LinuxQuestions.org
07-22-2008, 04:01 AM   #1
WorldIsNotFair
Member
 
Registered: Jun 2008
Location: Jakarta
Distribution: CentOS 5
Posts: 89

Rep: Reputation: 17
samba pdc selinux problem "rename" %m.log


OS = RHEL 5.1
Samba v3.0.25b-0.el5.4

Every time a user logs out / logs in, this SELinux warning happens.

SELinux troubleshooter summary

selinux is preventing samba (/usr/sbin/smbd) "rename" win2003.log (samba_log_t)

SMB.conf

workgroup = HeinzCORP
server string = Samba PDC Version %v
netbios name = Server120
encrypt passwords = yes
log file = /var/log/samba/%m.log <-- problem ?
max log size = 50
passwd program = /usr/bin/passwd %u
passwd chat = *NEW*UNIX*PASSWORD* %n\n *RETYPE*New*UNIX*Password* %n\n
log level = 2
unix password sync = yes
logon script = %U.bat
logon path = \\%L\profiles\%a\%U
logon drive = N:
logon home = \\%L\%U\Win-profile
domain logons = yes
os level = 65
prefered master = yes
domain master = yes
wins support = yes
hosts allow = 192.168.0.

This is getsebool grep samba

samba_domain_controller --> on
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on
samba_share_nfs --> off
use_samba_home_dirs --> off


So brotha, please give me a hand on this ...
How is the practice in the real world?
 
07-23-2008, 01:49 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,990
Blog Entries: 54

Rep: Reputation: 2743
Quote:
Originally Posted by WorldIsNotFair
selinux is preventing samba (/usr/sbin/smbd) "rename" win2003.log (samba_log_t)
Below that message is a line with the original access vector cache (AVC) warning from /var/log/audit/audit.log (or /var/log/messages if you don't run Auditd). If you echo that line and pipe it through 'audit2allow' you should get a rule something like "allow smbd_t samba_log_t:file rename;". You can add this rule to your local policy module. If that does not work then you can disable SELinux protection for Samba by setting 'setsebool -P smbd_disable_trans 1' and restarting Samba. Again, this disables SELinux protection for Samba, and given the fact that Samba doesn't have a spotless past with respect to vulnerabilities, you should at the same time beef up your auditing and security and submit a ticket to Red Hat's bug tracker.
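
The derivation described in the reply above, from an AVC line to an allow rule, as an added Python example (not code from the thread, and not audit2allow itself). The audit.log lines are constructed samples; the `unlink` denial is a hypothetical follow-up denial, not one reported in the thread.

```python
import re
from collections import defaultdict

# Constructed sample audit.log content (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1216717260.101:410): avc:  denied  { rename } for  pid=2345 comm="smbd" name="win2003.log" dev=sda2 ino=98311 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=file
type=SYSCALL msg=audit(1216717260.101:410): arch=40000003 syscall=38 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1216717260.105:411): avc:  denied  { unlink } for  pid=2345 comm="smbd" name="win2003.log.old" dev=sda2 ino=98312 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=file
"""

# Fields of an AVC denial that determine the rule: permissions, source
# context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Merge AVC denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other non-denial lines
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        merged[key].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        perms = sorted(perms)
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_txt};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Read each generated rule before putting it in a local policy module: it grants exactly what was denied to every process running in the source domain, which is a much narrower change than turning off the Samba transition with the boolean.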
 
07-23-2008, 09:15 PM   #3
WorldIsNotFair
Member
 
Registered: Jun 2008
Location: Jakarta
Distribution: CentOS 5
Posts: 89

Original Poster
Rep: Reputation: 17
Thanks bro unSpawn,

I think disabling Samba from SELinux is the best now (I get another denial further now ..)

I should send Red Hat Inc. a ticket about this.

Really appreciate the comment bro ...
 
  


All times are GMT -5.