LinuxQuestions.org


algogeek 08-21-2008 03:03 PM

Samba and SELinux issue on a Fedora 9 box.
 
Hi friends,

I have a server on my network running samba and I want this to share /samba/ftp/ on my network as a read write folder.

The server is running Fedora 9 with SELinux in enforcing mode. I've allowed all Samba ports through the firewall and changed the permissions of the directories by: chmod o+rw /samba and chmod o+rw /samba/ftp/

However, when I'm trying to connect to this folder through my network by doing ftp://<server-ip> the page shows that it has failed to connect. Also, from Windows Vista machines on my network as well, the connection fails.

Other Linux systems on the network have the same problems, none can connect. However, from the server, doing ftp://<server_name> shows a directory index which is empty but should not be since I did manually put some files in the folder to ensure that the setup was ok.

I've checked the permissions of the folder by writing to it as different non root users and it's ok. I've also labeled the folders to be shared as samba_share_t.

Connecting from all the machines on the network fails, while connecting from the server itself using the server name works - but only through Firefox. Using the IP address of the server does not work.

Here's my smb.conf:

Code:

        workgroup = WORKGROUP
        server string = Samba Server Version %v

;      netbios name = MYSERVER

        interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;      hosts allow = 127. 192.168.12. 192.168.13. 192.168.1.
...
...
...
[ftp]
        path = /samba/ftp
        writeable = yes
;      browseable = yes
        guest ok = yes

Ideas?

mjmwired 08-21-2008 10:12 PM

Did you check any of your logs for potential clues? (/var/log/messages, /var/log/samba)

billymayday 08-21-2008 11:04 PM

First step is to rule SELinux out. Try "setenforce 0" and see if you can connect. If you can, it's an SELinux issue; if you can't, it's not.

setenforce 1 to turn it back on

algogeek 08-22-2008 04:50 AM

My log.smbd file shows:
Quote:

[2008/08/22 15:15:21, 0] printing/print_cups.c:cups_connect(68)
Unable to connect to CUPS server localhost:631 - Connection refused
[2008/08/22 15:15:21, 0] printing/print_cups.c:cups_connect(68)
Unable to connect to CUPS server localhost:631 - Connection refused

And here's log.nmbd:

Quote:

[2008/08/22 15:16:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(172)
Error - should be sent to WINS server
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(171)
process_name_refresh_request: unicast name registration request received for name ASHESH-PC<20> from IP 192.168.1.10 on subnet UNICAST_SUBNET.
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(172)
Error - should be sent to WINS server
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(171)
process_name_refresh_request: unicast name registration request received for name ASHESH-PC<00> from IP 192.168.1.10 on subnet UNICAST_SUBNET.
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(172)
Error - should be sent to WINS server
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(171)
process_name_refresh_request: unicast name registration request received for name WORKGROUP<00> from IP 192.168.1.10 on subnet UNICAST_SUBNET.
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(172)
Error - should be sent to WINS server

But I don't want to run CUPS or anything. I just want a simple ftp server to which my network users can have file access.

But this does not explain why I'm unable to access the folder. There are no messages about permissions being denied to samba for the folders it wants access to. I tried with SELinux off by setenforce 0 but it still didn't work.
Can anyone please tell me what's going on here?

PS - Now my Windows machines can see the server on the network, but I'm getting SELinux alerts:
Code:

Summary:

SELinux is preventing smbd (smbd_t) "signal" to <Unknown> (unconfined_t).

Detailed Description:

SELinux denied access requested by smbd. It is not expected that this access is
required by smbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:smbd_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        smbd
Source Path                  /usr/sbin/smbd
Port                          <Unknown>
Host                          india
Source RPM Packages          samba-3.2.0-2.17.fc9
Target RPM Packages         
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled              True
Policy Type                  targeted
MLS Enabled                  True
Enforcing Mode                Enforcing
Plugin Name                  catchall
Host Name                    india
Platform                      Linux india 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
                              4 14:08:11 EDT 2008 i686 i686
Alert Count                  8
First Seen                    Fri 22 Aug 2008 03:25:48 PM IST
Last Seen                    Fri 22 Aug 2008 03:26:38 PM IST
Local ID                      9a90ecee-d593-43bc-b417-d37f331483d3
Line Numbers                 

Raw Audit Messages           

host=india type=AVC msg=audit(1219398998.563:53): avc:  denied  { signal } for  pid=3338 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=india type=SYSCALL msg=audit(1219398998.563:53): arch=40000003 syscall=37 success=no exit=-13 a0=d0e a1=a a2=b7f77ff4 a3=0 items=0 ppid=1 pid=3338 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)

Making changes to the samba configuration via the GUI also triggers these AVC denials:
Code:

Summary:

SELinux is preventing the nmbd from using potentially mislabeled files
(/home/ashesh/.xsession-errors).

Detailed Description:

SELinux has denied nmbd access to potentially mislabeled file(s)
(/home/ashesh/.xsession-errors). This means that SELinux will not allow nmbd to
use these files. It is common for users to edit files in their home directory or
tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Allowing Access:

If you want nmbd to access this files, you need to relabel them using restorecon
-v '/home/ashesh/.xsession-errors'. You might want to relabel the entire
directory using restorecon -R -v '/home/ashesh'.

Additional Information:

Source Context                unconfined_u:system_r:nmbd_t:s0
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/ashesh/.xsession-errors [ file ]
Source                        nmbd
Source Path                  /usr/sbin/nmbd
Port                          <Unknown>
Host                          india
Source RPM Packages          samba-3.2.0-2.17.fc9
Target RPM Packages         
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled              True
Policy Type                  targeted
MLS Enabled                  True
Enforcing Mode                Enforcing
Plugin Name                  home_tmp_bad_labels
Host Name                    india
Platform                      Linux india 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
                              4 14:08:11 EDT 2008 i686 i686
Alert Count                  13
First Seen                    Tue 19 Aug 2008 09:28:35 AM IST
Last Seen                    Fri 22 Aug 2008 03:33:03 PM IST
Local ID                      be204866-0293-47e7-a2f5-b4df5fe16093
Line Numbers                 

Raw Audit Messages           

host=india type=AVC msg=audit(1219399383.70:63): avc:  denied  { append } for  pid=3600 comm="nmbd" path="/home/ashesh/.xsession-errors" dev=dm-0 ino=141271 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file

host=india type=SYSCALL msg=audit(1219399383.70:63): arch=40000003 syscall=11 success=yes exit=0 a0=83e69d0 a1=83e6840 a2=83e6d10 a3=0 items=0 ppid=3599 pid=3600 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)


billymayday 08-22-2008 05:01 AM

Can you post the full config?

algogeek 08-22-2008 06:54 AM

Code:

#======================= Global Settings =====================================

[global]

# ----------------------- Netwrok Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#
        workgroup = workgroup
        server string = Samba Server Version %v

;        netbios name = MYSERVER

        interfaces = lo eth0
;        hosts allow = 127 192.168.1.

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

        # logs split per machine
        log file = /var/log/samba/log.%m
        # max 50KB per log file, then rotate
        max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# Scurity can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

        security = server
        passdb backend = tdbsam


# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#  password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#  password server = *


;        realm = MY_REALM

;        password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#

;        domain master = yes
;        domain logons = yes

        # the login script name depends on the machine name
;        logon script = %m.bat
        # the login script name depends on the unix user used
;        logon script = %u.bat
;        logon path = \\%L\Profiles\%u
        # disables profiles support by specifing an empty path
;        logon path =         

;        add user script = /usr/sbin/useradd "%u" -n -g users
;        add group script = /usr/sbin/groupadd "%g"
;        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;        delete user script = /usr/sbin/userdel "%u"
;        delete user from group script = /usr/sbin/userdel "%u" "%g"
;        delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;        local master = no
;        os level = 33
;        preferred master = yes

#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#  behalf of a non WINS capable client, for this to work there must be
#  at least one        WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

;        wins support = yes
;        wins server = w.x.y.z
;        wins proxy = yes

;        dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option

;        load printers = yes
        cups options = raw

;        printcap name = /etc/printcap
        #obtain list of printers automatically on SystemV
;        printcap name = lpstat
;        printing = cups

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;        map archive = no
;        map hidden = no
;        map read only = no
;        map system = no
;        encrypt passwords = yes
;        guest ok = no
;        guest account = nobody
        password server = india
;        store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
;        valid users = %S
;        valid users = MYDOMAIN\%S

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
;        guest ok = no
;        writable = No
        printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
;        [netlogon]
;        comment = Network Logon Service
;        path = /var/lib/samba/netlogon
;        guest ok = yes
;        writable = no
;        share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;        [Profiles]
;        path = /var/lib/samba/profiles
;        browseable = no
;        guest ok = yes


# A publicly accessible directory, but read only, except for people in
# the "staff" group
;        [public]
;        comment = Public Stuff
;        path = /home/samba
;        public = yes
;        writable = yes
;        printable = no
;        write list = +staff

[ftp]
        path = /samba/ftp
        writeable = yes
;        browseable = yes
        guest ok = yes


algogeek 08-23-2008 11:42 AM

Huh? .

algogeek 08-23-2008 12:33 PM

Yet another AVC Denial:
Code:


Summary:

SELinux is preventing smbd (smbd_t) "signal" to <Unknown> (nmbd_t).

Detailed Description:

SELinux denied access requested by smbd. It is not expected that this access is
required by smbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:smbd_t:s0
Target Context                system_u:system_r:nmbd_t:s0
Target Objects                None [ process ]
Source                        smbd
Source Path                  /usr/sbin/smbd
Port                          <Unknown>
Host                          india
Source RPM Packages          samba-3.2.0-2.17.fc9
Target RPM Packages         
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled              True
Policy Type                  targeted
MLS Enabled                  True
Enforcing Mode                Enforcing
Plugin Name                  catchall
Host Name                    india
Platform                      Linux india 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
                              4 14:08:11 EDT 2008 i686 i686
Alert Count                  4
First Seen                    Sat 23 Aug 2008 10:12:28 PM IST
Last Seen                    Sat 23 Aug 2008 10:12:41 PM IST
Local ID                      85e3e46d-b888-49eb-b2b9-30fa154a548c
Line Numbers                 

Raw Audit Messages           

host=india type=AVC msg=audit(1219509761.32:161): avc:  denied  { signal } for  pid=2423 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=process

host=india type=SYSCALL msg=audit(1219509761.32:161): arch=40000003 syscall=37 success=no exit=-13 a0=96f a1=a a2=b7f3cff4 a3=0 items=0 ppid=1 pid=2423 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)


algogeek 09-07-2008 10:54 AM

Can anyone please clarify?

unSpawn 09-07-2008 01:01 PM

Quote:

Originally Posted by algogeek (Post 3272435)
Can anyone please clarify?

Exactly what it says under "Allowing Access":
- You can generate a local policy module to allow this access
- You can disable SELinux which is not recommended.
* And you should file a bug report against this package.

For allowing access you just follow what's outlined for generating a local policy module.
Just try it. If it doesn't work tell us what you did and what happened.
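Added example, not part of any post in this thread: a Python sketch that turns the three raw AVC records quoted above into the type-enforcement source a local policy module would contain, so each rule can be read before anything is loaded. The module name `local_samba` and the `EXPECTED_TARGETS` set are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample input: the three raw AVC records quoted in this thread.
SAMPLE_AUDIT = """\
host=india type=AVC msg=audit(1219398998.563:53): avc:  denied  { signal } for  pid=3338 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=india type=AVC msg=audit(1219399383.70:63): avc:  denied  { append } for  pid=3600 comm="nmbd" path="/home/ashesh/.xsession-errors" dev=dm-0 ino=141271 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
host=india type=AVC msg=audit(1219509761.32:161): avc:  denied  { signal } for  pid=2423 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

# Assumption for this example: targets a Samba daemon is expected to touch.
EXPECTED_TARGETS = {"smbd_t", "nmbd_t", "samba_share_t"}


def parse_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        if "type=AVC" not in line:      # skip SYSCALL and other record types
            continue
        m = AVC_RE.search(line)
        if m:
            # A context is user:role:type:level; the policy rule uses the type.
            src = m.group("src").split(":")[2]
            tgt = m.group("tgt").split(":")[2]
            rules[(src, tgt, m.group("cls"))].update(m.group("perms").split())
    return dict(rules)


def _perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(rules):
    """One deduplicated allow statement per (source, target, class)."""
    return [f"allow {s} {t}:{c} {_perms(p)};" for (s, t, c), p in sorted(rules.items())]


def needs_review(rules, expected=EXPECTED_TARGETS):
    """Rules that would widen a daemon's reach beyond the expected targets."""
    return allow_rules({k: v for k, v in rules.items() if k[1] not in expected})


def render_module(name, rules):
    """Type-enforcement source (.te) for a local policy module."""
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT)
    print(render_module("local_samba", denials))
    print("review before loading:", *needs_review(denials), sep="\n  ")
```

On a real system `audit2allow -M` generates and compiles such a module from the audit log, and `semodule -i` loads the resulting `.pp` file. Of the three rules here, only `smbd_t` signalling `nmbd_t` stays inside the Samba domains; the other two reach `unconfined_t` and `user_home_t`, so they are listed for review rather than accepted as-is.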

