Re: [Samba] SELinux Samba Exception on EL6
In RHEL 6, disable_trans booleans were replaced by permissive domains. I'd suggest that you take a look at page 60 of the RHEL Security-Enhanced Linux documentation for more information.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Security-Enhanced_Linux-en-US.pdf

Andrew Philipoff
Infrastructure Manager
UCSF Department of Medicine - IT Services
415-476-1344

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Prashanth Sundaram
Sent: Tuesday, February 21, 2012 12:52 PM
To: samba@lists.samba.org
Subject: [Samba] SELinux Samba Exception on EL6

We are planning to migrate to EL6 and came across this issue that I am trying to get around.

Current system spec:

    Samba-3.5.10
    Selinux-policy-3.7.19
    Policycoreutils-2.0.83
    Autofs-5.0.5

In EL5 we disabled selinux for samba using the 'smbd_disable_trans' directive and the shares work fine. On RHEL6 I couldn't find this Boolean. Is there an alternate directive that accomplishes the same? The mounts that I want to share using samba have autofs_t context and I don't want to change it. Any recommendations?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] SELinux and samba/winbind w/ADS on RHEL 4.6
Hi,

I am not seeing this issue on RHEL4 update 6, but I am using:

    samba-3.0.25b-1.el4_6.5
    samba-common-3.0.25b-1.el4_6.5.i386
    samba-client-3.0.25b-1.el4_6.5.i386

My sestatus is as below:

    [EMAIL PROTECTED] ~]# sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 18
    Policy from config file:        targeted

    Policy booleans:
    allow_syslog_to_console         inactive
    allow_ypbind                    inactive
    dhcpd_disable_trans             inactive
    httpd_builtin_scripting         active
    httpd_disable_trans             inactive
    httpd_enable_cgi                active
    httpd_enable_homedirs           active
    httpd_ssi_exec                  active
    httpd_tty_comm                  inactive
    httpd_unified                   active
    mysqld_disable_trans            inactive
    named_disable_trans             inactive
    named_write_master_zones        inactive
    nscd_disable_trans              inactive
    ntpd_disable_trans              inactive
    pegasus_disable_trans           inactive
    portmap_disable_trans           inactive
    postgresql_disable_trans        inactive
    snmpd_disable_trans             inactive
    squid_disable_trans             inactive
    syslogd_disable_trans           inactive
    use_nfs_home_dirs               inactive
    use_samba_home_dirs             inactive
    use_syslogng                    inactive
    winbind_disable_trans           inactive
    ypbind_disable_trans            inactive

When I joined the system to AD and restarted winbind, it did not give any selinux errors in /var/log/messages, on the console, or in /var/log/audit/audit.log:

    [EMAIL PROTECTED] ~]# service winbind restart
    Shutting down Winbind services:                            [  OK  ]
    Starting Winbind services:                                 [  OK  ]

So can you paste the selinux messages that you are getting, and the samba version? Or, if you feel you can, do the following, without making selinux permissive or disabling it:

    #getsebool -P winbind_disable_trans = 1

Regards
Niranjan

On Tue, Jun 3, 2008 at 11:26 PM, Thomas Leavitt [EMAIL PROTECTED] wrote:
> SELinux appears to be interfering with winbind's functionality. I have the latest policy package installed: selinux-policy-targeted-1.17.30-2.149, which allegedly solves this problem according to the RedHat knowledge base, but clearly does not.
>
> I have to turn off SELinux by using setenforce 0 (permissive) to get winbind to work at all, and based on what I see in the log files, disabling it completely is necessary to prevent all interference. Am I missing something? Are other folks having this problem?
>
> Regards,
> Thomas Leavitt
Re: [Samba] SELinux and samba/winbind w/ADS on RHEL 4.6
Oops. In my previous post I made a typo:

    #getsebool -P winbind_disable_trans = 1

It should be:

    #setsebool -P winbind_disable_trans = 1

On Wed, Jun 4, 2008 at 10:25 AM, mallapadi niranjan [EMAIL PROTECTED] wrote:
> [previous message quoted in full; see above]
Re: [Samba] SELinux
From: Matt Herzog [EMAIL PROTECTED]
> I have been struggling with getting my Fedora Linux clients to be able to authenticate to a Microsoft AD in the past week and wonder how much of the problem was due to SELinux. My Debian machines can accept AD logins and even create home directories and dot files from /etc/skel. I know FC5 does PAM differently than Debian, but I'm wondering, does anyone on this list have winbind logins to FC5 or FC4 working? Even with SELinux disabled I'm starting to wonder if it's possible.

Please see my post on 09/06, reposted also on 09/08. It was working for me with 3.0.14a and stopped working with 3.0.23a; can you specify your version and send some debugging output to see if our problems are similar? BTW, I have SELinux disabled.

Elio
Re: [Samba] SElinux and Samba
Thanks man. That did the trick and I am happy.

Yvon Dubinsky [EMAIL PROTECTED] wrote:
> Ok, so there is not a problem with SElinux and Samba. But it is a pain to set up so it will work right. I finally figured out how to set up SE and Samba so you can be able to write and delete files. I found in one of the man pages, man samba_selinux, you can just disable SE for samba. I am sure there are other ways also but this is what I have found so far. I tried to just open SE to samba but that has not worked as of yet. What does work is typing
>
>     setsebool -P smbd_disable_trans 1
>
> This disables SE for just samba; then restart samba with
>
>     service smb restart
>
> I have not found a way to just pass samba through SE as of yet without disabling SE for the samba daemon.
>
> - yvon

Jayesh Kamdar [EMAIL PROTECTED]
Re: [Samba] SElinux and Samba
At 09:21 AM 5/5/2006, Yvon Dubinsky wrote:
> I found in one of the man pages, man samba_selinux, you can just disable SE for samba. I am sure there are other ways also but this is what I have found so far. I tried to just open SE to samba but that has not worked as of yet. What does work is typing
>
>     setsebool -P smbd_disable_trans 1
>
> This disables SE for just samba; then restart samba with
>
>     service smb restart
>
> I have not found a way to just pass samba through SE as of yet without disabling SE for the samba daemon.

I'm a little too stubborn for a quick fix like this, so I went the route of adding the specific rules needed to allow SMB/Winbindd to run without throwing AVC errors. I'm doing this on RHEL4 boxes, which install with SElinux enforcing targeted by default -- this allows me to leave SElinux active for its additional protections. Doing it this way requires a little extra work, though...

First, you need to install the selinux-policy-targeted-sources package, if not already installed.

When I build the RPMs from the source tarball, the first upgrade from the default RHEL4 packages changes the tdb directory from /var/cache/samba/ to /var/lib/samba/. This is accomplished by creating /var/lib/samba/ -- naturally, this royally mucks up the SElinux labelings/permissions.

So, immediately after the first upgrade from RHEL4 samba packages (before starting either smb or winbind) I need to do the following:

    chcon -Rt samba_var_t /var/lib/samba
    mkdir /var/lib/samba/winbindd_privileged/
    chcon -t winbind_var_run_t /var/lib/samba/winbindd_privileged/

Then, I drop the following file into the directory /etc/selinux/targeted/src/policy/domains/misc/:

winbind_add.te:
--
    allow winbind_t etc_runtime_t:file read;
    allow winbind_t proc_t:file read;
    allow winbind_t etc_t:file write;
    allow winbind_t samba_etc_t:file write;
    allow winbind_t initrc_t:process { signal signull };
    allow winbind_t initrc_var_run_t:file { lock read };
    allow winbind_t var_lib_t:dir { search getattr };
    allow winbind_t var_lib_t:dir search;
    allow winbind_t samba_log_t:dir { create setattr };
    allow winbind_t unconfined_t:fifo_file read;
    allow winbind_t var_lib_t:dir search;
--

This file is what I currently need to add to the default SElinux configuration to get Samba 3.0.23pre1 to work. What is needed seems to change with each new version of Samba... (The default SElinux ruleset for 3.0.10-1.3E.6 can be found in /etc/selinux/targeted/src/policy/domains/program/winbind.te.)

Finally, after this extra policy file is in place, you should chdir to /etc/selinux/targeted/src/policy/ and run the following command:

    make load

After this, you should be able to start/restart the smb and winbind services without complaints.

Now, some might ask, "How do you derive these additional rules?"

On a clean install, I install the packages, make the necessary mods, and then set SElinux to non-enforcing:

    setenforce 0

I then start

    tail -f /var/log/messages > /tmp/samba_avc.log

in a separate console. Next, I start the smb and winbind services and get them running properly. Running in non-enforcing mode allows all the error messages to be generated in the logs, but the operations are allowed to complete successfully.

Once the services are running, I do a couple of user queries to prime the winbind system and have it sync with the AD, etc. I then terminate the tail in the other console, and run the following command:

    audit2allow -i /tmp/samba_avc.log

This outputs (to stdout) the additional rules necessary to allow all of the operations that generated AVC error messages in the log excerpt. This should be what is necessary to get everything running -- I copy these rules into the file I call winbind_add.te in /etc/selinux/targeted/src/domains/misc/, and run the make load command to force the system to reload the SElinux rules.

Finally, I can shut down the smb and winbind services, run

    setenforce 1

to re-enable SElinux enforcing mode, and then restart smb and winbind. If all goes well, this should not generate any AVC errors...

Hope this helps someone...

-D

Don Meyer [EMAIL PROTECTED]
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759
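The rule-derivation loop Don describes above (run permissive, collect the AVC denials, feed them to audit2allow, review, reload) is worth seeing end to end. The following is an added example, not Don Meyer's code and not the audit2allow tool itself: it parses "avc: denied" lines in the RHEL4-era /var/log/messages format, groups the denied permissions by source type, target type and object class the way audit2allow does for the simple case, and emits allow rules in .te syntax. It also flags rules that would grant write-type access to broad system types such as etc_t or var_lib_t, since those usually mean a file should be relabeled (as Don does with chcon) rather than opened up to the daemon. The log lines, host name, PIDs and inode numbers are constructed samples, not captured from a real system; the REVIEW_* sets are this example's own heuristic, not a policy rule.

```python
"""Derive candidate SELinux allow rules from AVC denial messages.

Added example for this thread; it is not part of Samba, Red Hat's policy
tools, or the original post. The sample log below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample of what `tail -f /var/log/messages > /tmp/samba_avc.log`
# might collect while winbindd starts under `setenforce 0`. The last line is
# an ordinary smbd log line, included to show that non-AVC noise is skipped.
SAMPLE_AVC_LOG = """\
Jun  3 23:10:01 host kernel: audit(1212534601.101:45): avc:  denied  { read } for  pid=2311 comm="winbindd" name="resolv.conf" dev=sda2 ino=7001 scontext=root:system_r:winbind_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jun  3 23:10:01 host kernel: audit(1212534601.102:46): avc:  denied  { search getattr } for  pid=2311 comm="winbindd" name="lib" dev=sda2 ino=2 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jun  3 23:10:02 host kernel: audit(1212534601.103:47): avc:  denied  { search } for  pid=2311 comm="winbindd" name="samba" dev=sda2 ino=3 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jun  3 23:10:02 host kernel: audit(1212534601.104:48): avc:  denied  { write } for  pid=2311 comm="winbindd" name="secrets.tdb" dev=sda2 ino=9 scontext=root:system_r:winbind_t tcontext=system_u:object_r:etc_t tclass=file
Jun  3 23:10:02 host smbd[2312]: [2008/06/03 23:10:02, 0] smbd/server.c: smbd version 3.0.23 started.
"""

# Matches the permission set in braces plus the three fields audit2allow needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a security context (user:role:type[:level])."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, [perms]) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. a regular smbd log line)
        yield (
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            m.group("perms").split(),
        )


def derive_allow_rules(text):
    """Group denials by (source, target, class) and return sorted .te allow rules."""
    grouped = defaultdict(set)
    for src, tgt, cls, perms in parse_avc_denials(text):
        grouped[(src, tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


# Heuristic for this example only: write-type access to these generic types
# widens what the daemon can touch well beyond its own files. Relabeling the
# specific file (chcon) is normally the better fix than allowing the rule.
REVIEW_TARGET_TYPES = {"etc_t", "var_lib_t", "var_t", "usr_t", "unconfined_t"}
REVIEW_PERMS = {"write", "create", "unlink", "rename", "setattr", "append"}


def flag_rules_for_review(rules):
    """Return the subset of rules that grant broad write-type access."""
    rule_re = re.compile(r"allow (\S+) (\S+):(\S+) (.+);")
    flagged = []
    for rule in rules:
        src, tgt, cls, body = rule_re.match(rule).groups()
        perms = set(body.strip("{} ").split())
        if tgt in REVIEW_TARGET_TYPES and perms & REVIEW_PERMS:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    rules = derive_allow_rules(SAMPLE_AVC_LOG)
    print("# candidate winbind_add.te (review before `make load`)")
    for rule in rules:
        print(rule)
    for rule in flag_rules_for_review(rules):
        print("# REVIEW (broad write access): " + rule)
```

On the constructed sample this collapses the two var_lib_t directory denials into one rule, as audit2allow would, and singles out the etc_t write for review: a write into etc_t by winbindd points at a tdb file that still carries the wrong label after the /var/cache/samba to /var/lib/samba move, which is exactly the case the chcon steps above address.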