selinux(a)lucullo.it wrote:
thank you.. i will try right now...
...but i have a question about the ls -Z command:
can i change the security context of these files
/usr/bin/smb*
Yes but that will not necessarily fix your problem. If you chcon -t
bin_t, they will no longer transition and SELinux will not affect them.
But this could cause other applications that use winbind or samba some
problems.
that changing the policy rules instead?
thank you again
----- Original Message -----
From: Daniel J Walsh <dwalsh(a)redhat.com>
To: "selinux(a)lucullo.it" <selinux(a)lucullo.it>
Cc: fedora-selinux-list(a)redhat.com
Subject: Re: fc6 and samba
Date: Tue, 27 Mar 2007 11:22:54 -0400
> selinux(a)lucullo.it wrote:
>
>> hi,
>>
>> my samba installation on fc6 has some problems due to
>> selinux.
>>
>> this is the issue:
>>
>>
>>
>> --------------------------------------------------------
>>
>> Mar 27 16:14:11 francesca kernel: audit(1175004851.436:88): avc: denied { unlink } for pid=3414 comm="winbindd" name="pipe" dev=hda3 ino=9886377 scontext=root:system_r:winbind_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file
>> Mar 27 16:14:11 francesca winbindd[3414]: [2007/03/27 16:14:11, 0] lib/util_sock.c:create_pipe_sock(1308)
>> Mar 27 16:14:11 francesca winbindd[3414]: bind failed on pipe socket /var/cache/samba/winbindd_privileged/pipe: Address already in use
>> Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
>> Mar 27 16:14:24 francesca smbd[3420]: get_md4pw: Workstation FRANCESCA$: no account in domain
>> Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
>> Mar 27 16:14:24 francesca smbd[3420]: _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED
>> Mar 27 16:14:29 francesca smbd[3421]: [2007/03/27 16:14:29, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
>> Mar 27 16:14:29 francesca kernel: audit(1175004869.820:89): avc: denied { search } for pid=3422 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
>> Mar 27 16:14:29 francesca smbd[3421]: _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82
>> Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
>> Mar 27 16:14:34 francesca smbd[3424]: get_md4pw: Workstation FRANCESCA$: no account in domain
>> Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
>> Mar 27 16:14:34 francesca smbd[3424]: _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED
>> Mar 27 16:14:38 francesca kernel: audit(1175004878.895:90): avc: denied { search } for pid=3426 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
>> Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27 16:14:38, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
>> Mar 27 16:14:38 francesca smbd[3425]: _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82
>>
>> --------------------------------
>>
>>
>> and this is the samba commands:
>>
>> [root@francesca ~]# ls -Zla /usr/bin/smb*
>> -rwxr-xr-x 1 system_u:object_r:bin_t root root 2112904 Feb 7 23:54 /usr/bin/smbcacls
>> -rwxr-xr-x 1 system_u:object_r:bin_t root root 1184704 Feb 7 23:54 /usr/bin/smbclient
>> -rwxr-xr-x 1 system_u:object_r:bin_t root root 748868 Feb 7 23:54 /usr/bin/smbcontrol
>> -rwxr-xr-x 1 system_u:object_r:bin_t root root 2002924 Feb 7 23:54 /usr/bin/smbcquotas
>> -rwxr-xr-x 1 system_u:object_r:bin_t root root 10240 Nov 21 17:21 /usr/bin/smbencrypt
>> -rwxr-xr-x 1 system_u:object_r:bin_t root root 2080808 Feb 7 23:54 /usr/bin/smbget
>> -rwxr-xr-x 1 system_u:object_r:bin_t root root 2006952 Feb 7 23:54 /usr/bin/smbpasswd
>> -rwxr-xr-x 1 system_u:object_r:bin_t root root 2295 Feb 7 23:53 /usr/bin/smbprint
>> -rwxr-xr-x 1 system_u:object_r:bin_t root root 913140 Feb 7 23:54 /usr/bin/smbspool
>> -rwxr-xr-x 1 system_u:object_r:bin_t root root 728000 Feb 7 23:54 /usr/bin/smbstatus
>> -rwxr-xr-x 1 system_u:object_r:bin_t root root 4896 Feb 7 23:53 /usr/bin/smbtar
>> -rwxr-xr-x 1 system_u:object_r:bin_t root root 1093408 Feb 7 23:54 /usr/bin/smbtree
>>
>> how can i fix this problem?
>>
>> thank you in advance.
>>
>> vittorio
>>
> Easiest thing to do is to create a loadable policy module
> and install it. You can do this with the following
> commands.
>
> audit2allow -i /var/log/audit/audit.log -M mysamba
> semodule -i mysamba.pp
>
> This will add the following two rules to policy
>
> allow smbd_t bin_t:dir search; # WHICH I HAVE ALREADY ADDED TO THE NEXT FC6 UPDATE.
>
> #============= winbind_t ==============
> allow winbind_t samba_var_t:sock_file unlink; # THIS IS CAUSED BY A LABELING PROBLEM, WHICH WILL ALSO BE FIXED IN THE NEXT UPDATE.
>
> selinux-policy-2.4.6-48
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list