[Samba] Public shares in FC4 (update)

Louis E Garcia II louisg00 at bellsouth.net
Sun Feb 26 03:30:18 GMT 2006


I spoke too soon. I am able to get samba working with this but not sure
if it's correct.

allow smbd_t default_t:dir search;

Would it be better: allow smbd_t samba_share_t:dir search;

and relabel:
drwxrwsrwx  root     root     system_u:object_r:samba_share_t  public

This seems more secure to me but doesn't work. I still get:

type=AVC msg=audit(1140923608.645:86): avc:  denied  { search } for
pid=3338 comm="smbd" name="/" dev=hda5 ino=2
scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t
tclass=dir
type=SYSCALL msg=audit(1140923608.645:86): arch=40000003 syscall=195
success=no exit=-13 a0=88b85f8 a1=bff9aec4 a2=7fbff4 a3=bff9aec4 items=1
pid=3338 auid=500 uid=502 gid=0 euid=502 suid=0 fsuid=502 egid=100
sgid=100 fsgid=100 comm="smbd" exe="/usr/sbin/smbd"
type=CWD msg=audit(1140923608.645:86):  cwd="/"
type=PATH msg=audit(1140923608.645:86): item=0 name="/data/public"
flags=1  inode=2 dev=03:05 mode=040755 ouid=0 ogid=0 rdev=00:00

Why does smbd_t still see system_u:object_r:default_t?

-Louis

On Sat, 2006-02-25 at 18:20 -0500, Louis E Garcia II wrote:
> I changed smb_t to smbd_t and now it's working.
> 
> Thanks for your help. --Louis
> 
> On Sat, 2006-02-25 at 18:08 -0500, Louis E Garcia II wrote:
> > Ok, I did what you said but make load gave me errors:
> > 
> > Compiling policy ...
> > /usr/bin/checkpolicy  -o /etc/selinux/targeted/policy/policy.19
> > policy.conf
> > /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> > domains/misc/local.te:6:ERROR 'unknown type smb_t' at token ';' on line
> > 6340:
> > # and a file context (.fc) file in file_context/program.
> > allow smb_t default_t:dir search;
> > /usr/bin/checkpolicy:  error(s) encountered while parsing configuration
> > make: *** [/etc/selinux/targeted/policy/policy.19] Error 1
> > 
> > Guess smb_t doesn't exist. Maybe I should try samba_share_t like the
> > samba_selinux man page says?
> > 
> > -Louis
> > 
> > On Sat, 2006-02-25 at 17:48 -0500, Louis E Garcia II wrote:
> > > I get this for the operation:
> > > 
> > > type=AVC msg=audit(1140906974.651:180): avc:  denied  { search } for
> > > pid=10306 comm="smbd" name="/" dev=hda5 ino=2
> > > scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:default_t
> > > tclass=dir
> > > type=SYSCALL msg=audit(1140906974.651:180): arch=40000003 syscall=195
> > > success=no exit=-13 a0=9ca6208 a1=bfb40c64 a2=343ff4 a3=bfb40c64 items=1
> > > pid=10306 auid=4294967295 uid=502 gid=0 euid=502 suid=0 fsuid=502
> > > egid=100 sgid=100 fsgid=100 comm="smbd" exe="/usr/sbin/smbd"
> > > type=CWD msg=audit(1140906974.651:180):  cwd="/"
> > > type=PATH msg=audit(1140906974.651:180): item=0 name="/data/public"
> > > flags=1  inode=2 dev=03:05 mode=040755 ouid=0 ogid=0 rdev=00:00
> > > 
> > > when I put this through audit2allow I get:
> > > 
> > > allow smb_t default_t:dir search;
> > > 
> > > I will put this in local.te and see what happens.
> > > 
> > > Some thoughts:
> > > 
> > > Should I replace dir with /data/public?
> > > 
> > > Do I have to do this every time the selinux-policy-targeted package is
> > > updated?
> > > 
> > > -Thanks 
> > > 
> > > 
> > > On Sat, 2006-02-25 at 00:35 -0600, Don Meyer wrote:
> > > > Looks like you have multiple SELinux issues to track down and 
> > > > resolve.  Hard telling whether they all trace back to a single cause though...
> > > > 
> > > > To have a better idea of how the errors trace to operations, open two 
> > > > shells on a console.   In one, "tail -f /var/log/audit/audit.log"  -- 
> > > > this will give you a live display of the logged warnings & 
> > > > errors.  In the other, try some operations -- restart your smb 
> > > > service, and try the operations that are giving you problems.  Watch 
> > > > the other console to see the AVC errors as they happen.
> > > > 
> > > > You can use "tail -f ..." and pipe the output to a /tmp file to 
> > > > capture snippets relevant to specific actions/operations.   These can 
> > > > then be processed through "audit2allow" to find the specific 
> > > > modifications that you'll need to add to your local.te file and then 
> > > > reload your SELinux policy.
> > > > 
> > > > -D
> > > > 
> > > > At 08:32 PM 2/24/2006, Louis E Garcia II wrote:
> > > > >On FC4 it's under /var/log/audit/audit.log. This is the only place I
> > > > >found AVC errors.
> > > > >
> > > > ># audit2allow -i /var/log/audit/audit.log
> > > > >allow auditd_t self:fifo_file write;
> > > > >allow cupsd_config_t proc_net_t:dir search;
> > > > >allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl write };
> > > > >allow hald_t unconfined_t:fifo_file read;
> > > > >allow httpd_t crond_t:fifo_file read;
> > > > >allow nmbd_t unconfined_t:fifo_file write;
> > > > >allow rpcd_t unconfined_t:fifo_file read;
> > > > >allow smbd_t default_t:dir search;
> > > > >allow smbd_t file_t:dir { getattr search };
> > > > >allow smbd_t mnt_t:lnk_file read;
> > > > >allow smbd_t root_t:dir write;
> > > > >allow smbd_t unconfined_t:fifo_file write;
> > > > >allow system_dbusd_t unconfined_t:fifo_file read;
> > > > >
> > > > >I think I'm only worried about smb_t? There are 5 lines there, do I put
> > > > >them all in /etc/selinux/targeted/src/policy/domains/misc/local.te?
> > > > >
> > > > >or I only need some? I see nothing about /data/public access.
> > > > >
> > > > >-Louis
> > > > >
> > > > >On Fri, 2006-02-24 at 16:54 -0600, Don Meyer wrote:
> > > > > > [Caveat:  My systems are mostly RHEL4 based, I don't have a FC4
> > > > > > system handy to verify paths & package names.  But they should be
> > > > > > somewhat close...]
> > > > > >
> > > > > > First, you need to identify what the problem is:  If you cannot find
> > > > > > the AVC errors reported in your syslog, and decipher them to know how
> > > > > > to fix them manually, the easiest method is to run the following
> > > > > > utility command:
> > > > > >
> > > > > >          audit2allow -i /var/log/messages
> > > > > >
> > > > 
> > > > Don Meyer                                           <dlmeyer at uiuc.edu>
> > > > Network Manager, ACES Academic Computing Facility
> > > > Technical System Manager, ACES TeleNet System
> > > > UIUC College of ACES, Information Technology and Communication Services
> > > > 
> > > >    "They that can give up essential liberty to obtain a little 
> > > > temporary safety,
> > > >          deserve neither liberty or safety."     -- Benjamin Franklin, 1759 
> > > > 
> > > 
> > 
> 
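As an added example (not from this thread), a small Python script that does by hand what audit2allow does for the AVC records quoted above: it groups the AVC and PATH records of one audit event, prints the allow rule audit2allow would emit, reports the device, inode, mode and label of the object that was actually denied (the thing to compare against ls -Z on the directory you relabelled), and flags a target type such as default_t as a catch-all, where an allow rule covers far more than one share and relabelling to samba_share_t is the better fix. The GENERIC_TYPES set and the sample log lines are constructed here from the records in the post.

```python
import re

# Constructed sample: the AVC and PATH records quoted in the post, one per line
# as they appear in /var/log/audit/audit.log.
SAMPLE_LOG = """\
type=AVC msg=audit(1140923608.645:86): avc:  denied  { search } for pid=3338 comm="smbd" name="/" dev=hda5 ino=2 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
type=PATH msg=audit(1140923608.645:86): item=0 name="/data/public" flags=1  inode=2 dev=03:05 mode=040755 ouid=0 ogid=0 rdev=00:00
"""

# Catch-all types in the targeted policy: an allow rule against one of these
# covers every object carrying that label, not just the share (assumed set).
GENERIC_TYPES = {"default_t", "file_t", "unlabeled_t"}

def parse_fields(text):
    # key=value and key="quoted value" pairs -> dict
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}

def parse_audit(log):
    """Group AVC and PATH records by audit event id (e.g. '1140923608.645:86')."""
    events = {}
    for line in log.splitlines():
        m = re.match(r"type=(\w+) msg=audit\(([^)]+)\): (.*)", line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        rec = events.setdefault(event_id, {})
        if rtype == "AVC":
            perms = re.search(r"\{ ([^}]+)\}", body).group(1).split()
            rec["avc"] = dict(parse_fields(body), perms=perms)
        elif rtype == "PATH":
            rec["path"] = parse_fields(body)
    return events

def type_of(context):
    return context.split(":")[2]  # user:role:type -> type

def allow_rule(avc):
    """The rule audit2allow would emit for one AVC record."""
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {type_of(avc['scontext'])} {type_of(avc['tcontext'])}:{avc['tclass']} {p};"

def assess(event):
    """Summarise a denial and flag rules that would be broader than one share."""
    avc, path = event["avc"], event.get("path", {})
    return {
        "rule": allow_rule(avc),
        "object": f"{path.get('name', avc.get('name'))} dev={avc['dev']} ino={avc['ino']} "
                  f"mode={path.get('mode', '?')} label={avc['tcontext']}",
        "broad": type_of(avc["tcontext"]) in GENERIC_TYPES,
    }
```

Run it over a captured snippet of audit.log with `for ev in parse_audit(open(path).read()).values(): print(assess(ev))`; a denial whose object is not the directory you relabelled shows up as a different inode or mode than ls -li / ls -Z report for the share.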