At 09:21 AM 5/5/2006, Yvon Dubinsky wrote:>I found in one of that man pages "man samba_selinux", you can just
>disable SE for samba. I am sure there are other ways also but this
>is what I have found so far. I tried to just open SE to samba but
>that has not worked as of yet. What does work is typing - "
>setsebool -P smbd_disable_trans 1" - this disables SE for just samba
>then restart samba with - "service smb restart". I have not found
a
>way to just pass samba through SE as of yet with out disabling SE
>for the samba demon.
I'm a little too stubborn for a quick fix like this, so I went the
route of adding the specific rules needed to allow SMB/Winbindd to
run without throwing AVC errors. I'm doing this on RHEL4 boxes,
which install with SElinux enforcing targeted by default -- this
allows me to leave SElinux active for its additional protections.
Doing it this way requires a little extra work, though...
First, you need to install the selinux-policy-targeted-sources
package, if not already installed.
When I build the RPMs from the source tarball, the first upgrade from
the default RHEL4 packages changes the tdb directory from
/var/cache/samba/ to /var/lib/samba/. This is accomplished by
creating /var/lib/samba/ -- Naturally, this royally mucks up the
SElinux labelings/permissions. So, immediately after the first
upgrade from RHEL4 samba packages, (before starting either smb or
winbind) I need to do the following:
chcon -Rt samba_var_t /var/lib/samba
mkdir /var/lib/samba/winbindd_privileged/
chcon -t winbind_var_run_t /var/lib/samba/winbindd_privileged/
Then, I drop the following file into the directory
/etc/selinux/targeted/src/policy/domains/misc/:
winbind_add.te:
----------------------------------------------------------
allow winbind_t etc_runtime_t:file read;
allow winbind_t proc_t:file read;
allow winbind_t etc_t:file write;
allow winbind_t samba_etc_t:file write;
allow winbind_t initrc_t:process { signal signull };
allow winbind_t initrc_var_run_t:file { lock read };
allow winbind_t var_lib_t:dir { search getattr };
allow winbind_t var_lib_t:dir search;
allow winbind_t samba_log_t:dir { create setattr };
allow winbind_t unconfined_t:fifo_file read;
allow winbind_t var_lib_t:dir search;
----------------------------------------------------------
This file is what I currently need to add to the default SElinux
configuration to get Samba 3.0.23pre1 to work. What is needed seems
to change with each new version of Samba... (The default SElinux
ruleset for 3.0.10-1.3E.6 can be found in
"/etc/selinux/targeted/src/policy/domains/program/winbind.te".)
Finally, after this "extra" policy file is in place, you should chdir
to "/etc/selinux/targeted/src/policy/", and run the following command:
make load
After this, you should be able to start/restart the smb & winbind
services without complaints.
Now, some might ask "How do you derive these additional rules?"
On a clean install, I install the packages, make the necessary mods,
and then set SElinux to non-enforcing:
setenforce 0
I then start "tail -f /var/log/messages > /tmp/samba_avc.log" in a
separate console.
Next, I start the smb & winbind services and get the running
properly. Running in non-enforcing mode allows all the error
messages to be generated in the logs, but the operations are allowed
to complete successfully. Once the services are running, I do a
couple user queries to prime the winbind system and have it sync with
the AD, etc. I then terminate the tail in the other console, and run
the following command:
audit2allow -i /tmp/samba_avc.log
This outputs (to stdout) the additional rules necessary to allow all
of the operations that generated AVC error messages in the log
excerpt. This should be what is necessary to get everything running
-- I copy these rules into the file I call winbind_add.te in
"/etc/selinux/targeted/src/domains/misc/", and run the "make
load"
command to force the system to reload the SElinux rules.
Finally, I can shut down the smb & winbind services, run "setenforce
1" to re-enable SElinux enforcing mode, and then restart smb &
winbind. If all goes well, this should not generate any AVC errors...
Hope this helps someone...
-D
Don Meyer <dlmeyer@uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services
"They that can give up essential liberty to obtain a little
temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759