' official 3.0.33. The SerNet package was probably
built to CentOS 5.4 or 5.5 specification, so you could be running into issues from the
older policy version. You may be able to track down more details on the precise SELinux
changes in the CentOS or RedHat release notes.
Could you set up a test CentOS 5.5 server and try it on that?
Moray.
"To err is human. To purr, feline"
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
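An added example, not from the thread or from any tool it names: a small Python script that parses the two AVC records quoted above into the TE allow rules and the minimal .te module that the setroubleshoot text's "generate a local policy module" step refers to, so the denials can be read in policy terms before deciding between relabeling and a local module. The module name local_samba_net is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample: the two AVC records quoted in the thread above, one per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(1279735720.83:120): avc: denied { getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3 ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir
type=AVC msg=audit(1279735719.957:114): avc: denied { read } for pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)'
                    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Type field of a context (user:role:type[:level]); TE rules ignore the MLS level."""
    return context.split(":")[2]

def parse_avc(line):
    """Extract the fields of one AVC denial that a TE allow rule needs, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": set(m.group("perms").split()), "tclass": m.group("tclass"),
            "stype": selinux_type(m.group("scontext")), "ttype": selinux_type(m.group("tcontext"))}

def aggregate(audit_text):
    """Union the denied permissions per (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return grouped

def render_rule(key, perms):
    s, t, c = key
    p = " ".join(sorted(perms))
    return f"allow {s} {t}:{c} {p if len(perms) == 1 else '{ ' + p + ' }'};"

def module_te(name, audit_text):
    """Minimal .te source for the denials: a require block plus the allow rules."""
    grouped = aggregate(audit_text)
    types = {s for s, _, _ in grouped} | {t for _, t, _ in grouped}
    cls_perms = defaultdict(set)  # the require block lists each class with the perms used
    for (_, _, c), perms in grouped.items():
        cls_perms[c] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(cls_perms.items())]
    out += ["}", ""] + [render_rule(k, p) for k, p in sorted(grouped.items())]
    return "\n".join(out) + "\n"
```

The .te text has the same shape audit2allow -M produces and is compiled with checkmodule -M -m and semodule_package before semodule -i. The winbind_tmp_t rule should not be loaded as-is: the home_tmp_bad_labels alert above attributes that denial to a mislabeled /tmp/.winbindd, which restorecon addresses.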