Ross Walker
2010-May-26 00:52 UTC
[CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
On May 25, 2010, at 8:25 PM, Whit Blauvelt <whit at transpect.com> wrote:

> On Tue, May 25, 2010 at 07:55:12PM -0400, Whit Blauvelt wrote:
>> On Tue, May 25, 2010 at 04:33:53PM -0700, Jerry Franz wrote:
>>
>>> Are you running with SELinux on?
>
> You were right Jerry!
>
> echo 0 > /selinux/enforce
>
> and then /etc/init.d/smb restart works! Thank you much Jerry!
>
> Now why doesn't that fine piece of government work, selinux, do something
> standard and useful like log when it's instituting breakage?? I get that
> it's doing it "for your own good," but what good is it if it doesn't tell
> you what it's doing? The _first place_ I looked when we ran into this
> problem was the logs. Nada. Zilch.
>
> Programs that try to be smarter than the root user are annoying enough.
> Programs that do that and don't try to educate the root user while they're
> doing it are worse. There are standards for logging. Selinux is ignoring
> them. If it's going to be breaking stuff by default, and failing to log the
> breakage by default, that's not remotely good. Yet that's how CentOS
> installs it. Are we downstream of some Redhat brilliance here?

Selinux alerts are in /var/log/audit/audit.log

The problem is if smbd doesn't create the messages.tdb file then it won't
have the selinux rights. That file can be deleted and will be recreated on
smbd start, it's just a cache file.

-Ross
Whit Blauvelt
2010-May-26 01:44 UTC
[CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
On Tue, May 25, 2010 at 08:52:58PM -0400, Ross Walker wrote:
> Selinux alerts are in /var/log/audit/audit.log

Thank you for that. Cryptic, but there it is.

> The problem is if smbd doesn't create the messages.tdb file then it
> won't have the selinux rights.

I don't follow you. What else could have ever created the messages.tdb file?
These were virgin OS installs. Whatever's in /var/cache/samba, at the time
that smbd wouldn't run - which is right off the bat, or at least as soon as
it mattered to us, after our config was in place - is there only because
either the CentOS install, or samba itself in trying to start it from
/etc/init.d/smb, put it there. What else could have ever created
messages.tdb than smbd?

If selinux's real complaint is that it doesn't like the files in /etc/samba
being copied in from another system, that would make some sense - except
that I'm not finding any mention of any of those files in the audit logs.
And that still doesn't say why it starts having a problem with
/var/cache/samba/messages.tdb. Does it?

> That file can be deleted and will be recreated on smbd start, it's
> just a cache file.

So in theory if I'd nuked that file smbd would have been happy? Then why was
it also happy with "sh /etc/init.d/smb start" but not "/etc/init.d/smb
start"?

I'm happy to become more educated on this. But if invoking a major daemon
startup that selinux wants to block is as easy as that, selinux is window
dressing, not security. What am I missing about how that's anything like
useful?

Regards,
Whit
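Ross's pointer to /var/log/audit/audit.log is where the denial Whit could not find in the ordinary logs is recorded, as an AVC record rather than a syslog line. The shell snippet below is an added example, not code from either poster or from the CentOS or Samba projects: it pulls SELinux AVC denials for a named process out of audit-log lines and prints the permissions refused, the target object and the source and target SELinux types. The audit lines it runs against are constructed to resemble the denial smbd would hit on a mislabelled messages.tdb; they are not taken from this thread, and the PIDs, inode numbers and timestamps are made up. The source type column is the useful check for Whit's "sh" observation: a denial only shows up when the daemon was actually running in its confined domain (smbd_t), and a target type that is not what the policy expects for a file under /var/cache/samba is a labelling problem that restorecon on that path resets without deleting the file.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials for a
# given process name from audit.log-style lines.

# CONSTRUCTED sample of /var/log/audit/audit.log content, shaped like the
# smbd-on-messages.tdb denial discussed in the thread plus one unrelated
# httpd denial, so the filter has something to ignore.  Not real log data.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1274835000.123:456): avc:  denied  { read write } for  pid=1234 comm="smbd" name="messages.tdb" dev=dm-0 ino=12345 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1274835000.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=1234 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1274835010.500:457): avc:  denied  { write } for  pid=2222 comm="httpd" name="index.html" dev=dm-0 ino=999 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file'

# avc_denials COMM [FILE]
#   Reads audit records from FILE (default: stdin) and prints one line per
#   AVC denial whose comm= matches COMM, in the form
#     <source type> -> <target type> (<class> "<name>"): denied <perms>
#   SYSCALL and other record types are dropped because only AVC records carry
#   the scontext/tcontext pair we want to see.
avc_denials() {
    comm="$1"
    file="${2:-}"
    { if [ -n "$file" ]; then cat -- "$file"; else cat; fi; } \
        | grep 'type=AVC' \
        | grep "comm=\"$comm\"" \
        | sed -n 's/.*denied  { \([^}]*\) } for .*name="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\3 -> \4 (\5 "\2"): denied \1/p'
}

# Demonstration on the constructed sample: shows smbd, running confined as
# smbd_t, being refused read/write on a messages.tdb labelled var_t.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_denials smbd
```

Run the file as-is to see the sample output, or on a real CentOS 5 box run it as root with "avc_denials smbd /var/log/audit/audit.log" to read the live audit log; an empty result for a daemon that refused to start usually means it never ran in its confined domain (so nothing was denied) rather than that SELinux stayed silent.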