Ok, thanks. But does this make sense given that we've been testing
successfully for more than eight months in development and staging? With
SELinux enabled.
Thoughts?
On Mon, Mar 8, 2021 at 3:32 PM Jeremy Allison <jra at samba.org> wrote:
> On Mon, Mar 08, 2021 at 03:24:23PM -0500, Robert Buck via samba wrote:
> >Hi Folks
> >
> >Just wanted to pass this by you to see if anyone else running on Red
> >Hat Enterprise Linux ran into this SELinux issue before. The issue is this
> >sort of message in syslog:
> >
> >*Mar 8 16:28:15 use1-samba-server-s01-use1-01 setroubleshoot[3060874]:
> >SELinux is preventing /usr/sbin/winbindd from sendto access on the
> >unix_dgram_socket /var/lib/samba/private/msg.sock/3060870. For complete
> >SELinux messages run: sealert -l a77de726-5087-4302-9cc2-5b663a849ef6*
> >
> >The solution, we think, may be to add this policy. But can someone confirm
> >this, or help me find a better solution?
> >
> >module winbindd_unix_dgram_socket 1.0;
> >
> >require {
> >	type unconfined_service_t;
> >	type winbind_t;
> >	class unix_dgram_socket sendto;
> >}
> >
> >#============= winbind_t ==============
> >allow winbind_t unconfined_service_t:unix_dgram_socket sendto;
> >
> >But I am a little confused with the *unconfined_service_t* type.
> >
> >Any opinions?
>
> All the Samba daemons use messaging sockets in
> /var/lib/samba/private/msg.sock/
> to communicate, so yes, SELinux is going to have to allow that.
>
> --
BOB BUCK
SENIOR PLATFORM SOFTWARE ENGINEER
SKIDMORE, OWINGS & MERRILL
7 WORLD TRADE CENTER
250 GREENWICH STREET
NEW YORK, NY 10007
T (212) 298-9624
ROBERT.BUCK at SOM.COM
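
An added example, not part of the original thread and not Samba or Red Hat code: it parses AVC denial records and derives a module of the same shape as the one quoted above, and it lists every rule whose target type is `unconfined_service_t`, meaning the process that owns the receiving socket runs in that generic domain instead of a Samba-specific one. The audit lines are constructed to match the syslog message in the thread; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original post), shaped like audit.log lines.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1615220895.101:901): avc:  denied  { sendto } for  pid=3060874 comm="winbindd" path="/var/lib/samba/private/msg.sock/3060870" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1615220896.202:902): avc:  denied  { sendto } for  pid=3060874 comm="winbindd" path="/var/lib/samba/private/msg.sock/3060870" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1615220896.202:902): arch=c000003e syscall=44 success=no exit=-13
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def selinux_type(context):
    """Return the type field of user:role:type:level (the level may contain ':')."""
    return context.split(':')[2]

def collect_rules(audit_text):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (e.g. SYSCALL) are skipped
            key = (selinux_type(m['s']), selinux_type(m['t']), m['cls'])
            rules[key].update(m['perms'].split())
    return dict(rules)

def render_module(name, rules):
    """Render a type-enforcement (.te) module covering the collected denials."""
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f'allow {s} {t}:{cls} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'

def unconfined_peers(rules):
    """Rules whose target is unconfined_service_t: the peer has no domain of its own."""
    return [k for k in rules if k[1] == 'unconfined_service_t']
```

On the affected host, `ps -eZ` shows which running process currently carries the `unconfined_service_t` label.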