[Samba] SELinux Issue: unix_dgram_socket

Jeremy Allison jra at samba.org
Mon Mar 8 20:32:01 UTC 2021


On Mon, Mar 08, 2021 at 03:24:23PM -0500, Robert Buck via samba wrote:
>Hi Folks
>
>Just wanted to pass this by you to see if anyone else running on Red
>Hat Enterprise Linux ran into this SELinux issue before. The issue is this
>sort of message in syslog:
>
>*Mar  8 16:28:15 use1-samba-server-s01-use1-01 setroubleshoot[3060874]:
>SELinux is preventing /usr/sbin/winbindd from sendto access on the
>unix_dgram_socket /var/lib/samba/private/msg.sock/3060870. For complete
>SELinux messages run: sealert -l a77de726-5087-4302-9cc2-5b663a849ef6*
>
>The solution, we think, may be to add this policy. But can someone confirm
>this, or help me find a better solution?
>
>module winbindd_unix_dgram_socket 1.0;
>
>require {
>    type unconfined_service_t;
>    type winbind_t;
>    class unix_dgram_socket sendto;
>}
>
>#============= winbind_t ==============
>allow winbind_t unconfined_service_t:unix_dgram_socket sendto;
>
>But I am a little confused with the *unconfined_service_t* type.
>
>Any opinions?

All the Samba daemons use messaging sockets in /var/lib/samba/private/msg.sock/
to communicate, so yes, SELinux is going to have to allow that.
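
Added example, not part of the original thread: a small Python parser showing how an allow rule like the one quoted above is derived from a raw AVC record. The audit.log lines are constructed (pid, timestamps and the user/role/level parts of the contexts are assumptions); because the target type is the domain of the process that owns the receiving socket, the helper also lists unconfined target domains so the peer's labelling can be reviewed.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log format; the types mirror the policy quoted in
# the thread, while pid, timestamps and user/role/level are made up.
SAMPLE_LOG = '''\
type=AVC msg=audit(1615220895.101:901): avc:  denied  { sendto } for  pid=1111 comm="winbindd" path="/var/lib/samba/private/msg.sock/3060870" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1615220896.222:902): avc:  denied  { sendto } for  pid=1111 comm="winbindd" path="/var/lib/samba/private/msg.sock/3060870" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1615220896.222:902): arch=c000003e syscall=44 success=no
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(':')[2]

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, PATH, ...) are skipped
            key = (selinux_type(m['s']), selinux_type(m['t']), m['cls'])
            denials[key].update(m['perms'].split())
    return dict(denials)

def allow_rules(denials):
    """Render one allow rule per (source, target, class), duplicates merged."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules

def unconfined_targets(denials):
    """Target domains that are unconfined: the receiving process is not
    running in a confined domain of its own, so check how it is labelled
    and started before granting access to that whole domain."""
    return sorted({tgt for (_, tgt, _) in denials if tgt.startswith('unconfined')})

if __name__ == '__main__':
    found = parse_denials(SAMPLE_LOG)
    print('\n'.join(allow_rules(found)))
    print('review peers running as:', unconfined_targets(found))
```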


