[Samba] SElinux and Samba

Don Meyer dlmeyer at uiuc.edu
Fri May 5 16:59:31 GMT 2006

At 09:21 AM 5/5/2006, Yvon Dubinsky wrote:
>I found in one of the man pages "man samba_selinux", you can just 
>disable SE for samba.   I am sure there are other ways also but this 
>is what I have found so far.   I tried to just open SE to samba but 
>that has not worked as of yet.   What does work is typing - " 
>setsebool -P smbd_disable_trans 1" - this disables SE for just samba 
>then restart samba with - "service smb restart".  I have not found a 
>way to just pass samba through SE as of yet without disabling SE 
>for the samba daemon.

I'm a little too stubborn for a quick fix like this, so I went the 
route of adding the specific rules needed to allow SMB/Winbindd to 
run without throwing AVC errors.  I'm doing this on RHEL4 boxes, 
which install with SElinux enforcing targeted by default -- this 
allows me to leave SElinux active for its additional protections.

Doing it this way requires a little extra work, though...

First, you need to install the selinux-policy-targeted-sources 
package, if not already installed.

When I build the RPMs from the source tarball, the first upgrade from 
the default RHEL4 packages changes the tdb directory from 
/var/cache/samba/ to /var/lib/samba/.   This is accomplished by 
creating /var/lib/samba/ -- Naturally, this royally mucks up the 
SElinux labelings/permissions.   So, immediately after the first 
upgrade from RHEL4 samba packages, (before starting either smb or 
winbind) I need to do the following:

chcon -Rt samba_var_t /var/lib/samba
mkdir /var/lib/samba/winbindd_privileged/
chcon -t winbind_var_run_t /var/lib/samba/winbindd_privileged/

Then, I drop the following file into the directory 

# Extra winbind rules on top of the RHEL4 targeted policy. The three
# duplicated var_lib_t:dir search lines are folded into one rule; the
# policy loaded is the same. These are type-level grants, so e.g.
# "etc_t:file write" lets winbindd write any file labelled etc_t, not
# only the one that produced the AVC message.
allow winbind_t etc_runtime_t:file read;
allow winbind_t proc_t:file read;
allow winbind_t etc_t:file write;
allow winbind_t samba_etc_t:file write;
allow winbind_t initrc_t:process { signal signull };
allow winbind_t initrc_var_run_t:file { lock read };
allow winbind_t var_lib_t:dir { search getattr };
allow winbind_t samba_log_t:dir { create setattr };
allow winbind_t unconfined_t:fifo_file read;

This file is what I currently need to add to the default SElinux 
configuration to get Samba 3.0.23pre1 to work.  What is needed seems 
to change with each new version of Samba...  (The default SElinux 
ruleset for 3.0.10-1.3E.6 can be found in 

Finally, after this "extra" policy file is in place, you should chdir 
to "/etc/selinux/targeted/src/policy/", and run the following command:

         make load

After this, you should be able to start/restart the smb & winbind 
services without complaints.

Now, some might ask "How do you derive these additional rules?"

On a clean install, I install the packages, make the necessary mods, 
and then set SElinux to non-enforcing:

         setenforce 0

I then start "tail -f /var/log/messages > /tmp/samba_avc.log" in a 
separate console.

Next, I start the smb & winbind services and get them running 
properly.   Running in non-enforcing mode allows all the error 
messages to be generated in the logs, but the operations are allowed 
to complete successfully.   Once the services are running, I do a 
couple user queries to prime the winbind system and have it sync with 
the AD, etc.  I then terminate the tail in the other console, and run 
the following command:

         audit2allow -i /tmp/samba_avc.log

This outputs (to stdout) the additional rules necessary to allow all 
of the operations that generated AVC error messages in the log 
excerpt.   This should be what is necessary to get everything running 
-- I copy these rules into the file I call winbind_add.te in 
"/etc/selinux/targeted/src/domains/misc/", and run the "make load" 
command to force the system to reload the SElinux rules.

Finally, I can shut down the smb & winbind services, run "setenforce 
1" to re-enable SElinux enforcing mode, and then restart smb & 
winbind.   If all goes well, this should not generate any AVC errors...

Hope this helps someone...

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759 
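The AVC-to-allow step described in the post above, as an added example that is not part of the original message and not Samba's or Red Hat's own tooling: a small awk converter that does what audit2allow does with "avc: denied" lines (pulls out source type, target type and object class, merges and deduplicates the permissions per triple), run over a constructed sample of RHEL4-era AVC lines, plus the permissive/enforcing cycle from the post written out as a second function. The function names, the sample log lines, the five-second waits and the wbinfo priming call are assumptions of this example; on a real box use audit2allow itself and review every rule it emits before loading it.

```shell
#!/bin/sh
# Added example, not the poster's script: a minimal audit2allow-style
# converter plus the permissive -> capture -> load -> enforcing cycle.
# Function names and the sample log are this example's own inventions.

# Constructed sample in the 2.6.9-era (RHEL4) kernel AVC format as it lands
# in /var/log/messages. Lines 2 and 3 hit the same source/target/class and
# must be merged into one rule; the sshd line is noise that must be ignored.
SAMPLE_AVC='May  5 10:02:11 host kernel: audit(1146840131.123:45): avc:  denied  { read } for  pid=2345 comm="winbindd" name="mtab" dev=hda2 ino=12345 scontext=root:system_r:winbind_t tcontext=system_u:object_r:etc_runtime_t tclass=file
May  5 10:02:11 host kernel: audit(1146840131.456:46): avc:  denied  { search } for  pid=2345 comm="winbindd" name="lib" dev=hda2 ino=22 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
May  5 10:02:12 host kernel: audit(1146840131.789:47): avc:  denied  { getattr } for  pid=2345 comm="winbindd" name="lib" dev=hda2 ino=22 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
May  5 10:02:12 host kernel: audit(1146840132.001:48): avc:  denied  { create setattr } for  pid=2345 comm="winbindd" name="samba" dev=hda2 ino=31 scontext=root:system_r:winbind_t tcontext=system_u:object_r:samba_log_t tclass=dir
May  5 10:02:13 host sshd[999]: Accepted publickey for don from 10.0.0.5 port 51234 ssh2'

# avc_to_allow: read log lines on stdin, print one "allow" rule per
# (source type, target type, class) in first-seen order, permissions merged.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        b = index($0, "{"); e = index($0, "}")
        if (b == 0 || e <= b) next
        perms = substr($0, b + 1, e - b - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type; the third field is the type
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        if (!(key in order)) { order[key] = ++count; keys[count] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (p[j] == "" || ((key, p[j]) in seen)) continue
            seen[key, p[j]] = 1
            rules[key] = rules[key] " " p[j]
        }
    }
    END {
        for (k = 1; k <= count; k++) {
            key = keys[k]; perm = rules[key]
            sub(/^ /, "", perm)
            if (index(perm, " ")) perm = "{ " perm " }"
            print "allow " key " " perm ";"
        }
    }'
}

# derive_rules_from_sample: the converter over the constructed sample.
derive_rules_from_sample() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

# derive_policy_live: the cycle from the post as one function. Needs root on
# an RHEL4-style box with selinux-policy-targeted-sources; NOT run here.
# $1 = path of the .te file to write, e.g.
#      /etc/selinux/targeted/src/domains/misc/winbind_add.te
derive_policy_live() {
    te_file="$1"
    log=/tmp/samba_avc.log
    setenforce 0                          # permissive: denials logged, not enforced
    : > "$log"
    tail -f /var/log/messages > "$log" &
    tail_pid=$!
    service smb restart; service winbind restart
    wbinfo -u > /dev/null                 # prime winbindd so it touches what it needs
    sleep 5
    kill "$tail_pid"
    avc_to_allow < "$log" > "$te_file"    # same role as: audit2allow -i "$log"
    ( cd /etc/selinux/targeted/src/policy && make load )
    service winbind stop; service smb stop
    setenforce 1                          # back to enforcing before the real test
    service smb start; service winbind start
    sleep 5
    # the check that matters: no fresh denials once enforcing is back on
    if tail -n 200 /var/log/messages | grep -q 'avc: *denied'; then
        echo "still seeing AVC denials after re-enforcing; rerun the capture" >&2
        return 1
    fi
}

derive_rules_from_sample
```

Running it prints three rules for the sample: the etc_runtime_t read, a merged `{ search getattr }` on var_lib_t:dir, and `{ create setattr }` on samba_log_t:dir. The merge is the reason the duplicated var_lib_t lines in a hand-assembled .te file are harmless but unnecessary, and the type-level output is the reason each emitted rule deserves a look before `make load`: a denial on one file labelled etc_t becomes a grant on every file of that type.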
