LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   Samba and SELinux issue on a Fedora 9 box. (http://www.linuxquestions.org/questions/linux-server-73/samba-and-selinux-issue-on-a-fedora-9-box-664418/)

algogeek 08-21-2008 03:03 PM

Samba and SELinux issue on a Fedora 9 box.
 
Hi friends,

I have a server on my network running samba and I want this to share /samba/ftp/ on my network as a read write folder.

The server is running Fedora 9 with SELinux in enforcing mode. I've allowed all Samba ports through the firewall and changed the permissions of the directories by: chmod o+rw /samba and chmod o+rw /samba/ftp/

However, when I'm trying to connect to this folder through my network by doing ftp://<server-ip> the page shows that it has failed to connect. Also, from Windows Vista machines on my network as well, the connection fails.

Other linux systems on the network have the same problems, none can connect. However, from the server, doing ftp://<server_name> shows a directory index which is empty but should not be since I did manually put some files in the folder to ensure that the setup was ok.

I've checked the permissions of the folder by writing to it as different non root users and it's ok. I've also labeled the folders to be shared as samba_share_t.

Connecting from all the machines on the network fails, while connecting from the server itself using the server name works - but only through firefox. Using the ip address of the server does not work.

Here's my smb.conf:

Code:

        workgroup = WORKGROUP
        server string = Samba Server Version %v

;      netbios name = MYSERVER

        interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;      hosts allow = 127. 192.168.12. 192.168.13. 192.168.1.
...
...
...
[ftp]
        path = /samba/ftp
        writeable = yes
;      browseable = yes
        guest ok = yes

Ideas?

mjmwired 08-21-2008 10:12 PM

Did you check any of your logs for potential clues? (/var/log/messages, /var/log/samba)

billymayday 08-21-2008 11:04 PM

First step is to rule SELinux out. Try "setenforce 0" and see if you can connect. If you can it's an SELinux issue, it you can't, it's not.

setenforce 1 to turn it back on

algogeek 08-22-2008 04:50 AM

My log.smbd file shows:
Quote:

[2008/08/22 15:15:21, 0] printing/print_cups.c:cups_connect(68)
Unable to connect to CUPS server localhost:631 - Connection refused
[2008/08/22 15:15:21, 0] printing/print_cups.c:cups_connect(68)
Unable to connect to CUPS server localhost:631 - Connection refused

And here's log.nmbd:

Quote:

[2008/08/22 15:16:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(172)
Error - should be sent to WINS server
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(171)
process_name_refresh_request: unicast name registration request received for name ASHESH-PC<20> from IP 192.168.1.10 on subnet UNICAST_SUBNET.
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(172)
Error - should be sent to WINS server
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(171)
process_name_refresh_request: unicast name registration request received for name ASHESH-PC<00> from IP 192.168.1.10 on subnet UNICAST_SUBNET.
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(172)
Error - should be sent to WINS server
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(171)
process_name_refresh_request: unicast name registration request received for name WORKGROUP<00> from IP 192.168.1.10 on subnet UNICAST_SUBNET.
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(172)
Error - should be sent to WINS server
But I don't want to run CUPS or anything. I just want a simple ftp server to which my network users can have file access.

But this does not explain why I'm unable to access the folder. There are no messages about permissions being denied to samba for the folders it wants access to. I tried with SELinux off by setenforce 0 but it still didn't work.
Can anyone please tell me whats going on here?

PS - Now my windows machines can see the server on the network, but I'm getting SELinux alerts:
Code:

Summary:

SELinux is preventing smbd (smbd_t) "signal" to <Unknown> (unconfined_t).

Detailed Description:

SELinux denied access requested by smbd. It is not expected that this access is
required by smbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:smbd_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        smbd
Source Path                  /usr/sbin/smbd
Port                          <Unknown>
Host                          india
Source RPM Packages          samba-3.2.0-2.17.fc9
Target RPM Packages         
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled              True
Policy Type                  targeted
MLS Enabled                  True
Enforcing Mode                Enforcing
Plugin Name                  catchall
Host Name                    india
Platform                      Linux india 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
                              4 14:08:11 EDT 2008 i686 i686
Alert Count                  8
First Seen                    Fri 22 Aug 2008 03:25:48 PM IST
Last Seen                    Fri 22 Aug 2008 03:26:38 PM IST
Local ID                      9a90ecee-d593-43bc-b417-d37f331483d3
Line Numbers                 

Raw Audit Messages           

host=india type=AVC msg=audit(1219398998.563:53): avc:  denied  { signal } for  pid=3338 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=india type=SYSCALL msg=audit(1219398998.563:53): arch=40000003 syscall=37 success=no exit=-13 a0=d0e a1=a a2=b7f77ff4 a3=0 items=0 ppid=1 pid=3338 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)

Making changes to the samba configuration via the GUI also triggers these AVC denials:
Code:

Summary:

SELinux is preventing the nmbd from using potentially mislabeled files
(/home/ashesh/.xsession-errors).

Detailed Description:

SELinux has denied nmbd access to potentially mislabeled file(s)
(/home/ashesh/.xsession-errors). This means that SELinux will not allow nmbd to
use these files. It is common for users to edit files in their home directory or
tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Allowing Access:

If you want nmbd to access this files, you need to relabel them using restorecon
-v '/home/ashesh/.xsession-errors'. You might want to relabel the entire
directory using restorecon -R -v '/home/ashesh'.

Additional Information:

Source Context                unconfined_u:system_r:nmbd_t:s0
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/ashesh/.xsession-errors [ file ]
Source                        nmbd
Source Path                  /usr/sbin/nmbd
Port                          <Unknown>
Host                          india
Source RPM Packages          samba-3.2.0-2.17.fc9
Target RPM Packages         
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled              True
Policy Type                  targeted
MLS Enabled                  True
Enforcing Mode                Enforcing
Plugin Name                  home_tmp_bad_labels
Host Name                    india
Platform                      Linux india 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
                              4 14:08:11 EDT 2008 i686 i686
Alert Count                  13
First Seen                    Tue 19 Aug 2008 09:28:35 AM IST
Last Seen                    Fri 22 Aug 2008 03:33:03 PM IST
Local ID                      be204866-0293-47e7-a2f5-b4df5fe16093
Line Numbers                 

Raw Audit Messages           

host=india type=AVC msg=audit(1219399383.70:63): avc:  denied  { append } for  pid=3600 comm="nmbd" path="/home/ashesh/.xsession-errors" dev=dm-0 ino=141271 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file

host=india type=SYSCALL msg=audit(1219399383.70:63): arch=40000003 syscall=11 success=yes exit=0 a0=83e69d0 a1=83e6840 a2=83e6d10 a3=0 items=0 ppid=3599 pid=3600 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)


billymayday 08-22-2008 05:01 AM

Can you post the full config?

algogeek 08-22-2008 06:54 AM

Code:

#======================= Global Settings =====================================

[global]

# ----------------------- Netwrok Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#
        workgroup = workgroup
        server string = Samba Server Version %v

;        netbios name = MYSERVER

        interfaces = lo eth0
;        hosts allow = 127 192.168.1.

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

        # logs split per machine
        log file = /var/log/samba/log.%m
        # max 50KB per log file, then rotate
        max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# Scurity can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

        security = server
        passdb backend = tdbsam


# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#  password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#  password server = *


;        realm = MY_REALM

;        password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#

;        domain master = yes
;        domain logons = yes

        # the login script name depends on the machine name
;        logon script = %m.bat
        # the login script name depends on the unix user used
;        logon script = %u.bat
;        logon path = \\%L\Profiles\%u
        # disables profiles support by specifing an empty path
;        logon path =         

;        add user script = /usr/sbin/useradd "%u" -n -g users
;        add group script = /usr/sbin/groupadd "%g"
;        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;        delete user script = /usr/sbin/userdel "%u"
;        delete user from group script = /usr/sbin/userdel "%u" "%g"
;        delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;        local master = no
;        os level = 33
;        preferred master = yes

#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#  behalf of a non WINS capable client, for this to work there must be
#  at least one        WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

;        wins support = yes
;        wins server = w.x.y.z
;        wins proxy = yes

;        dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option

;        load printers = yes
        cups options = raw

;        printcap name = /etc/printcap
        #obtain list of printers automatically on SystemV
;        printcap name = lpstat
;        printing = cups

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;        map archive = no
;        map hidden = no
;        map read only = no
;        map system = no
;        encrypt passwords = yes
;        guest ok = no
;        guest account = nobody
        password server = india
;        store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
;        valid users = %S
;        valid users = MYDOMAIN\%S

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
;        guest ok = no
;        writable = No
        printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
;        [netlogon]
;        comment = Network Logon Service
;        path = /var/lib/samba/netlogon
;        guest ok = yes
;        writable = no
;        share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;        [Profiles]
;        path = /var/lib/samba/profiles
;        browseable = no
;        guest ok = yes


# A publicly accessible directory, but read only, except for people in
# the "staff" group
;        [public]
;        comment = Public Stuff
;        path = /home/samba
;        public = yes
;        writable = yes
;        printable = no
;        write list = +staff

[ftp]
        path = /samba/ftp
        writeable = yes
;        browseable = yes
        guest ok = yes


algogeek 08-23-2008 11:42 AM

Huh? .

algogeek 08-23-2008 12:33 PM

Yet another AVC Denial:
Code:


Summary:

SELinux is preventing smbd (smbd_t) "signal" to <Unknown> (nmbd_t).

Detailed Description:

SELinux denied access requested by smbd. It is not expected that this access is
required by smbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:system_r:nmbd_t:s0
Target Objects                None [ process ]
Source                        smbd
Source Path                  /usr/sbin/smbd
Port                          <Unknown>
Host                          india
Source RPM Packages          samba-3.2.0-2.17.fc9
Target RPM Packages         
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled              True
Policy Type                  targeted
MLS Enabled                  True
Enforcing Mode                Enforcing
Plugin Name                  catchall
Host Name                    india
Platform                      Linux india 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
                              4 14:08:11 EDT 2008 i686 i686
Alert Count                  4
First Seen                    Sat 23 Aug 2008 10:12:28 PM IST
Last Seen                    Sat 23 Aug 2008 10:12:41 PM IST
Local ID                      85e3e46d-b888-49eb-b2b9-30fa154a548c
Line Numbers                 

Raw Audit Messages           

host=india type=AVC msg=audit(1219509761.32:161): avc:  denied  { signal } for  pid=2423 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=process

host=india type=SYSCALL msg=audit(1219509761.32:161): arch=40000003 syscall=37 success=no exit=-13 a0=96f a1=a a2=b7f3cff4 a3=0 items=0 ppid=1 pid=2423 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)


algogeek 09-07-2008 10:54 AM

Can anyone please clarify?

unSpawn 09-07-2008 01:01 PM

Quote:

Originally Posted by algogeek (Post 3272435)
Can anyone please clarify?

Exactly what is says under "Allowing Access":
- You can generate a local policy module to allow this access
- You can disable SELinux which is not recommended.
* And you should file a bug report against this package.

For allowing acces you just follow what's outlined for generating a local policy module.
Just try it. If it doesn't work tell us what you did and what happened.


All times are GMT -5. The time now is 05:47 AM.