[Samba] Fedora packages or Enterprise packages of Samba on RHEL4?

Don Meyer dlmeyer at uiuc.edu
Fri Jul 14 15:50:51 GMT 2006


At 05:15 AM 7/14/2006, Alex de Vaal wrote:
> > b) The smbd and nmbd services run fine under the standard RHEL4
> > selinux-policy-targeted ruleset.   However, winbindd rules aren't in
> > this set, and will fail if SELinux is enabled/enforcing.    If you
> > are running winbindd, (which you probably are in ads mode) you can deal
> > with this problem in a number of ways:
>...
> > This will load some additional rules that will allow winbindd to run
> > without any (significant) AVC errors.   This should only need to be done
> > once.
>
>Running winbindd failed indeed in the first instance on RHEL4 because of
>SELinux. In SELinux there is however a "winbind_disable_trans" boolean (in
>the file: /etc/selinux/targeted/booleans), which is default 0. If you change
>this to 1 and reboot the server, winbind will run smoothly on RHEL4.


Thanks Alex, this is the trick to disabling enforcement for a 
particular daemon/subsystem.   There are a number of *_disable_trans 
boolean variables that essentially disable enforcement for the 
corresponding subsystem.

When set to active (1), the boolean flag disables the context 
transition from the root state to the specific context.   Since the 
base/root state has essentially unlimited access under the selinux 
targeted policy, the errors aren't generated and the blocks aren't 
enforced.    Of course, this means the protections are disabled as 
well, but just for the winbind subsystem...

Personally, I prefer to have the protections in place and will 
continue to augment the rules as necessary.   Fortunately, the 
additional set of rules I've needed to add have been relatively 
stable over the past few builds.

However, the "winbind_disable_trans" method is certainly much 
simpler.   And would be recommended for those not worried about the 
security through the winbind service.

BTW, the command to change this without editing a file is:

         setsebool -P winbind_disable_trans 1


Jerry, any thoughts on including this in the RHEL 
packaging?   Perhaps the following logic flow:

if SELinux is active and enforcing,
         if selinux-policy-targeted-sources package is not installed,
                 if getsebool winbind_disable_trans = 0
                         then setsebool -P winbind_disable_trans 1

This could alleviate a whole lot of winbind problems for people 
installing RHEL-based packages, and as long as it is documented 
somewhere, is trivial/easy to undo for someone who wants to modify 
their SELinux config later.

This also reminds me that I've been wanting to write up a similar 
patch to handle the selinux chcons for the /var/cache/samba/ --> 
/var/lib/samba/ transition... ;-)


Cheers,
-D

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759 
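
The message above notes that every active *_disable_trans boolean leaves its daemon unconfined. The following is an added example, not part of the original message or of any Samba or RHEL packaging: it lists which of those booleans are switched on and evaluates the proposed packaging check as a dry-run decision. The function names and the sample data are hypothetical and constructed, and the script assumes `getsebool -a` prints `name --> state` lines with the state given as active/inactive or on/off.

```shell
#!/bin/sh
# Added example: audit SELinux *_disable_trans booleans, i.e. find daemons
# that stay in the unconfined domain under the targeted policy.

# Reads `getsebool -a` style lines on stdin ("name --> state") and prints the
# name of every *_disable_trans boolean whose state is active/on/1.
list_disabled_transitions() {
    awk '$2 == "-->" && $1 ~ /_disable_trans$/ &&
         ($3 == "active" || $3 == "on" || $3 == "1") { print $1 }'
}

# The packaging check proposed in the message, as a pure decision function
# (hypothetical helper; it changes nothing on the system).
# Args: getenforce output, whether selinux-policy-targeted-sources is
# installed (yes/no), current state of winbind_disable_trans.
# Prints "set" when the flow would run setsebool, otherwise "skip".
winbind_packaging_action() {
    enforce=$1 sources_installed=$2 bool_state=$3
    if [ "$enforce" = "Enforcing" ] && [ "$sources_installed" = "no" ]; then
        case $bool_state in
            inactive|off|0) echo set; return 0 ;;
        esac
    fi
    echo skip
}

# Constructed sample of `getsebool -a` output (not captured from a real host).
SAMPLE_BOOLEANS='httpd_disable_trans --> inactive
named_disable_trans --> inactive
winbind_disable_trans --> active
allow_ypbind --> active
squid_disable_trans --> on'

# On a live host, use instead:  getsebool -a | list_disabled_transitions
printf '%s\n' "$SAMPLE_BOOLEANS" | list_disabled_transitions
```

Any name this prints is a subsystem whose targeted-policy protections are currently off, which makes the output a short list of candidates for proper rules instead of a blanket exemption.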


