At 05:15 AM 7/14/2006, Alex de Vaal wrote:
> > b) The smbd and nmbd services run fine under the standard RHEL4
> > selinux-policy-targeted ruleset.   However, winbindd rules aren't in
> > this set, and will fail if SELinux is enabled/enforcing.    If you
> > are running winbindd (which you probably are in ads mode), you can deal
> > with this problem in a number of ways:
> ...
> > This will load some additional rules that will allow winbindd to run
> > without any (significant) AVC errors.   This should only need to be done
> > once.
>
> Running winbindd failed indeed in the first instance on RHEL4 because of
> SELinux. In SELinux there is however a "winbind_disable_trans" boolean (in
> the file: /etc/selinux/targeted/booleans), which is default 0. If you change
> this to 1 and reboot the server, winbind will run smoothly on RHEL4.


Thanks Alex, this is the trick for disabling enforcement for a particular daemon/subsystem. There are a number of *_disable_trans boolean variables that essentially disable enforcement for the corresponding subsystem.

When set to active (1), the boolean flag disables the context transition from the root state to the specific context. Since the base/root state has essentially unlimited access under the selinux targeted policy, the errors aren't generated and the blocks aren't enforced. Of course, this means the protections are disabled as well, but just for the winbind subsystem...

Personally, I prefer to have the protections in place and will continue to augment the rules as necessary. Fortunately, the additional set of rules I've needed to add have been relatively stable over the past few builds.

However, the "winbind_disable_trans" method is certainly much simpler, and would be recommended for those not worried about the security through the winbind service.

BTW, the command to change this without editing a file is:

        setsebool -P winbind_disable_trans 1


Jerry, any thoughts on including this in the RHEL packaging? Perhaps the following logic flow:

if SELinux is active and enforcing,
        if selinux-policy-targeted-sources package is not installed,
                if getsebool winbind_disable_trans = 0
                        then setsebool -P winbind_disable_trans 1

This could alleviate a whole lot of winbind problems for people installing RHEL-based packages, and as long as it is documented somewhere, is trivial/easy to undo for someone who wants to modify their SELinux config later.

This also reminds me that I've been wanting to write up a similar patch to handle the selinux chcons for the /var/cache/samba/ --> /var/lib/samba/ transition... ;-)


Cheers,
-D

Don Meyer                                           <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759
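The post-install logic flow proposed above, written out as a POSIX sh function; this is an added example, not code from the thread or from the Samba or RHEL packaging, and it assumes getenforce, rpm, getsebool and setsebool are present while taking the three inputs as arguments so the decision can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the thread: the proposed post-install logic as a
# POSIX sh function. The three facts it needs are passed in as arguments so
# the decision can be exercised without root or SELinux tooling.
#
# Returns 0 (flip the boolean) only when all three hold:
#   1. SELinux is active and enforcing         (getenforce prints "Enforcing")
#   2. selinux-policy-targeted-sources absent  (rpm -q exits non-zero)
#   3. winbind_disable_trans currently off     (getsebool prints inactive/off)
# Caveat: the boolean unconfines winbindd entirely; no policy rules are added.
should_disable_winbind_trans() {
    mode="$1"          # output of: getenforce
    sources_rc="$2"    # exit status of: rpm -q selinux-policy-targeted-sources
    bool_line="$3"     # output of: getsebool winbind_disable_trans

    [ "$mode" = "Enforcing" ] || return 1     # permissive/disabled: nothing to fix
    [ "$sources_rc" -ne 0 ] || return 1       # sources present: add rules instead
    case "$bool_line" in
        *"--> inactive"*|*"--> off"*|*"--> 0"*) return 0 ;;   # currently off
        *) return 1 ;;                                        # already on or unknown
    esac
}

# Wrapper that gathers the real values; intended for a root post-install hook.
# Assumes getenforce, rpm, getsebool and setsebool exist (RHEL4 targeted policy).
apply_winbind_workaround() {
    command -v getenforce >/dev/null 2>&1 || return 1   # no SELinux userland
    mode=$(getenforce)
    if rpm -q selinux-policy-targeted-sources >/dev/null 2>&1; then
        sources_rc=0
    else
        sources_rc=1
    fi
    bool_line=$(getsebool winbind_disable_trans 2>/dev/null)
    if should_disable_winbind_trans "$mode" "$sources_rc" "$bool_line"; then
        echo "winbindd: setting winbind_disable_trans=1 (undo: setsebool -P winbind_disable_trans 0)"
        setsebool -P winbind_disable_trans 1
    fi
}
```

Undo with `setsebool -P winbind_disable_trans 0`. Later targeted policies dropped the *_disable_trans booleans in favour of permissive domains (`semanage permissive -a winbind_t`), which keeps the AVC denials in the audit log while still not blocking the daemon.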
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba