I've written up my workaround for getting mock to work under SELinux at: http://fedoraproject.org/wiki/Extras/MockTricks (the bottom half of the page). It'd be nice if some people more knowledgeable than myself would give it a once-over to make sure I'm not talking complete nonsense... :-)
Cheers, Paul.
I've migrated our samba server to FC5 and have selinux enforcing. I have the smbd_disable_trans boolean on. I just went to add a new PC to our domain and was not able to until I changed selinux to permissive. Below are the log messages.
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.084:160): avc: denied { append } for pid=24952 comm="useradd" name="log.mslib2k10w" dev=dm-0 ino=8674237 scontext=root:system_r:useradd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.088:161): avc: denied { read } for pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.088:162): avc: denied { read write } for pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 smbd[24950]: [2006/04/25 12:53:25.092274, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2404)
Apr 25 12:53:25 hssrv01 smbd[24950]: _samr_create_user: Running the command `/usr/sbin/useradd -d /dev/null -g mac6068346148hines -c 'Machine Account' -s /bin/false -M mslib2k10w$' gave 1
Note that smbd invokes the useradd command.
How can I always leave enforcing on? Earlier, I sent an email indicating that the samba "net groupmap" command also is a problem with enforcing on.
Mark Orenstein East Granby, CT School System
On Wed, 26 Apr 2006 13:34:01 -0400, mroselinux wrote:
How can I always leave enforcing on?
You could create a local policy module to grant useradd the additional permissions.
1. Create a file t.log with the relevant avc messages.
cat <<-EOF > t.log
audit(1145984005.084:160): avc: denied { append } for pid=24952 comm="useradd" name="log.mslib2k10w" dev=dm-0 ino=8674237 scontext=root:system_r:useradd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
audit(1145984005.088:162): avc: denied { read write } for pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
EOF
2. Build a selinux policy module with audit2allow
audit2allow -M local_samba_useradd -i t.log
3. Load the policy module into the kernel
semodule -i local_samba_useradd.pp
4. If you want to keep this setting across reboot, I guess you'll have to put the "semodule -i" line into /etc/rc.d/rc.local ?
I'm a bit suspicious about why the "passwd" file was labeled "etc_runtime_t" in the first place.
See Also: http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow
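To show what step 2 actually produces from the two AVC lines above, here is an added Python example (my own code, not audit2allow itself and not from the thread) that parses the denials and merges them into the allow rules and .te module source that audit2allow -M would emit; the module name and the 1.0 version are assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted in the thread (syslog prefix trimmed).
SAMPLE_AVC = """\
audit(1145984005.084:160): avc: denied { append } for pid=24952 comm="useradd" name="log.mslib2k10w" dev=dm-0 ino=8674237 scontext=root:system_r:useradd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
audit(1145984005.088:162): avc: denied { read write } for pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
"""

# Pull the denied permissions, source/target contexts and object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, {perms}) for every AVC denial in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield type_of(m["scon"]), type_of(m["tcon"]), m["tclass"], set(m["perms"].split())

def allow_rules(text):
    """Merge denials into one allow rule per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for s, t, c, perms in parse_denials(text):
        merged[(s, t, c)] |= perms
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{c} {{ {p} }};" if len(perms) > 1 else f"allow {s} {t}:{c} {p};")
    return rules

def te_module(name, text):
    """Render .te source for a loadable module: header, require block, then the allow rules."""
    types, classes = set(), defaultdict(set)
    for s, t, c, perms in parse_denials(text):
        types.update((s, t))
        classes[c] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in sorted(types)]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(text)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(te_module("local_samba_useradd", SAMPLE_AVC))
```

Read the generated rules before running semodule -i: an allow on etc_runtime_t for useradd_t would silence the denial, but it papers over the real question of why the passwd file carries that label instead of fixing it.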
Scott Tsai wrote:
On Wed, 26 Apr 2006 13:34:01 -0400, mroselinux wrote:
How can I always leave enforcing on?
You could create a local policy module to grant useradd the additional permissions.
- Create a file t.log with the relevant avc messages.
cat <<-EOF > t.log
audit(1145984005.084:160): avc: denied { append } for pid=24952 comm="useradd" name="log.mslib2k10w" dev=dm-0 ino=8674237 scontext=root:system_r:useradd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
audit(1145984005.088:162): avc: denied { read write } for pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
EOF
Why is useradd appending to samba_log? This might be a bug in samba is leaking
- Build a selinux policy module with audit2allow
audit2allow -M local_samba_useradd -i t.log
- Load the policy module into the kernel
semodule -i local_samba_useradd.pp
- If you want to keep this setting across reboot,
I guess you'll have to put the "semodule -i" line into /etc/rc.d/rc.local ?
semodule changes are permanent. No need to semodule -i in /etc/rc.d/rc.local.
I'm a bit suspicious about why the "passwd" file was labeled "etc_runtime_t" in the first place.
See Also: http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list