[Samba] SELinux & samba-dcerpcd
E R
fasteddieinaustin at gmail.com
Tue Jun 11 23:24:04 UTC 2024

I am working towards getting SELinux implemented on a web server that
also runs Samba thanks to Thomas Cameron's excellent video
https://www.youtube.com/watch?v=_WOKRaM-HI4. I set the SELinux label
on the web site folder (which is also the shared folder in Samba) to
public_content_rw_t and set the bool smbd_anon_write to 1 so that
Apache and Samba can hopefully coexist and Samba has write permission.

But periodically RHEL reports:
"SELinux is preventing samba-dcerpcd from ioctl access on the
directory /export/home/xxx/htdocs" (this is the web site folder and
shared folder)

Does anyone have insight (other than the man page) into what this
process may be trying to do before I follow the suggestion of using
the audit2allow tool to create a module to address? (I did flip the
system over to enforcing mode to try to see if things would be broken
but so far everything is working.) I also found a bug listed in
https://bugzilla.redhat.com/show_bug.cgi?id=2150680 for RHEL 9 (same
version that RHEL 8 has) where a similar issue was resolved in RHEL
9.2 that seems to point to this being an SELinux issue. I do not see
any references to samba-dcerpcd in the release notes since Samba
4.19.4 indicating there are any issues with this program that I may be
missing by running an older release.

RHEL 8.8
Samba version 4.19.4 (output from smbstatus but not sure if this
matches the real Samba release or not with RHEL's naming conventions)
Package Version: 4.19.4, Release 3.el8 (output from yum info)

Additional Information:
Source Context                system_u:system_r:winbind_rpcd_t:s0
Target Context                unconfined_u:object_r:public_content_rw_t:s0
Target Objects                /export/home/xxx/htdocs [ dir ]
Source                        samba-dcerpcd
Source Path                   samba-dcerpcd
Port                          <Unknown>
Host                          rhel8
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-117.el8_8.4.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-117.el8_8.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel8
Platform                      Linux rhel8 4.18.0-477.55.1.el8_8.x86_64 #1
                              SMP Thu Apr 4 09:26:55 EDT 2024 x86_64 x86_64
Alert Count                   2
First Seen                    2024-06-11 15:26:15 CDT
Last Seen                     2024-06-11 17:31:34 CDT
Local ID                      125fa088-9777-4032-895b-b81edc31bec0

Raw Audit Messages
type=AVC msg=audit(1718145094.662:141): avc: denied { ioctl } for
pid=2601 comm="samba-dcerpcd" path="/export/home/xxx/htdocs"
dev="dm-6" ino=268435584 scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=unconfined_u:object_r:public_content_rw_t:s0 tclass=dir
permissive=0

Hash: samba-dcerpcd,winbind_rpcd_t,public_content_rw_t,dir,ioctl
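
Added example (not part of the original post, and not Samba or Red Hat code): a small Python parser that turns the raw AVC record quoted above into the type-enforcement source a local policy module would carry, so the scope of the grant can be read before anything is loaded. The module name local_dcerpcd is a hypothetical placeholder.

```python
import re

# Raw AVC record copied from the post, rejoined onto one line.
AVC = ('type=AVC msg=audit(1718145094.662:141): avc: denied { ioctl } for '
       'pid=2601 comm="samba-dcerpcd" path="/export/home/xxx/htdocs" '
       'dev="dm-6" ino=268435584 scontext=system_u:system_r:winbind_rpcd_t:s0 '
       'tcontext=unconfined_u:object_r:public_content_rw_t:s0 tclass=dir '
       'permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Extract permissions, source/target types and object class."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    fields = dict(FIELD_RE.findall(m.group(2)))
    # A context is user:role:type:level; the policy rule uses the type.
    return {"perms": m.group(1).split(),
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "comm": fields["comm"].strip('"'),
            "enforced": fields.get("permissive") == "0"}


def te_module(records, name="local_dcerpcd"):  # module name is hypothetical
    """Build type-enforcement source that grants only what was denied."""
    rules, classes = {}, {}
    for r in records:
        key = (r["source"], r["target"], r["tclass"])
        rules.setdefault(key, set()).update(r["perms"])
        classes.setdefault(r["tclass"], set()).update(r["perms"])
    types = sorted({t for s, tgt, _ in rules for t in (s, tgt)})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), p in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(te_module([parse_avc(AVC)]))
```

The resulting allow rule is keyed on types, not paths: it would let every process in winbind_rpcd_t issue ioctl on every directory labelled public_content_rw_t, not only on /export/home/xxx/htdocs.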