hi everyone
I'm seeing there are some issues when one wants ctdb to control Samba. Do we have booleans, or maybe somebody has a complete set of rules?
I see (at least):
#============= ctdbd_t ==============
allow ctdbd_t cupsd_etc_t:dir getattr;

#!!!! This avc is allowed in the current policy
allow ctdbd_t kernel_t:system module_request;
allow ctdbd_t kmsg_device_t:chr_file { write open };
allow ctdbd_t samba_etc_t:lnk_file read;
allow ctdbd_t samba_spool_t:dir { getattr search };

#============= samba_net_t ==============
allow samba_net_t fusefs_t:file { read getattr open };
allow samba_net_t samba_etc_t:lnk_file read;

#============= smbd_t ==============

#!!!! This avc is allowed in the current policy
allow smbd_t cupsd_etc_t:dir { write create add_name };

#!!!! This avc is allowed in the current policy
allow smbd_t samba_etc_t:lnk_file read;
and I worry that I am missing some boolean. thx. L.
On 11/09/2016 07:27 PM, lejeczek wrote:
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Hi,
Could you describe what you are doing when you catch these AVCs? Could you also attach the raw AVC messages (/var/log/audit/audit.log)? What distro and version are you using?
Thanks, Lukas.
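As an added illustration (not code from the thread) of what Lukas is asking for: each raw AVC record in /var/log/audit/audit.log carries the source type, target type, object class and denied permissions that audit2allow folds into the rules lejeczek pasted. The script below, assuming a small constructed sample of such records modelled on the ctdbd_t denials above, does that aggregation and prints rules in the same format.

```python
# Added example: a minimal audit2allow-style aggregator over raw AVC lines.
# Field names (scontext, tcontext, tclass) are the real audit.log ones;
# the sample records are constructed, not captured from a real host.
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines (not real logs).
SAMPLE_AVCS = """\
type=AVC msg=audit(1478716000.101:201): avc:  denied  { read } for  pid=1234 comm="ctdbd" name="smb.conf" dev="dm-0" ino=4321 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1478716000.102:202): avc:  denied  { getattr } for  pid=1234 comm="ctdbd" name="cups" dev="dm-0" ino=555 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1478716000.103:203): avc:  denied  { write } for  pid=1234 comm="ctdbd" path="/dev/kmsg" dev="devtmpfs" ino=12 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1478716000.104:204): avc:  denied  { open } for  pid=1234 comm="ctdbd" path="/dev/kmsg" dev="devtmpfs" ino=12 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1478716000.104:204): arch=c000003e syscall=2 success=no exit=-13 comm="ctdbd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("sctx").split(":")[2]  # user:role:type[:range] -> type
    ttype = m.group("tctx").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def aggregate(lines):
    """Merge denials by (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render(rules):
    """Emit allow rules grouped under audit2allow-style source-type headers."""
    out, current = [], None
    for (s, t, c), perms in sorted(rules.items()):
        if s != current:
            out.append(f"#============= {s} ==============")
            current = s
        p = " ".join(sorted(perms))
        rendered = p if len(perms) == 1 else "{ " + p + " }"
        out.append(f"allow {s} {t}:{c} {rendered};")
    return "\n".join(out)
```

Running `print(render(aggregate(SAMPLE_AVCS.splitlines())))` gives one ctdbd_t block with the three merged rules; on a real host the same records come from `ausearch -m avc`.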
On 10/11/16 10:07, Lukas Vrabec wrote:
hi Lukas,
maybe I'll describe a set of circumstances/settings (or maybe just one setting) that should help you reproduce this selinux problem? I'll start with:
- Centos 7.2 + selinux-policy-targeted-3.13.1-60.el7_2.9.noarch
and then you want in your /etc/sysconfig/ctdb:
CTDB_MANAGES_SAMBA=yes
which means that ctdb would be managing the smb daemons.
- you should see ctdb being unable to copy smb.conf (during startup) and then unable to access cups, and maybe some more.
regards L.
On 11/10/2016 11:18 AM, lejeczek wrote:
Ok it makes sense to have these rules in the distribution policy. Could you open a new Fedora bug for these AVCs?
Thank you.
On 10/11/16 12:47, Miroslav Grepl wrote:
I did it here: https://bugzilla.redhat.com/show_bug.cgi?id=1393859