thank you.. i will try right now...
...but i have a question about the ls -Z command:
can i change the security context of these files
/usr/bin/smb*
instead of changing the policy rules?
thank you again
----- Original Message -----
From: Daniel J Walsh dwalsh@redhat.com
To: "selinux@lucullo.it" selinux@lucullo.it
Cc: fedora-selinux-list@redhat.com
Subject: Re: fc6 and samba
Date: Tue, 27 Mar 2007 11:22:54 -0400
selinux@lucullo.it wrote:
hi,
my samba installation on fc6 has some problems due to selinux.
this is the issue:
Mar 27 16:14:11 francesca kernel: audit(1175004851.436:88): avc: denied { unlink } for pid=3414 comm="winbindd" name="pipe" dev=hda3 ino=9886377 scontext=root:system_r:winbind_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=sock_file
Mar 27 16:14:11 francesca winbindd[3414]: [2007/03/27 16:14:11, 0] lib/util_sock.c:create_pipe_sock(1308)
Mar 27 16:14:11 francesca winbindd[3414]: bind failed on pipe socket /var/cache/samba/winbindd_privileged/pipe: Address already in use
Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
Mar 27 16:14:24 francesca smbd[3420]: get_md4pw: Workstation FRANCESCA$: no account in domain
Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
Mar 27 16:14:24 francesca smbd[3420]: _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED
Mar 27 16:14:29 francesca smbd[3421]: [2007/03/27 16:14:29, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
Mar 27 16:14:29 francesca kernel: audit(1175004869.820:89): avc: denied { search } for pid=3422 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
Mar 27 16:14:29 francesca smbd[3421]: _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82
Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
Mar 27 16:14:34 francesca smbd[3424]: get_md4pw: Workstation FRANCESCA$: no account in domain
Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
Mar 27 16:14:34 francesca smbd[3424]: _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED
Mar 27 16:14:38 francesca kernel: audit(1175004878.895:90): avc: denied { search } for pid=3426 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27 16:14:38, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
Mar 27 16:14:38 francesca smbd[3425]: _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82
--------------------------------
and these are the samba commands:
[root@francesca ~]# ls -Zla /usr/bin/smb*
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2112904 Feb 7 23:54 /usr/bin/smbcacls
-rwxr-xr-x 1 system_u:object_r:bin_t root root 1184704 Feb 7 23:54 /usr/bin/smbclient
-rwxr-xr-x 1 system_u:object_r:bin_t root root 748868 Feb 7 23:54 /usr/bin/smbcontrol
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2002924 Feb 7 23:54 /usr/bin/smbcquotas
-rwxr-xr-x 1 system_u:object_r:bin_t root root 10240 Nov 21 17:21 /usr/bin/smbencrypt
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2080808 Feb 7 23:54 /usr/bin/smbget
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2006952 Feb 7 23:54 /usr/bin/smbpasswd
-rwxr-xr-x 1 system_u:object_r:bin_t root root 2295 Feb 7 23:53 /usr/bin/smbprint
-rwxr-xr-x 1 system_u:object_r:bin_t root root 913140 Feb 7 23:54 /usr/bin/smbspool
-rwxr-xr-x 1 system_u:object_r:bin_t root root 728000 Feb 7 23:54 /usr/bin/smbstatus
-rwxr-xr-x 1 system_u:object_r:bin_t root root 4896 Feb 7 23:53 /usr/bin/smbtar
-rwxr-xr-x 1 system_u:object_r:bin_t root root 1093408 Feb 7 23:54 /usr/bin/smbtree
how can i fix this problem?
thank you in advance.
vittorio
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Easiest thing to do is to create a loadable policy module and install it. You can do this with the following commands.
audit2allow -i /var/log/audit/audit.log -M mysamba
semodule -i mysamba.pp
This will add the following two rules to policy
allow smbd_t bin_t:dir search;
# WHICH I HAVE ALREADY ADDED TO THE NEXT FC6 UPDATE.

#============= winbind_t ==============
allow winbind_t samba_var_t:sock_file unlink;
# THIS IS CAUSED BY A LABELING PROBLEM, WHICH WILL ALSO BE FIXED IN THE NEXT UPDATE.
selinux-policy-2.4.6-48
selinux@lucullo.it wrote:
thank you.. i will try right now...
...but i have a question about the ls -Z command:
can i change the security context of these files
/usr/bin/smb*
Yes, but that will not necessarily fix your problem. If you chcon -t bin_t, they will no longer transition and SELinux will not affect them. But this could cause other applications that use winbind or samba some problems.
instead of changing the policy rules?
thank you again