[Samba] SELinux Issue: unix_dgram_socket
Robert Buck
robert.buck at som.com
Mon Mar 8 21:15:51 UTC 2021
Ok, thanks. But does this make sense given that we’ve been testing
successfully for more than eight months in development and staging? With
SELinux enabled.
Thoughts?
On Mon, Mar 8, 2021 at 3:32 PM Jeremy Allison <jra at samba.org> wrote:
> On Mon, Mar 08, 2021 at 03:24:23PM -0500, Robert Buck via samba wrote:
> >Hi Folks
> >
> >Just wanted to pass this by you to see if anyone else running on Red
> >Hat Enterprise Linux ran into this SELinux issue before. The issue is this
> >sort of message in syslog:
> >
> >*Mar 8 16:28:15 use1-samba-server-s01-use1-01 setroubleshoot[3060874]:
> >SELinux is preventing /usr/sbin/winbindd from sendto access on the
> >unix_dgram_socket /var/lib/samba/private/msg.sock/3060870. For complete
> >SELinux messages run: sealert -l a77de726-5087-4302-9cc2-5b663a849ef6*
> >
> >The solution, we think, may be to add this policy. But can someone confirm
> >this, or help me find a better solution?
> >
> >module winbindd_unix_dgram_socket 1.0;
> >
> >require {
> >	type unconfined_service_t;
> >	type winbind_t;
> >	class unix_dgram_socket sendto;
> >}
> >
> >#============= winbind_t ==============
> >allow winbind_t unconfined_service_t:unix_dgram_socket sendto;
> >
> >But I am a little confused with the *unconfined_service_t* type.
> >
> >Any opinions?
>
> All the Samba daemons use messaging sockets in
> /var/lib/samba/private/msg.sock/
> to communicate, so yes, SELinux is going to have to allow that.
>
> --
BOB BUCK
SENIOR PLATFORM SOFTWARE ENGINEER
SKIDMORE, OWINGS & MERRILL
7 WORLD TRADE CENTER
250 GREENWICH STREET
NEW YORK, NY 10007
T (212) 298-9624
ROBERT.BUCK at SOM.COM
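
Added example, not part of the original thread or of Samba: a small Python triage helper that derives the quoted allow rule from an AVC denial and flags the unconfined_service_t target the poster asks about. In the RHEL targeted policy that type is the domain of services started by systemd with no domain transition of their own, so it is worth checking which daemon owns the socket before loading the rule. The AVC record below is constructed (the thread shows only the setroubleshoot summary), and all function names are hypothetical.

```python
import re

# Constructed sample AVC record (not from the thread). Types, class and socket
# path match the message above; timestamp, serial and pid are made up.
SAMPLE_AVC = (
    'type=AVC msg=audit(1600000000.000:1): avc:  denied  { sendto } for '
    'pid=1234 comm="winbindd" '
    'path="/var/lib/samba/private/msg.sock/3060870" '
    'scontext=system_u:system_r:winbind_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 '
    'tclass=unix_dgram_socket permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]

def parse_avc(line):
    """Extract source type, target type, class and permissions from a denial."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial record')
    return {'source': type_of(m['scontext']), 'target': type_of(m['tcontext']),
            'tclass': m['tclass'], 'perms': m['perms'].split()}

def allow_rule(d):
    """Render the type-enforcement rule that would permit the denied access."""
    perms = d['perms']
    rendered = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {d['source']} {d['target']}:{d['tclass']} {rendered};"

def triage(d):
    """Return review notes to resolve before the rule is loaded."""
    notes = []
    if d['target'].startswith('unconfined'):
        notes.append(f"peer runs as {d['target']}: check the owning daemon's "
                     "domain (ps -eZ) and executable label (ls -Z) first")
    return notes

if __name__ == '__main__':
    denial = parse_avc(SAMPLE_AVC)
    print(allow_rule(denial))
    for note in triage(denial):
        print('NOTE:', note)
```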