[Samba] SELinux Issue: unix_dgram_socket

Robert Marcano robert at marcanoonline.com
Tue Mar 9 14:33:56 UTC 2021


On 3/8/21 5:15 PM, Robert Buck via samba wrote:
> Ok, thanks. But does this make sense given that we've been testing
> successfully for more than eight months in development and staging? With
> selinux enabled.

Unless you have changed some file contexts manually (chcon), you should 
try doing an autorelabel of the entire filesystem; the easiest way is to 
do 'touch /.autorelabel' and reboot: 
https://wiki.centos.org/HowTos/SELinux#Relabel_Complete_Filesystem.

You can do the autorelabel too if you remember your chcon 
customizations. If you have done that, I recommend you use semanage: 
https://wiki.centos.org/HowTos/SELinux#Relabeling_Files.

You can use restorecon too: 
https://wiki.centos.org/HowTos/SELinux#Restore_Default_Security_Contexts

If you are using the RHEL-provided Samba packages and their provided 
policy, after relabeling (just to rule out something wrong in your 
labeling), I recommend you report it as a bug to Red Hat, because the 
policy and their provided package should work fine.

Your problem could be some lingering socket file or directory inside 
/var/lib/samba that has the wrong context (maybe it was run for a 
time without SELinux disabled, or you ran a test with another Samba 
compiled outside PREFIX=/usr, and that generated files without the 
proper context). Relabeling should fix that, if that is the problem.

> 
> Thoughts?
> 
> On Mon, Mar 8, 2021 at 3:32 PM Jeremy Allison <jra at samba.org> wrote:
> 
>> On Mon, Mar 08, 2021 at 03:24:23PM -0500, Robert Buck via samba wrote:
>>> Hi Folks
>>>
>>> Just wanted to pass this by you to see if anyone else running on Red
>>> Hat Enterprise Linux ran into this SeLinux issue before. The issue is this
>>> sort of message in syslog:
>>>
>>> Mar  8 16:28:15 use1-samba-server-s01-use1-01 setroubleshoot[3060874]:
>>> SELinux is preventing /usr/sbin/winbindd from sendto access on the
>>> unix_dgram_socket /var/lib/samba/private/msg.sock/3060870. For complete
>>> SELinux messages run: sealert -l a77de726-5087-4302-9cc2-5b663a849ef6
>>>
>>> The solution, we think, may be to add this policy. But can someone confirm
>>> this, or help me find a better solution?
>>>
>>> module winbindd_unix_dgram_socket 1.0;
>>>
>>> require {
>>>     type unconfined_service_t;
>>>     type winbind_t;
>>>     class unix_dgram_socket sendto;
>>> }
>>>
>>> #============= winbind_t ==============
>>> allow winbind_t unconfined_service_t:unix_dgram_socket sendto;
>>>
>>> But I am a little confused with the *unconfined_service_t* type.
>>>
>>> Any opinions?
>>
>> All the Samba daemons use messaging sockets in
>> /var/lib/samba/private/msg.sock/
>> to communicate, so yes, SELinux is going to have to allow that.
>>
>> --
> 
> BOB BUCK
> SENIOR PLATFORM SOFTWARE ENGINEER
> 
> SKIDMORE, OWINGS & MERRILL
> 7 WORLD TRADE CENTER
> 250 GREENWICH STREET
> NEW YORK, NY 10007
> T  (212) 298-9624
> ROBERT.BUCK at SOM.COM
> 
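The "relabel first, then decide whether it is a policy bug" check that Robert Marcano describes above, as an added example; this is not code from the thread, from Samba or from Red Hat. The script parses the setroubleshoot line Robert Buck posted (the only input that comes from the page), takes the msg.sock entry name as the pid of the Samba process that owns the socket (Samba's messaging convention, which the thread itself does not state), prints that process's SELinux domain, and asks restorecon for a dry run over the Samba executables and /var/lib/samba so you can see whether anything is mislabelled before adding an allow rule. The reading that a peer showing up as unconfined_service_t points at an executable that was never labelled for a transition into a Samba domain is my assumption, as is the list of paths handed to restorecon.

```shell
#!/bin/sh
# Added example for the Samba SELinux thread; not code from the thread, from
# Samba or from Red Hat. Assumptions (mine): the syslog line uses the stock
# setroubleshoot wording, the msg.sock entry is named after the owning Samba
# process's pid, and a peer running as unconfined_service_t means its
# executable was not labelled for a Samba domain transition, which a relabel
# (restorecon, or touch /.autorelabel and reboot) corrects.

# The line from the thread, with the Gmail bold asterisks removed.
SAMPLE_LINE='Mar  8 16:28:15 use1-samba-server-s01-use1-01 setroubleshoot[3060874]: SELinux is preventing /usr/sbin/winbindd from sendto access on the unix_dgram_socket /var/lib/samba/private/msg.sock/3060870. For complete SELinux messages run: sealert -l a77de726-5087-4302-9cc2-5b663a849ef6'

# parse_setroubleshoot LINE -> "source|access|class|target|alert_id"
parse_setroubleshoot() {
    ps_line=$1
    ps_src=$(printf '%s\n' "$ps_line" | sed -n 's/.*SELinux is preventing \([^ ]*\) from .*/\1/p')
    ps_acc=$(printf '%s\n' "$ps_line" | sed -n 's/.*from \([a-z_]*\) access on .*/\1/p')
    ps_cls=$(printf '%s\n' "$ps_line" | sed -n 's/.*access on the \([a-z_]*\) .*/\1/p')
    # the target path is followed by the sentence's full stop; drop it
    ps_tgt=$(printf '%s\n' "$ps_line" | sed -n 's/.*access on the [a-z_]* \([^ ]*\).*/\1/p' | sed 's/\.$//')
    ps_id=$(printf '%s\n' "$ps_line" | sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p')
    printf '%s|%s|%s|%s|%s\n' "$ps_src" "$ps_acc" "$ps_cls" "$ps_tgt" "$ps_id"
}

# context_type CONTEXT -> the type, i.e. the third colon-separated field
context_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# is_unconfined_domain TYPE -> true when the process domain is unconfined
is_unconfined_domain() {
    case $1 in
        unconfined_t|unconfined_service_t) return 0 ;;
        *) return 1 ;;
    esac
}

# peer_pid_from_target PATH -> basename of the socket, the peer's pid (assumed)
peer_pid_from_target() {
    printf '%s\n' "${1##*/}"
}

# triage LINE: run the live checks; needs ps and restorecon on the box
triage() {
    fields=$(parse_setroubleshoot "$1")
    src=$(printf '%s\n' "$fields" | cut -d'|' -f1)
    tgt=$(printf '%s\n' "$fields" | cut -d'|' -f4)
    pid=$(peer_pid_from_target "$tgt")
    printf 'sender: %s  target: %s  peer pid: %s\n' "$src" "$tgt" "$pid"
    if [ -d "/proc/$pid" ]; then
        # ps -o label prints the process's SELinux context
        dom=$(context_type "$(ps -o label= -p "$pid")")
        printf 'peer domain: %s\n' "$dom"
        if is_unconfined_domain "$dom"; then
            echo "peer runs unconfined: check the label of the binary it was started from"
        fi
    fi
    if command -v restorecon >/dev/null 2>&1; then
        echo "restorecon dry run (-n report only, -R recurse, -v show changes):"
        # Drop -n to fix in place, or touch /.autorelabel and reboot for the
        # whole filesystem. For a Samba installed outside /usr, register its
        # paths with semanage fcontext first so restorecon knows the target label.
        restorecon -nRv "$src" /usr/sbin/smbd /usr/sbin/nmbd /usr/sbin/winbindd /var/lib/samba 2>/dev/null || true
    fi
}

if [ -n "${1:-}" ]; then
    triage "$1"
fi
```

Run it as root with the offending line as its argument, for instance `sh triage.sh "$(journalctl -t setroubleshoot -n 1 -o cat)"`. If the dry run lists files under /var/lib/samba or a Samba binary with a label that is not the policy's, relabel and retest before shipping the allow rule from the thread; if nothing is mislabelled and the peer still runs unconfined, that is the point at which a report to Red Hat against the packaged policy makes sense.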



