[Samba] Public shares in FC4 (update)
Louis E Garcia II
louisg00 at bellsouth.net
Sat Feb 25 22:48:13 GMT 2006
I get this for the operation:
type=AVC msg=audit(1140906974.651:180): avc: denied { search } for
pid=10306 comm="smbd" name="/" dev=hda5 ino=2
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:default_t
tclass=dir
type=SYSCALL msg=audit(1140906974.651:180): arch=40000003 syscall=195
success=no exit=-13 a0=9ca6208 a1=bfb40c64 a2=343ff4 a3=bfb40c64 items=1
pid=10306 auid=4294967295 uid=502 gid=0 euid=502 suid=0 fsuid=502
egid=100 sgid=100 fsgid=100 comm="smbd" exe="/usr/sbin/smbd"
type=CWD msg=audit(1140906974.651:180): cwd="/"
type=PATH msg=audit(1140906974.651:180): item=0 name="/data/public"
flags=1 inode=2 dev=03:05 mode=040755 ouid=0 ogid=0 rdev=00:00
When I put this through audit2allow I get:
allow smb_t default_t:dir search;
I will put this in local.te and see what happens.
Some thoughts:
Should I replace dir with /data/public?
Do I have to do this every time the selinux-policy-targeted package is
updated?
-Thanks
On Sat, 2006-02-25 at 00:35 -0600, Don Meyer wrote:
> Looks like you have multiple SELinux issues to track down and
> resolve. Hard telling whether they all trace back to a single cause though...
>
> To have a better idea of how the errors trace to operations, open two
> shells on a console. In one, "tail -f /var/log/audit/audit.log" --
> this will give you a live display of the logged warnings &
> errors. In the other, try some operations -- restart your smb
> service, and try the operations that are giving your problems. Watch
> the other console to see the AVC errors as they happen.
>
> You can use "tail -f ..." and pipe the output to a /tmp file to
> capture snippets relevant to specific actions/operations. These can
> then be processed through "audit2allow" to find the specific
> modifications that you'll need to add to your local.te file and then
> reload your SELinux policy.
>
> -D
>
> At 08:32 PM 2/24/2006, Louis E Garcia II wrote:
> >On FC4 it's under /var/log/audit/audit.log. This is the only place I
> >found AVC errors.
> >
> ># audit2allow -i /var/log/audit/audit.log
> >allow auditd_t self:fifo_file write;
> >allow cupsd_config_t proc_net_t:dir search;
> >allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl write };
> >allow hald_t unconfined_t:fifo_file read;
> >allow httpd_t crond_t:fifo_file read;
> >allow nmbd_t unconfined_t:fifo_file write;
> >allow rpcd_t unconfined_t:fifo_file read;
> >allow smbd_t default_t:dir search;
> >allow smbd_t file_t:dir { getattr search };
> >allow smbd_t mnt_t:lnk_file read;
> >allow smbd_t root_t:dir write;
> >allow smbd_t unconfined_t:fifo_file write;
> >allow system_dbusd_t unconfined_t:fifo_file read;
> >
> >I think I'm only worried about smb_t? There are 5 lines there, do I put
> >them all in /etc/selinux/targeted/src/policy/domains/misc/local.te?
> >
> >or I only need some? I see nothing about /data/public access.
> >
> >-Louis
> >
> >On Fri, 2006-02-24 at 16:54 -0600, Don Meyer wrote:
> > > [Caveat: My systems are mostly RHEL4 based, I don't have a FC4
> > > system handy to verify paths & package names. But they should be
> > > somewhat close...]
> > >
> > > First, you need to identify what the problem is: If you cannot find
> > > the AVC errors reported in your syslog, and decipher them to know how
> > > to fix them manually, the easiest method is to run the following
> > > utility command:
> > >
> > > audit2allow -i /var/log/messages
> > >
>
> Don Meyer <dlmeyer at uiuc.edu>
> Network Manager, ACES Academic Computing Facility
> Technical System Manager, ACES TeleNet System
> UIUC College of ACES, Information Technology and Communication Services
>
> "They that can give up essential liberty to obtain a little
> temporary safety,
> deserve neither liberty or safety." -- Benjamin Franklin, 1759
>
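
An added example, not part of the original thread: Python that groups audit records by event id and joins each AVC denial with the PATH and SYSCALL records of the same event, which shows that the default_t search denial in the message above is the one for /data/public. The function names are this example's own, and the sample is the four records from the message, unwrapped to one record per line.

```python
import re
from collections import defaultdict

# The four records from the message above, unwrapped to one per line
# (audit.log writes each record on a single line; the mail client wrapped them).
SAMPLE = '''\
type=AVC msg=audit(1140906974.651:180): avc: denied { search } for pid=10306 comm="smbd" name="/" dev=hda5 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
type=SYSCALL msg=audit(1140906974.651:180): arch=40000003 syscall=195 success=no exit=-13 a0=9ca6208 a1=bfb40c64 a2=343ff4 a3=bfb40c64 items=1 pid=10306 auid=4294967295 uid=502 gid=0 euid=502 suid=0 fsuid=502 egid=100 sgid=100 fsgid=100 comm="smbd" exe="/usr/sbin/smbd"
type=CWD msg=audit(1140906974.651:180): cwd="/"
type=PATH msg=audit(1140906974.651:180): item=0 name="/data/public" flags=1 inode=2 dev=03:05 mode=040755 ouid=0 ogid=0 rdev=00:00
'''

HEAD = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event id (timestamp:serial); one event spans several records."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            pm = re.search(r'denied\s+\{([^}]*)\}', body)
            fields['perms'] = pm.group(1).split() if pm else []
        events[event_id].setdefault(rtype, []).append(fields)
    return events

def explain_denials(text):
    """Return one dict per AVC denial, with the path and executable from the same event."""
    out = []
    for event_id, recs in parse_events(text).items():
        paths = [p['name'] for p in recs.get('PATH', [])]
        exe = next((s.get('exe') for s in recs.get('SYSCALL', [])), None)
        for avc in recs.get('AVC', []):
            src = avc['scontext'].split(':')[2]   # user:role:type -> type
            tgt = avc['tcontext'].split(':')[2]
            perms = ' '.join(avc['perms'])
            if len(avc['perms']) > 1:             # several permissions are braced
                perms = '{ %s }' % perms
            out.append({'event': event_id, 'exe': exe, 'paths': paths,
                        'rule': 'allow %s %s:%s %s;' % (src, tgt, avc['tclass'], perms)})
    return out

if __name__ == '__main__':
    print(*explain_denials(SAMPLE), sep='\n')
```

The rule derived from the denial names a source type, a target type and an object class, not a path, so it covers every default_t directory rather than only /data/public.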