[Samba] Public shares in FC4 (update)

Don Meyer dlmeyer at uiuc.edu
Sat Feb 25 06:35:28 GMT 2006


Looks like you have multiple SELinux issues to track down and 
resolve.  Hard telling whether they all trace back to a single cause though...

To have a better idea of how the errors trace to operations, open two 
shells on a console.   In one, "tail -f /var/log/audit/audit.log"  -- 
this will give you a live display of the logged warnings & 
errors.  In the other, try some operations -- restart your smb 
service, and try the operations that are giving you problems.  Watch 
the other console to see the AVC errors as they happen.

You can use "tail -f ..." and pipe the output to a /tmp file to 
capture snippets relevant to specific actions/operations.   These can 
then be processed through "audit2allow" to find the specific 
modifications that you'll need to add to your local.te file and then 
reload your SELinux policy.

-D

At 08:32 PM 2/24/2006, Louis E Garcia II wrote:
>On FC4 it's under /var/log/audit/audit.log. This is the only place I
>found AVC errors.
>
># audit2allow -i /var/log/audit/audit.log
>allow auditd_t self:fifo_file write;
>allow cupsd_config_t proc_net_t:dir search;
>allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl write };
>allow hald_t unconfined_t:fifo_file read;
>allow httpd_t crond_t:fifo_file read;
>allow nmbd_t unconfined_t:fifo_file write;
>allow rpcd_t unconfined_t:fifo_file read;
>allow smbd_t default_t:dir search;
>allow smbd_t file_t:dir { getattr search };
>allow smbd_t mnt_t:lnk_file read;
>allow smbd_t root_t:dir write;
>allow smbd_t unconfined_t:fifo_file write;
>allow system_dbusd_t unconfined_t:fifo_file read;
>
>I think I'm only worried about smb_t? There are 5 lines there, do I put
>them all in /etc/selinux/targeted/src/policy/domains/misc/local.te?
>
>or I only need some? I see nothing about /data/public access.
>
>-Louis
>
>On Fri, 2006-02-24 at 16:54 -0600, Don Meyer wrote:
> > [Caveat:  My systems are mostly RHEL4 based, I don't have a FC4
> > system handy to verify paths & package names.  But they should be
> > somewhat close...]
> >
> > First, you need to identify what the problem is:  If you cannot find
> > the AVC errors reported in your syslog, and decipher them to know how
> > to fix them manually, the easiest method is to run the following
> > utility command:
> >
> >          audit2allow -i /var/log/messages
> >

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759
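
Added example (not part of the original thread, and not audit2allow's own code): a small parser that keeps only the AVC denials raised by one source domain, such as smbd_t, from a captured audit.log snippet and groups them into allow rules for review before anything goes into local.te. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the audit.log AVC format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1140849328.101:41): avc:  denied  { search } for  pid=2345 comm="smbd" name="data" dev=dm-0 ino=12 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1140849328.105:42): avc:  denied  { getattr } for  pid=2345 comm="smbd" name="public" dev=dm-0 ino=13 scontext=root:system_r:smbd_t tcontext=system_u:object_r:file_t tclass=dir
type=AVC msg=audit(1140849329.220:43): avc:  denied  { search } for  pid=2345 comm="smbd" name="public" dev=dm-0 ino=13 scontext=root:system_r:smbd_t tcontext=system_u:object_r:file_t tclass=dir
type=AVC msg=audit(1140849330.010:44): avc:  denied  { read } for  pid=1999 comm="hald" name="[5120]" dev=pipefs ino=5120 scontext=system_u:system_r:hald_t tcontext=root:system_r:unconfined_t tclass=fifo_file
type=SYSCALL msg=audit(1140849330.010:44): arch=40000003 syscall=3 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_for(log_text, domain):
    """Group denied permissions by (target type, class) for one source domain."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        # Skip non-AVC records and denials raised by other domains.
        if not m or selinux_type(m.group("scon")) != domain:
            continue
        key = (selinux_type(m.group("tcon")), m.group("tclass"))
        grouped[key].update(m.group("perms").split())
    return grouped

def allow_rules(log_text, domain):
    """Render the grouped denials as allow rules for review."""
    rules = []
    for (ttype, tclass), perms in sorted(denials_for(log_text, domain).items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {domain} {ttype}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG, "smbd_t"):
        print(rule)
```

Each generated rule widens what the domain may do, so read the target type on every line: a denial against default_t or file_t usually points at an unlabeled directory rather than at a permission the daemon should be given.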


