Re: [Samba] SELinux Samba Exception on EL6

2012-02-21 Thread Philipoff, Andrew
In RHEL 6, disable_trans booleans were replaced by permissive domains. I'd 
suggest that you take a look at page 60 of the RHEL Security-Enhanced Linux 
documentation for more information.
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Security-Enhanced_Linux-en-US.pdf

Andrew Philipoff
Infrastructure Manager
UCSF Department of Medicine - IT Services
415-476-1344


-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Prashanth Sundaram
Sent: Tuesday, February 21, 2012 12:52 PM
To: samba@lists.samba.org
Subject: [Samba] SELinux Samba Exception on EL6

We are planning to migrate to EL6 and came across this issue that I am trying
to get around.

Current system spec:

Samba-3.5.10
Selinux-policy-3.7.19
Policycoreutils-2.0.83
Autofs-5.0.5

In EL5 we disabled selinux for samba using the 'smbd_disable_trans'
directive and the shares work fine. On RHEL6 I couldn't find this Boolean. Is
there an alternate directive that accomplishes the same?

The mounts that I want to share using samba have autofs_t context and I don't
want to change it. Any recommendations?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



Re: [Samba] SELinux and samba/winbind w/ADS on RHEL 4.6

2008-06-03 Thread mallapadi niranjan
Hi,

I am not seeing this issue on RHEL4 update 6, but I am using

samba-3.0.25b-1.el4_6.5
samba-common-3.0.25b-1.el4_6.5.i386
samba-client-3.0.25b-1.el4_6.5.i386

My sestatus output is as below:

<snip>
[EMAIL PROTECTED] ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 18
Policy from config file:        targeted

Policy booleans:
allow_syslog_to_console         inactive
allow_ypbind                    inactive
dhcpd_disable_trans             inactive
httpd_builtin_scripting         active
httpd_disable_trans             inactive
httpd_enable_cgi                active
httpd_enable_homedirs           active
httpd_ssi_exec                  active
httpd_tty_comm                  inactive
httpd_unified                   active
mysqld_disable_trans            inactive
named_disable_trans             inactive
named_write_master_zones        inactive
nscd_disable_trans              inactive
ntpd_disable_trans              inactive
pegasus_disable_trans           inactive
portmap_disable_trans           inactive
postgresql_disable_trans        inactive
snmpd_disable_trans             inactive
squid_disable_trans             inactive
syslogd_disable_trans           inactive
use_nfs_home_dirs               inactive
use_samba_home_dirs             inactive
use_syslogng                    inactive
winbind_disable_trans           inactive
ypbind_disable_trans            inactive
</snip>

When I joined the system to AD and restarted winbind, it did not give any
SELinux errors in /var/log/messages, on the console or in /var/log/audit/audit.log.

<snip>
[EMAIL PROTECTED] ~]# service winbind restart

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]
</snip>

So can you paste the SELinux messages that you are getting, and the Samba
version? Or, if you like, you can do the following, without making SELinux
permissive or disabling it:

#getsebool -P winbind_disable_trans = 1

Regards
Niranjan

On Tue, Jun 3, 2008 at 11:26 PM, Thomas Leavitt [EMAIL PROTECTED]
wrote:

 SELinux appears to be interfering with winbind's functionality.

 I have the latest policy package installed:

 selinux-policy-targeted-1.17.30-2.149

 which allegedly solves this problem according to the RedHat knowledge
 base, but clearly does not. I have to turn off SELinux by using
 setenforce 0 (permissive) to get winbind to work at all, and based on
 what I see in the log files, disabling it completely is necessary to
 prevent all interference.

 Am I missing something? Are other folks having this problem?

 Regards,

 Thomas Leavitt



Re: [Samba] SELinux and samba/winbind w/ADS on RHEL 4.6

2008-06-03 Thread mallapadi niranjan
Oops, in my previous post I made a typo:

#getsebool -P winbind_disable_trans = 1

It should be:

#setsebool -P winbind_disable_trans = 1

On Wed, Jun 4, 2008 at 10:25 AM, mallapadi niranjan 
[EMAIL PROTECTED] wrote:



Re: [Samba] SELinux

2006-09-12 Thread Elio Tondo
From: Matt Herzog [EMAIL PROTECTED]

 I have been struggling with getting my Fedora Linux clients to be able to
 authenticate to a Microsoft AD in the past week and wonder how much of the
 problem was due to SELinux. My Debian machines can accept AD logins and even
 create home directories and dot files from /etc/skel. I know FC5 does PAM
 differently than Debian, but I'm wondering, does anyone on this list have
 winbind logins to FC5 or FC4 working? Even with SELinux disabled I'm starting 
 to wonder if it's possible.

Please see my post on 09/06, reposted also on 09/08. It was working for me
with 3.0.14a and stopped working with 3.0.23a; can you specify your version
and send some debugging output to see if our problems are similar? BTW,
I have SELinux disabled.

Elio



Re: [Samba] SElinux and Samba

2006-05-05 Thread Jayesh Kamdar
Thanks man. That did the trick and I am happy.


Yvon Dubinsky [EMAIL PROTECTED] wrote:

Ok, so there is not a problem with SElinux and Samba. But it is a
pain to set up so it will work right. I finally figured out how to
set up SE and Samba so you can be able to write and delete files.

I found in one of the man pages, man samba_selinux, that you can just
disable SE for samba. I am sure there are other ways also but this
is what I have found so far. I tried to just open SE to samba but
that has not worked as of yet. What does work is typing -
setsebool -P smbd_disable_trans 1 - this disables SE for just
samba, then restart samba with - service smb restart. I have not
found a way to just pass samba through SE as of yet without
disabling SE for the samba daemon.

- yvon




Jayesh Kamdar
[EMAIL PROTECTED]


Re: [Samba] SElinux and Samba

2006-05-05 Thread Don Meyer

At 09:21 AM 5/5/2006, Yvon Dubinsky wrote:
I found in one of the man pages, man samba_selinux, that you can just
disable SE for samba. I am sure there are other ways also but this
is what I have found so far. I tried to just open SE to samba but
that has not worked as of yet. What does work is typing -
setsebool -P smbd_disable_trans 1 - this disables SE for just samba,
then restart samba with - service smb restart. I have not found a
way to just pass samba through SE as of yet without disabling SE
for the samba daemon.


I'm a little too stubborn for a quick fix like this, so I went the 
route of adding the specific rules needed to allow SMB/Winbindd to 
run without throwing AVC errors.  I'm doing this on RHEL4 boxes, 
which install with SElinux enforcing targeted by default -- this 
allows me to leave SElinux active for its additional protections.


Doing it this way requires a little extra work, though...

First, you need to install the selinux-policy-targeted-sources 
package, if not already installed.


When I build the RPMs from the source tarball, the first upgrade from 
the default RHEL4 packages changes the tdb directory from 
/var/cache/samba/ to /var/lib/samba/.   This is accomplished by 
creating /var/lib/samba/ -- Naturally, this royally mucks up the 
SElinux labelings/permissions.   So, immediately after the first 
upgrade from RHEL4 samba packages, (before starting either smb or 
winbind) I need to do the following:


chcon -Rt samba_var_t /var/lib/samba
mkdir /var/lib/samba/winbindd_privileged/
chcon -t winbind_var_run_t /var/lib/samba/winbindd_privileged/


Then, I drop the following file into the directory 
/etc/selinux/targeted/src/policy/domains/misc/:


winbind_add.te:
--
allow winbind_t etc_runtime_t:file read;
allow winbind_t proc_t:file read;
allow winbind_t etc_t:file write;
allow winbind_t samba_etc_t:file write;
allow winbind_t initrc_t:process { signal signull };
allow winbind_t initrc_var_run_t:file { lock read };
allow winbind_t var_lib_t:dir { search getattr };
allow winbind_t var_lib_t:dir search;
allow winbind_t samba_log_t:dir { create setattr };
allow winbind_t unconfined_t:fifo_file read;
allow winbind_t var_lib_t:dir search;
--

This file is what I currently need to add to the default SElinux 
configuration to get Samba 3.0.23pre1 to work.  What is needed seems 
to change with each new version of Samba...  (The default SElinux 
ruleset for 3.0.10-1.3E.6 can be found in 
/etc/selinux/targeted/src/policy/domains/program/winbind.te.)


Finally, after this extra policy file is in place, you should chdir 
to /etc/selinux/targeted/src/policy/, and run the following command:


make load


After this, you should be able to start/restart the smb & winbind 
services without complaints.


Now, some might ask "How do you derive these additional rules?"

On a clean install, I install the packages, make the necessary mods, 
and then set SElinux to non-enforcing:


setenforce 0

I then start tail -f /var/log/messages > /tmp/samba_avc.log in a 
separate console.


Next, I start the smb & winbind services and get them running 
properly.   Running in non-enforcing mode allows all the error 
messages to be generated in the logs, but the operations are allowed 
to complete successfully.   Once the services are running, I do a 
couple of user queries to prime the winbind system and have it sync with 
the AD, etc.  I then terminate the tail in the other console, and run 
the following command:


audit2allow -i /tmp/samba_avc.log

This outputs (to stdout) the additional rules necessary to allow all 
of the operations that generated AVC error messages in the log 
excerpt.   This should be what is necessary to get everything running 
-- I copy these rules into the file I call winbind_add.te in 
/etc/selinux/targeted/src/domains/misc/, and run the make load 
command to force the system to reload the SElinux rules.


Finally, I can shut down the smb & winbind services, run setenforce 
1 to re-enable SElinux enforcing mode, and then restart smb & 
winbind.   If all goes well, this should not generate any AVC errors...


Hope this helps someone...
-D


Don Meyer   [EMAIL PROTECTED]
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759


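As an added illustration of the audit2allow step in the post above (example code written here, not audit2allow itself and not from the post or the Samba project): a small parser that turns AVC denial lines in the RHEL4-era syslog format into allow statements of the kind shown in winbind_add.te, and flags the ones that grant write-like access to a generic system type such as etc_t, which a reviewer would want to inspect (and usually fix by relabeling) before running make load. The log lines, type lists and permission lists are constructed assumptions.

```python
"""Derive SELinux allow rules from AVC denial log lines, the way the
audit2allow step in the post does, and flag rules worth a second look."""
import re
from collections import defaultdict

# Constructed sample lines in the RHEL4-era syslog AVC format (not from the post).
SAMPLE_LOG = """\
Jun  3 23:10:01 host kernel: audit(1212530401.123:45): avc:  denied  { read } for  pid=1234 comm="winbindd" name="hosts" dev=dm-0 ino=12345 scontext=root:system_r:winbind_t tcontext=system_u:object_r:etc_t tclass=file
Jun  3 23:10:01 host kernel: audit(1212530401.124:46): avc:  denied  { search } for  pid=1234 comm="winbindd" name="lib" dev=dm-0 ino=2 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jun  3 23:10:02 host kernel: audit(1212530401.125:47): avc:  denied  { getattr } for  pid=1234 comm="winbindd" name="lib" dev=dm-0 ino=2 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jun  3 23:10:03 host kernel: audit(1212530401.126:48): avc:  denied  { write } for  pid=1234 comm="winbindd" name="smb.conf" dev=dm-0 ino=777 scontext=root:system_r:winbind_t tcontext=system_u:object_r:etc_t tclass=file
Jun  3 23:10:04 host kernel: audit(1212530401.127:49): avc:  granted  { read } for  pid=1234 comm="winbindd" scontext=root:system_r:winbind_t tcontext=system_u:object_r:proc_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} from denied AVC lines."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:          # "granted" records and unrelated lines are skipped
            continue
        stype = m.group("scon").split(":")[2]   # user:role:type -> type
        ttype = m.group("tcon").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)

def to_te(rules):
    """Render rules in the allow-statement syntax used in winbind_add.te."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        lines.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return "\n".join(lines)

# Assumed lists: generic types where granting write-like access makes a rule far
# broader than the one file that triggered the denial; review or relabel instead.
GENERIC_TYPES = {"etc_t", "var_lib_t", "var_t", "usr_t", "tmp_t"}
WRITE_LIKE = {"write", "create", "unlink", "rename", "append", "setattr"}

def review(rules):
    """Return rule keys whose permissions write to a generic system type."""
    return sorted(k for k, perms in rules.items()
                  if k[1] in GENERIC_TYPES and perms & WRITE_LIKE)
```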