On Sun, 2009-02-22 at 11:38 +0100, Per Sjoholm wrote:
On CentOS 5.2 the server is answering on different netbios names.
SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t).
In smb.conf the include files are in 2 halves, one for global config and one for shares/aliases. I have
include = /etc/samba/smb.%L.alias
to get different shares/aliases depending on netbios name. The alias file contains
[name]
...
[name2]
...
I link asen20 to ASEN20 to allow the netbios name:
# ls -Z /etc/samba/smb*
-r--r--r--  root root root:object_r:samba_etc_t       /etc/samba/smb.asen20.alias
lrwxrwxrwx  root root root:object_r:samba_etc_t       /etc/samba/smb.ASEN20.alias -> smb.asen20.alias
/var/log/messages:
Feb 22 11:18:29 dox nmbd[4689]: become_domain_master_browser_bcast: querying subnet 192.168.1.6 for domain master browser on workgroup OASEN
Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing the samba daemon from serving r/o local files to remote clients. For complete SELinux messages. run sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
Feb 22 11:18:31 dox last message repeated 2 times
Feb 22 11:18:31 dox setroubleshoot: SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t). For complete SELinux messages. run sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb
Setting setsebool -P samba_export_all_ro=1, as advised in sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76, does not help.
# sealert -l 55450fa9-b52d-4224-ad52-58b0b9fc4b76
Summary:
SELinux is preventing the samba daemon from serving r/o local files to remote clients.
Detailed Description:
SELinux has preventing the samba daemon (smbd) from reading files on the local system. If you have not exported these file systems, this could signals an intrusion.
Allowing Access:
If you want to export file systems using samba you need to turn on the samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".
The following command will allow this access:
setsebool -P samba_export_all_ro=1
Additional Information:
Source Context                root:system_r:smbd_t
Target Context                root:object_r:samba_etc_t
Target Objects                smb.ASEN20.alias [ lnk_file ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          dox.oasen.dyndns.org
Source RPM Packages           samba-3.0.28-1.el5_2.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   samba_export_all_ro
Host Name                     dox.oasen.dyndns.org
Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count                   6
First Seen                    Sun Feb 22 11:01:48 2009
Last Seen                     Sun Feb 22 11:18:29 2009
Local ID                      55450fa9-b52d-4224-ad52-58b0b9fc4b76
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file
try this (the AVC record is single-quoted so the inner double quotes reach audit2allow intact):
echo 'type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file' | audit2allow -M mysmbd; sudo /usr/sbin/semodule -i mysmbd.pp
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.562:32001): arch=c000003e syscall=4 success=no exit=-13 a0=7fffa6dcac10 a1=7fffa6dcab60 a2=7fffa6dcab60 a3=2b560ee731f0 items=0 ppid=4684 pid=4685 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
# sealert -l 350c8d95-e127-4a23-b2a1-455771106aeb
Summary:
SELinux is preventing nmbd (nmbd_t) "read" to smb.ASEN20.alias (samba_etc_t).
Detailed Description:
SELinux denied access requested by nmbd. It is not expected that this access is required by nmbd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for smb.ASEN20.alias,
restorecon -v 'smb.ASEN20.alias'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                root:system_r:nmbd_t
Target Context                root:object_r:samba_etc_t
Target Objects                smb.ASEN20.alias [ lnk_file ]
Source                        nmbd
Source Path                   /usr/sbin/nmbd
Port                          <Unknown>
Host                          dox.oasen.dyndns.org
Source RPM Packages           samba-3.0.28-1.el5_2.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dox.oasen.dyndns.org
Platform                      Linux dox.oasen.dyndns.org 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count                   6
First Seen                    Sun Feb 22 11:01:48 2009
Last Seen                     Sun Feb 22 11:18:29 2009
Local ID                      350c8d95-e127-4a23-b2a1-455771106aeb
Line Numbers
Raw Audit Messages
host=dox.oasen.dyndns.org type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file
And this (same single-quoting, so the quoted comm= and name= fields survive):
echo 'type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file' | audit2allow -M mynmbd; sudo /usr/sbin/semodule -i mynmbd.pp
(mind the line breaks)
host=dox.oasen.dyndns.org type=SYSCALL msg=audit(1235297909.628:32004): arch=c000003e syscall=4 success=no exit=-13 a0=7fffca8af300 a1=7fffca8af250 a2=7fffca8af250 a3=0 items=0 ppid=4687 pid=4688 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5386 comm="nmbd" exe="/usr/sbin/nmbd" subj=root:system_r:nmbd_t:s0 key=(null)
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
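As an added example that is not part of the thread, the following Python script turns raw AVC records like the two above into the allow rules an audit2allow -M module would grant, so an admin can review exactly what is being opened up (here: smbd_t and nmbd_t reading samba_etc_t symlinks) before running semodule -i. The third audit line is constructed, not from the thread, to show how permissions for the same type pair are merged; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials from the thread, one SYSCALL record
# (which must be ignored), and a made-up getattr denial for smbd_t to show
# that permissions for the same (source, target, class) triple are merged.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1235297909.562:32001): avc: denied { read } for pid=4685 comm="smbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1235297909.562:32001): arch=c000003e syscall=4 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1235297909.628:32004): avc: denied { read } for pid=4688 comm="nmbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:nmbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1235297910.000:32010): avc: denied { getattr } for pid=4685 comm="smbd" name="smb.ASEN20.alias" dev=sdc3 ino=2247782 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_etc_t:s0 tclass=lnk_file
"""

# Permission set inside { }, then the source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]

def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL and other record types carry no 'avc: denied'
            continue
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))

def allow_rules(text):
    """Merge denials per (source, target, class) into sorted TE allow rules."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        merged[(stype, ttype, tclass)] |= perms
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
```

Only the allow rules are shown; audit2allow additionally emits the module and require headers, and the rules should be compared against what the share configuration actually needs before the module is installed.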