[Samba] Public shares in FC4 (update)
Don Meyer
dlmeyer at uiuc.edu
Sat Feb 25 06:35:28 GMT 2006
Looks like you have multiple SELinux issues to track down and
resolve. Hard telling whether they all trace back to a single cause though...
To have a better idea of how the errors trace to operations, open two
shells on a console. In one, "tail -f /var/log/audit/audit.log" --
this will give you a live display of the logged warnings &
errors. In the other, try some operations -- restart your smb
service, and try the operations that are giving you problems. Watch
the other console to see the AVC errors as they happen.
You can use "tail -f ..." and pipe the output to a /tmp file to
capture snippets relevant to specific actions/operations. These can
then be processed through "audit2allow" to find the specific
modifications that you'll need to add to your local.te file and then
reload your SELinux policy.
-D
At 08:32 PM 2/24/2006, Louis E Garcia II wrote:
>On FC4 it's under /var/log/audit/audit.log. This is the only place I
>found AVC errors.
>
># audit2allow -i /var/log/audit/audit.log
>allow auditd_t self:fifo_file write;
>allow cupsd_config_t proc_net_t:dir search;
>allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl write };
>allow hald_t unconfined_t:fifo_file read;
>allow httpd_t crond_t:fifo_file read;
>allow nmbd_t unconfined_t:fifo_file write;
>allow rpcd_t unconfined_t:fifo_file read;
>allow smbd_t default_t:dir search;
>allow smbd_t file_t:dir { getattr search };
>allow smbd_t mnt_t:lnk_file read;
>allow smbd_t root_t:dir write;
>allow smbd_t unconfined_t:fifo_file write;
>allow system_dbusd_t unconfined_t:fifo_file read;
>
>I think I'm only worried about smb_t? There are 5 lines there, do I put
>them all in /etc/selinux/targeted/src/policy/domains/misc/local.te?
>
>or I only need some? I see nothing about /data/public access.
>
>-Louis
>
>On Fri, 2006-02-24 at 16:54 -0600, Don Meyer wrote:
> > [Caveat: My systems are mostly RHEL4 based, I don't have a FC4
> > system handy to verify paths & package names. But they should be
> > somewhat close...]
> >
> > First, you need to identify what the problem is: If you cannot find
> > the AVC errors reported in your syslog, and decipher them to know how
> > to fix them manually, the easiest method is to run the following
> > utility command:
> >
> > audit2allow -i /var/log/messages
> >
Don Meyer <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services
"They that can give up essential liberty to obtain a little
temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759
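An added example, not part of the original message: one way to narrow a captured snippet of audit.log to the Samba domains before reviewing it or passing it to audit2allow. The function name `samba_avc_summary` and the sample log lines are constructed for illustration; the sample assumes the FC4-era AVC record layout.

```shell
#!/bin/sh
# Added example (not from the thread): reduce captured AVC denials to the
# Samba domains and print them in allow-rule form for review.

# Constructed sample input in the FC4-era audit.log AVC layout.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1140830001.101:11): avc:  denied  { search } for  pid=2301 comm="smbd" name="data" dev=sda1 ino=12 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
type=SYSCALL msg=audit(1140830001.101:11): arch=40000003 syscall=5 success=no exit=-13 comm="smbd"
type=AVC msg=audit(1140830002.202:12): avc:  denied  { getattr } for  pid=2301 comm="smbd" name="public" dev=sda1 ino=34 scontext=root:system_r:smbd_t tcontext=system_u:object_r:file_t tclass=dir
type=AVC msg=audit(1140830003.303:13): avc:  denied  { search } for  pid=2301 comm="smbd" name="public" dev=sda1 ino=34 scontext=root:system_r:smbd_t tcontext=system_u:object_r:file_t tclass=dir
type=AVC msg=audit(1140830004.404:14): avc:  denied  { search } for  pid=1999 comm="cupsd" name="net" dev=proc ino=56 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:proc_net_t tclass=dir
type=AVC msg=audit(1140830005.505:15): avc:  denied  { write } for  pid=2310 comm="nmbd" name="[7890]" dev=pipefs ino=7890 scontext=root:system_r:nmbd_t tcontext=root:system_r:unconfined_t tclass=fifo_file
type=AVC msg=audit(1140830006.606:16): avc:  denied  { search } for  pid=2301 comm="smbd" name="data" dev=sda1 ino=12 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
EOF
}

# Read audit log text on stdin. Keep only denials whose source type is
# smbd_t or nmbd_t, de-duplicate, and merge permissions per target/class.
samba_avc_summary() {
    awk '
    /avc:[ ]+denied/ && match($0, /[{][^}]*[}]/) {
        # Permissions are the words between the braces.
        np = split(substr($0, RSTART + 1, RLENGTH - 2), perm, " ")
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            # The SELinux type is the third colon-separated context field.
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "smbd_t" && src != "nmbd_t") next
        for (j = 1; j <= np; j++) print src, tgt ":" cls, perm[j]
    }' | LC_ALL=C sort -u | awk '
    function emit() { printf "allow %s %s;\n", prev, (n > 1 ? "{ " set " }" : set) }
    { key = $1 " " $2 }
    key != prev { if (NR > 1) emit(); prev = key; n = 0; set = "" }
    { set = (n++ ? set " " $3 : $3) }
    END { if (NR > 0) emit() }'
}

sample_log | samba_avc_summary
```

Against a real capture, feed the saved snippet on stdin instead of `sample_log`; the output is a reading aid for deciding which denials belong to Samba, not a replacement for audit2allow.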