SELinux, Samba, & Winbind

Kloc, Alisha Alisha.Kloc at boeing.com
Fri Jul 23 20:39:26 UTC 2010


Hi,

Unfortunately, the method of disabling the domain transition doesn't work. As I mentioned earlier, we already tried enabling those booleans, and although the smb/nmbd booleans seem to have no effect one way or the other (we continue to get the same block messages), disabling SELinux for the winbind boolean actually ends up making SELinux block the winbindd pipe, which is worse. We don't know why it does that, either.

As for the second option, what exactly does that do? My understanding of SELinux is rudimentary at best, but it looks like that command tells SELinux to allow Samba and Winbind to do anything with no interference. Is that correct?

Thanks,
-Alisha




-----Original Message-----
From: pinto.elia at gmail.com [mailto:pinto.elia at gmail.com] On Behalf Of yersinia
Sent: Friday, July 23, 2010 8:39 AM
To: Kloc, Alisha
Cc: selinux at lists.fedoraproject.org
Subject: Re: SELinux, Samba, & Winbind

On Fri, Jul 23, 2010 at 5:14 PM, Kloc, Alisha <Alisha.Kloc at boeing.com> wrote:
> Hi,
>
> Due to change management, for the moment at least we're stuck with RHEL 5.2. However, I get the exact same errors when using the version of Samba (3.0.28) included with RHEL 5.2, so I doubt it's a version incompatibility.
>
> It seems as if SELinux has got the idea that Samba-related anything is illegal and should be blocked, but there's no way to tell it otherwise, since the Boolean switches, restorecon, and relabeling don't work.
>
> How can I fix SELinux so it stops blocking all Samba-related files, daemons, and pipes?

2 possibilities in RHEL 5 (I exclude the global setenforce 0 or disabling SELinux):

1 - disable the samba domain transition
setsebool -P smbd_disable_trans on
setsebool -P winbind_disable_trans on
setsebool -P nmbd_disable_trans on

This is the preferred option, besides the possibility of some labelling and denial problems if some other confined domain needs to talk with Samba (for example squid).

2 - label the init scripts in /etc/init.d/ so that init transitions them into the unconfined_t domain

chcon -t unconfined_exec_t /etc/init.d/winbind
chcon -t unconfined_exec_t /etc/init.d/smb

Use semanage fcontext if you want it to survive an autorelabel.

Option 2 does not survive an rpm update.

hth

>
> Regarding looking over the release notes, I haven't been able to find any SELinux release notes, new policy releases/updates, or really anything centralized regarding SELinux. The NSA page is no longer being updated, and it links to a Fedora Core web page which has some information, but no downloadable updates or policies that I can find. The Fedora Core page links to dozens of other apparently unofficial, or at least non-SELinux-branded, sites, which offer lots of secondary tools for SELinux but no actual policies or updates. Red Hat's support website has a single SELinux howto document written for RHEL4, and no policies or updates, and I haven't been able to find anyplace else that offers new/updated SELinux policies for download (except the occasional unofficial link on mailing list archives or Bugzilla, neither of which sources is approved by change management).
>
> Does an official SELinux updates/policy page exist at all? If so, where can I find it?
>
> Thanks!
> -Alisha
>
>
>
>
> -----Original Message-----
> From: selinux-bounces at lists.fedoraproject.org [mailto:selinux-bounces at lists.fedoraproject.org] On Behalf Of Moray Henderson
> Sent: Thursday, July 22, 2010 1:40 AM
> To: Kloc, Alisha; selinux at lists.fedoraproject.org
> Subject: RE: SELinux, Samba, & Winbind
>
> Kloc, Alisha wrote:
>>I am trying to set up basic Samba/Winbind on a RHEL5.2 server. But 
>>every time I try to do anything - join a domain, run a test join, 
>>change configuration settings, basically anything that calls any 
>>object related to Samba or Winbind - SELinux blocks it.
>>
>>Disabling protection for the winbind daemon in the boolean settings 
>>changes SELinux to blocking /var/run/winbindd/pipe instead. I've run 
>>restorecon where possible, and done a full relabel of the whole 
>>system, multiple times. Nothing changes. I haven't moved any system 
>>files and I'm following the official Samba setup documentation.
>>
>>I'm utterly at a loss. Something must be broken because I can't 
>>imagine a default SELinux policy that blocks all Samba/Winbind 
>>activity would have made it past RHEL5's quality control. But I can't figure out what it is.
>>
>>Please help!
>>
>>Thanks in advance,
>>-Alisha
>>
>>_____________________________________
>>
>>[root at myhost ~]# net ads testjoin
>>[2010/07/21 18:28:39.357159,  0]
>>libads/kerberos.c:915(create_local_private_krb5_conf_for_domain)
>>  create_local_private_krb5_conf_for_domain: failed to create directory /var/lib/samba/smb_krb5. Error was Permission denied
>>[2010/07/21 18:28:39.359054,  0]
>>libads/kerberos.c:915(create_local_private_krb5_conf_for_domain)
>>  create_local_private_krb5_conf_for_domain: failed to create directory /var/lib/samba/smb_krb5. Error was Permission denied
>>Join is OK
>>_____________________________________
>>
>>Summary:
>>SELinux is preventing the net from using potentially mislabeled files 
>>(/tmp/.winbindd).
>>
>>Detailed Description
>>SELinux has denied net access to potentially mislabeled file(s)
>>(/tmp/.winbindd). This means that SELinux will not allow net to use these
>>files. It is common for users to edit files in their home directory or tmp
>>directories and then move (mv) them to system directories. The problem is
>>that the files end up with the wrong file context which confined
>>applications are not allowed to access.
>>
>>Allowing Access
>>If you want net to access this files, you need to relabel them using 
>>restorecon -v '/tmp/.winbindd'. You might want to relabel the entire 
>>directory using restorecon -R -v '/tmp/.winbindd'.
>>
>>Additional Information
>>
>>Source Context:  root:system_r:samba_net_t:SystemLow-SystemHigh
>>Target Context:  system_u:object_r:winbind_tmp_t
>>Target Objects:  /tmp/.winbindd [ dir ]
>>Source:  net
>>Source Path:  /usr/bin/net
>>Port:  <Unknown>
>>Host:  <my-hostname>
>>Source RPM Packages:  samba3-client-3.5.4-43.el5
>>Target RPM Packages:
>>Policy RPM:  selinux-policy-2.4.6-137.el5
>>Selinux Enabled:  True
>>Policy Type:  targeted
>>MLS Enabled:  True
>>Enforcing Mode:  Enforcing
>>Plugin Name:  home_tmp_bad_labels
>>Host Name:  <my-hostname>
>>Platform:  Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686
>>Alert Count:  24
>>First Seen:  Wed 21 Jul 2010 05:56:30 PM GMT
>>Last Seen:  Wed 21 Jul 2010 06:08:40 PM GMT
>>Local ID:  0c95a6b7-9a92-4950-bb1d-9b74686685ea
>>Line Numbers:
>>Raw Audit Messages :
>>host=<my-hostname> type=AVC msg=audit(1279735720.83:120): avc: denied { getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3 ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir
>>host=<my-hostname> type=SYSCALL msg=audit(1279735720.83:120): arch=40000003 syscall=196 success=no exit=-13 a0=2ae6b6 a1=bfa92f0c a2=cabff4 a3=2ae6b6 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
>>______________________________________
>>
>>Summary:
>>
>>SELinux is preventing net (samba_net_t) "read" to ./filesystems (proc_t).
>>
>>Detailed Description:
>>SELinux denied access requested by net. It is not expected that this
>>access is required by net and this access may signal an intrusion attempt.
>>It is also possible that the specific version or configuration of the
>>application is causing it to require additional access.
>>
>>Allowing Access:
>>Sometimes labeling problems can cause SELinux denials. You could try 
>>to restore the default system file context for ./filesystems, 
>>restorecon -v './filesystems'
>>
>>If this does not work, there is currently no automatic way to allow this
>>access. Instead, you can generate a local policy module to allow this
>>access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
>>Or you can disable SELinux protection altogether.
>>Disabling SELinux protection is not recommended. Please file a bug report
>>(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>against this package.
>>
>>Additional Information:
>>Source Context                root:system_r:samba_net_t:SystemLow-SystemHigh
>>Target Context                system_u:object_r:proc_t
>>Target Objects                ./filesystems [ file ]
>>Source                        net
>>Source Path                   /usr/bin/net
>>Port                          <Unknown>
>>Host                          <my-hostname>
>>Source RPM Packages           samba3-client-3.5.4-43.el5
>>Target RPM Packages
>>Policy RPM                    selinux-policy-2.4.6-137.el5
>>Selinux Enabled               True
>>Policy Type                   targeted
>>MLS Enabled                   True
>>Enforcing Mode                Enforcing
>>Plugin Name                   catchall_file
>>Host Name                     <my-hostname>
>>Platform                      Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686
>>Alert Count                   12
>>First Seen                    Wed 21 Jul 2010 05:56:30 PM GMT
>>Last Seen                     Wed 21 Jul 2010 06:08:39 PM GMT
>>Local ID                      1f71cc35-0ccc-4104-8c99-5158849a8cb1
>>Line Numbers
>>
>>Raw Audit Messages
>>host=<my-hostname> type=AVC msg=audit(1279735719.957:114): avc:  denied { read } for  pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
>>host=<my-hostname> type=SYSCALL msg=audit(1279735719.957:114): arch=40000003 syscall=5 success=no exit=-13 a0=ab1390 a1=8000 a2=0 a3=8000 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
>>_____________________________________
>
>
> Hi Alisha,
>
> Your CentOS 5.2 SELinux policy is selinux-policy-2.4.6-137.el5, while the CentOS 5.5 policy version is selinux-policy-devel-2.4.6-279.el5.
> There have obviously been a lot of changes made.  You're using SerNet's latest Samba 3.5 build rather than CentOS' official 3.0.33.  The SerNet package was probably built to CentOS 5.4 or 5.5 specification, so you could be running into issues from the older policy version.  You may be able to track down more details on the precise SELinux changes in the CentOS or RedHat release notes.
>
> Could you set up a test CentOS 5.5 server and try it on that?
>
>
> Moray.
> "To err is human.  To purr, feline"
>
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
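The two sealert reports quoted in this thread end with the standard advice: relabel with restorecon where the file context is wrong, otherwise generate a local policy module from the raw audit messages. As an added example (not part of this thread, and not the code of sealert or audit2allow), the Python below parses those raw AVC records, separates the denial that sealert's home_tmp_bad_labels plugin attributed to a mislabeled object under /tmp from the one it could only catch with catchall_file, and merges the remainder into the type-enforcement rules audit2allow would print for review. The fourth audit record (an `open` denial on the same proc_t file) is constructed to show how permissions merge into one rule; the /tmp and /home test in `looks_mislabeled` is an assumption modelled on the plugin's wording, not a reproduction of its logic.

```python
"""Triage SELinux AVC denials the way sealert/audit2allow do.
Added example for this thread; it is not code from the mail or the tools it names."""
import re
from collections import defaultdict

# First three records are copied from the sealert "Raw Audit Messages" quoted in
# the thread.  The last AVC record (open on /proc/filesystems) is CONSTRUCTED to
# show permission merging; it did not appear in the original reports.
SAMPLE_AUDIT = """\
host=<my-hostname> type=AVC msg=audit(1279735720.83:120): avc: denied { getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3 ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir
host=<my-hostname> type=SYSCALL msg=audit(1279735720.83:120): arch=40000003 syscall=196 success=no exit=-13 a0=2ae6b6 a1=bfa92f0c a2=cabff4 a3=2ae6b6 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
host=<my-hostname> type=AVC msg=audit(1279735719.957:114): avc:  denied { read } for  pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
host=<my-hostname> type=AVC msg=audit(1279735719.958:115): avc:  denied { open } for  pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

# An AVC record: "... avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """user:role:type[:range] -> type.  The MLS range (s0-s0:c0.c1023) contains
    colons itself, so index from the front instead of splitting on the last one."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None for other
    record types (SYSCALL lines carry no access decision)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_audit_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def looks_mislabeled(rec):
    """Heuristic (assumption) modelled on sealert's home_tmp_bad_labels wording:
    an object under /tmp or /home carrying a type that belongs to a different
    domain family than the source is usually a labeling problem, not a policy gap."""
    target = rec["target"] or ""
    return target.startswith(("/tmp/", "/home/")) and \
        rec["stype"].split("_")[0] != rec["ttype"].split("_")[0]


def te_rules(records):
    """Merge denials by (source type, target type, class) into allow rules, the
    grouping audit2allow performs.  Mislabeled targets are skipped: an allow rule
    against the wrong label would hide the real fault instead of fixing it."""
    merged = defaultdict(set)
    for r in records:
        if looks_mislabeled(r):
            continue
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {s} {t}:{c} {p};")
    return rules


def triage(text):
    """Split an audit extract into paths to relabel and candidate TE rules."""
    records = parse_audit_log(text)
    relabel = sorted({r["target"] for r in records if looks_mislabeled(r)})
    return {"relabel": relabel, "rules": te_rules(records)}


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT)
    for path in result["relabel"]:
        print(f"restorecon -Rv '{path}'   # label problem: fix before writing policy")
    for rule in result["rules"]:
        print(rule)   # review candidates for a local module, not rules to load blindly
```

Run stand-alone it prints one restorecon command for /tmp/.winbindd and a single merged rule for the proc_t read. The rule is a review candidate only: Moray's point earlier in the thread about the policy version gap between 2.4.6-137 and 2.4.6-279 means the first check is whether a newer selinux-policy already grants the access, before a local module duplicates it.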

