[Samba] SELinux Issue: unix_dgram_socket

Robert Buck robert.buck at som.com
Mon Mar 8 21:15:51 UTC 2021


Ok, thanks. But does this make sense given that we’ve been testing
successfully for more than eight months in development and staging? With
SELinux enabled.

Thoughts?

On Mon, Mar 8, 2021 at 3:32 PM Jeremy Allison <jra at samba.org> wrote:

> On Mon, Mar 08, 2021 at 03:24:23PM -0500, Robert Buck via samba wrote:
> >Hi Folks
> >
> >Just wanted to pass this by you to see if anyone else running on Red
> >Hat Enterprise Linux ran into this SELinux issue before. The issue is this
> >sort of message in syslog:
> >
> >*Mar  8 16:28:15 use1-samba-server-s01-use1-01 setroubleshoot[3060874]:
> >SELinux is preventing /usr/sbin/winbindd from sendto access on the
> >unix_dgram_socket /var/lib/samba/private/msg.sock/3060870. For complete
> >SELinux messages run: sealert -l a77de726-5087-4302-9cc2-5b663a849ef6*
> >
> >The solution, we think, may be to add this policy. But can someone confirm
> >this, or help me find a better solution?
> >
> >module winbindd_unix_dgram_socket 1.0;
> >
> >require {
> >    type unconfined_service_t;
> >    type winbind_t;
> >    class unix_dgram_socket sendto;
> >}
> >
> >#============= winbind_t ==============
> >allow winbind_t unconfined_service_t:unix_dgram_socket sendto;
> >
> >But I am a little confused with the *unconfined_service_t* type.
> >
> >Any opinions?
>
> All the Samba daemons use messaging sockets in
> /var/lib/samba/private/msg.sock/
> to communicate, so yes, SELinux is going to have to allow that.
>
> --

BOB BUCK
SENIOR PLATFORM SOFTWARE ENGINEER

SKIDMORE, OWINGS & MERRILL
7 WORLD TRADE CENTER
250 GREENWICH STREET
NEW YORK, NY 10007
T  (212) 298-9624
ROBERT.BUCK at SOM.COM
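
An added example (not part of the thread and not Samba project code): a Python sketch that derives the quoted allow rule from a raw AVC record and flags the unconfined_service_t target, which in the targeted policy is the domain an init-started service gets when its executable has no dedicated domain. The audit record is constructed to match the syslog summary above; its pid, timestamp and MLS level are assumptions.

```python
import re

# Constructed audit.log record for the denial summarized in the syslog line;
# only comm, path, types and class come from the thread, the rest is made up.
SAMPLE_AVC = (
    'type=AVC msg=audit(1615220895.123:4567): avc:  denied  { sendto } for  '
    'pid=1234 comm="winbindd" path="/var/lib/samba/private/msg.sock/3060870" '
    'scontext=system_u:system_r:winbind_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 '
    'tclass=unix_dgram_socket permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r'\bpath="([^"]*)"')

# Domains that mean "no confinement"; for a unix socket the target type is
# the domain of the process that created the receiving socket.
UNCONFINED = {"unconfined_service_t", "unconfined_t", "initrc_t"}

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    path = PATH_RE.search(line)
    return {
        "perms": m["perms"].split(),
        "source_type": m["scontext"].split(":")[2],  # user:role:type:level
        "target_type": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "path": path.group(1) if path else None,
    }

def allow_rule(d):
    """Build the type-enforcement rule that would permit the denied access."""
    p = d["perms"]
    perms = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f'allow {d["source_type"]} {d["target_type"]}:{d["tclass"]} {perms};'

def review(d):
    """Flag rules that would let a confined daemon talk to an unconfined peer."""
    if d["tclass"].startswith("unix_") and d["target_type"] in UNCONFINED:
        return [f'peer of {d["path"]} runs as {d["target_type"]}: check its '
                'domain with "ps -eZ" and its binary label with "ls -Z" '
                'before loading the allow rule']
    return []
```
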

