On 3/8/21 5:15 PM, Robert Buck via samba wrote:
> Ok, thanks. But does this make sense given that we've been testing
> successfully for more than eight months in development and staging? With
> selinux enabled.
Unless you have changed some files contexts manually (chcon) you should
try doing an autorelabel of the entire filesystem, the easiest way is to
do 'touch /.autorelabel' and reboot
https://wiki.centos.org/HowTos/SELinux#Relabel_Complete_Filesystem.
You can do the autorelabel too if you remember your chcon
customizations. If you have done it I recommend you use semanage
https://wiki.centos.org/HowTos/SELinux#Relabeling_Files.
You can use restorecon too:
https://wiki.centos.org/HowTos/SELinux#Restore_Default_Security_Contexts
If you are using the RHEL provided Samba packages and their provided
policy, after relabeling just to discard something wrong in your
labeling, I recommend you report it as a bug to Red Hat, because the
policy and their provided package should work fine.
Your problem could be some lingering socket file or directory inside
/var/lib/samba that could have the wrong context (maybe it was run for a
time without SELinux disabled, or ran a test with another Samba compiled
outside PREFIX=/usr and that generated files without the proper context).
Relabeling should fix that if that is the problem.
>
> Thoughts?
>
> On Mon, Mar 8, 2021 at 3:32 PM Jeremy Allison <jra at samba.org> wrote:
>
>> On Mon, Mar 08, 2021 at 03:24:23PM -0500, Robert Buck via samba wrote:
>>> Hi Folks
>>>
>>> Just wanted to pass this by you to see if anyone else running on Red
>>> Hat Enterprise Linux ran into this SELinux issue before. The issue is this
>>> sort of message in syslog:
>>>
>>> Mar 8 16:28:15 use1-samba-server-s01-use1-01 setroubleshoot[3060874]:
>>> SELinux is preventing /usr/sbin/winbindd from sendto access on the
>>> unix_dgram_socket /var/lib/samba/private/msg.sock/3060870. For complete
>>> SELinux messages run: sealert -l a77de726-5087-4302-9cc2-5b663a849ef6
>>>
>>> The solution, we think, may be to add this policy. But can someone confirm
>>> this, or help me find a better solution?
>>>
>>>
>>> module winbindd_unix_dgram_socket 1.0;
>>>
>>> require {
>>>     type unconfined_service_t;
>>>     type winbind_t;
>>>     class unix_dgram_socket sendto;
>>> }
>>>
>>> #============= winbind_t ==============
>>> allow winbind_t unconfined_service_t:unix_dgram_socket sendto;
>>>
>>> But I am a little confused with the unconfined_service_t type.
>>>
>>> Any opinions?
>>
>> All the Samba daemons use messaging sockets in
>> /var/lib/samba/private/msg.sock/
>> to communicate, so yes, SELinux is going to have to allow that.
>>
>> --
>
> BOB BUCK
> SENIOR PLATFORM SOFTWARE ENGINEER
>
> SKIDMORE, OWINGS & MERRILL
> 7 WORLD TRADE CENTER
> 250 GREENWICH STREET
> NEW YORK, NY 10007
> T (212) 298-9624
> ROBERT.BUCK at SOM.COM
>
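A small triage helper, added here and not part of the thread, that applies the advice above: it parses the setroubleshoot line and the audit2allow-style module quoted in the thread, and flags an allow rule whose target is unconfined_service_t as a labeling problem to check with restorecon rather than a policy gap to open up. The list of "mislabel indicator" types is an assumption of ours, not an SELinux project rule.

```python
import os.path
import re

# Constructed sample input, copied from the thread: the setroubleshoot line and the
# audit2allow-style module the original poster was considering adding.
SETROUBLESHOOT_LINE = (
    "Mar 8 16:28:15 use1-samba-server-s01-use1-01 setroubleshoot[3060874]: SELinux is "
    "preventing /usr/sbin/winbindd from sendto access on the unix_dgram_socket "
    "/var/lib/samba/private/msg.sock/3060870. For complete SELinux messages run: "
    "sealert -l a77de726-5087-4302-9cc2-5b663a849ef6")
TE_MODULE = """module winbindd_unix_dgram_socket 1.0;
require { type unconfined_service_t; type winbind_t; class unix_dgram_socket sendto; }
#============= winbind_t ==============
allow winbind_t unconfined_service_t:unix_dgram_socket sendto;
"""

DENIAL_RE = re.compile(r"SELinux is preventing (?P<src>\S+) from (?P<perm>\S+) access "
                       r"on the (?P<cls>\S+) (?P<path>\S+?)\.? For complete")
ALLOW_RE = re.compile(r"^allow\s+(?P<sdom>\w+)\s+(?P<ttype>\w+):(?P<cls>\w+)\s+"
                      r"(?P<perms>\{[^}]*\}|\w+)\s*;", re.M)
# Target types a confined daemon should never need to reach. When audit2allow proposes
# opening one of these, the object is almost certainly carrying the wrong label, so the
# fix is a relabel, not a new rule. (Assumption: this heuristic list is ours.)
MISLABEL_INDICATORS = {"unconfined_service_t", "unconfined_t", "init_t",
                       "unlabeled_t", "default_t"}

def parse_denial(line):
    """Pull source binary, permission, class and target path out of a setroubleshoot line."""
    m = DENIAL_RE.search(line)
    return m.groupdict() if m else None

def triage_allow_rules(te_text):
    """Classify each allow rule: 'relabel' if it targets a mislabel indicator, else 'review'."""
    out = []
    for m in ALLOW_RE.finditer(te_text):
        verdict = "relabel" if m["ttype"] in MISLABEL_INDICATORS else "review"
        out.append({"source": m["sdom"], "target": m["ttype"],
                    "class": m["cls"], "verdict": verdict})
    return out

def recommend(line, te_text):
    """Tie the denial to the proposed rules and return the safer next step."""
    denial, rules = parse_denial(line), triage_allow_rules(te_text)
    if denial is None or not rules:
        return {"action": "review", "path": None, "command": None}
    if all(r["verdict"] == "relabel" for r in rules):
        # Dry-run restorecon (-n) on the containing directory lists every file whose
        # label differs from policy without changing anything; drop -n to relabel.
        parent = os.path.dirname(denial["path"])
        return {"action": "relabel", "path": denial["path"],
                "command": f"restorecon -nRv {parent}"}
    return {"action": "review", "path": denial["path"], "command": None}
```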