Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103
Rep:
Samba and SELinux issue on a Fedora 9 box.
Hi friends,
I have a server on my network running samba and I want this to share /samba/ftp/ on my network as a read write folder.
The server is running Fedora 9 with SELinux in enforcing mode. I've allowed all Samba ports through the firewall and changed the permissions of the directories by: chmod o+rw /samba and chmod o+rw /samba/ftp/
However, when I'm trying to connect to this folder through my network by doing ftp://<server-ip> the page shows that it has failed to connect. Also, from Windows Vista machines on my network as well, the connection fails.
Other linux systems on the network have the same problems, none can connect. However, from the server, doing ftp://<server_name> shows a directory index which is empty but should not be since I did manually put some files in the folder to ensure that the setup was ok.
I've checked the permissions of the folder by writing to it as different non root users and it's ok. I've also labeled the folders to be shared as samba_share_t.
Connecting from all the machines on the network fails, while connecting from the server itself using the server name works - but only through firefox. Using the ip address of the server does not work.
Here's my smb.conf:
Code:
workgroup = WORKGROUP
server string = Samba Server Version %v
; netbios name = MYSERVER
interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13. 192.168.1.
...
...
...
[ftp]
path = /samba/ftp
writeable = yes
; browseable = yes
guest ok = yes
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103
Original Poster
Rep:
My log.smbd file shows:
Quote:
[2008/08/22 15:15:21, 0] printing/print_cups.c:cups_connect(68)
Unable to connect to CUPS server localhost:631 - Connection refused
[2008/08/22 15:15:21, 0] printing/print_cups.c:cups_connect(68)
Unable to connect to CUPS server localhost:631 - Connection refused
And here's log.nmbd:
Quote:
[2008/08/22 15:16:44, 0] nmbd/nmbd_incomingrequests.crocess_name_refresh_request(172)
Error - should be sent to WINS server
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.crocess_name_refresh_request(171)
process_name_refresh_request: unicast name registration request received for name ASHESH-PC<20> from IP 192.168.1.10 on subnet UNICAST_SUBNET.
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.crocess_name_refresh_request(172)
Error - should be sent to WINS server
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.crocess_name_refresh_request(171)
process_name_refresh_request: unicast name registration request received for name ASHESH-PC<00> from IP 192.168.1.10 on subnet UNICAST_SUBNET.
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.crocess_name_refresh_request(172)
Error - should be sent to WINS server
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.crocess_name_refresh_request(171)
process_name_refresh_request: unicast name registration request received for name WORKGROUP<00> from IP 192.168.1.10 on subnet UNICAST_SUBNET.
[2008/08/22 15:18:44, 0] nmbd/nmbd_incomingrequests.crocess_name_refresh_request(172)
Error - should be sent to WINS server
But I don't want to run CUPS or anything. I just want a simple ftp server to which my network users can have file access.
But this does not explain why I'm unable to access the folder. There are no messages about permissions being denied to samba for the folders it wants access to. I tried with SELinux off by setenforce 0 but it still didn't work.
Can anyone please tell me whats going on here?
PS - Now my windows machines can see the server on the network, but I'm getting SELinux alerts:
Code:
Summary:
SELinux is preventing smbd (smbd_t) "signal" to <Unknown> (unconfined_t).
Detailed Description:
SELinux denied access requested by smbd. It is not expected that this access is
required by smbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:smbd_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects None [ process ]
Source smbd
Source Path /usr/sbin/smbd
Port <Unknown>
Host india
Source RPM Packages samba-3.2.0-2.17.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-84.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name india
Platform Linux india 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
4 14:08:11 EDT 2008 i686 i686
Alert Count 8
First Seen Fri 22 Aug 2008 03:25:48 PM IST
Last Seen Fri 22 Aug 2008 03:26:38 PM IST
Local ID 9a90ecee-d593-43bc-b417-d37f331483d3
Line Numbers
Raw Audit Messages
host=india type=AVC msg=audit(1219398998.563:53): avc: denied { signal } for pid=3338 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=india type=SYSCALL msg=audit(1219398998.563:53): arch=40000003 syscall=37 success=no exit=-13 a0=d0e a1=a a2=b7f77ff4 a3=0 items=0 ppid=1 pid=3338 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
Making changes to the samba configuration via the GUI also triggers these AVC denials:
Code:
Summary:
SELinux is preventing the nmbd from using potentially mislabeled files
(/home/ashesh/.xsession-errors).
Detailed Description:
SELinux has denied nmbd access to potentially mislabeled file(s)
(/home/ashesh/.xsession-errors). This means that SELinux will not allow nmbd to
use these files. It is common for users to edit files in their home directory or
tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.
Allowing Access:
If you want nmbd to access this files, you need to relabel them using restorecon
-v '/home/ashesh/.xsession-errors'. You might want to relabel the entire
directory using restorecon -R -v '/home/ashesh'.
Additional Information:
Source Context unconfined_u:system_r:nmbd_t:s0
Target Context system_u:object_r:user_home_t:s0
Target Objects /home/ashesh/.xsession-errors [ file ]
Source nmbd
Source Path /usr/sbin/nmbd
Port <Unknown>
Host india
Source RPM Packages samba-3.2.0-2.17.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-84.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name india
Platform Linux india 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
4 14:08:11 EDT 2008 i686 i686
Alert Count 13
First Seen Tue 19 Aug 2008 09:28:35 AM IST
Last Seen Fri 22 Aug 2008 03:33:03 PM IST
Local ID be204866-0293-47e7-a2f5-b4df5fe16093
Line Numbers
Raw Audit Messages
host=india type=AVC msg=audit(1219399383.70:63): avc: denied { append } for pid=3600 comm="nmbd" path="/home/ashesh/.xsession-errors" dev=dm-0 ino=141271 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
host=india type=SYSCALL msg=audit(1219399383.70:63): arch=40000003 syscall=11 success=yes exit=0 a0=83e69d0 a1=83e6840 a2=83e6d10 a3=0 items=0 ppid=3599 pid=3600 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="nmbd" exe="/usr/sbin/nmbd" subj=unconfined_u:system_r:nmbd_t:s0 key=(null)
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103
Original Poster
Rep:
Code:
#======================= Global Settings =====================================
[global]
# ----------------------- Netwrok Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#
workgroup = workgroup
server string = Samba Server Version %v
; netbios name = MYSERVER
interfaces = lo eth0
; hosts allow = 127 192.168.1.
# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
# ----------------------- Standalone Server Options ------------------------
#
# Scurity can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
security = server
passdb backend = tdbsam
# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
; realm = MY_REALM
; password server = <NT-Server-Name>
# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
; domain master = yes
; domain logons = yes
# the login script name depends on the machine name
; logon script = %m.bat
# the login script name depends on the unix user used
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# disables profiles support by specifing an empty path
; logon path =
; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; local master = no
; os level = 33
; preferred master = yes
#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
; dns proxy = yes
# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option
; load printers = yes
cups options = raw
; printcap name = /etc/printcap
#obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups
# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; encrypt passwords = yes
; guest ok = no
; guest account = nobody
password server = india
; store dos attributes = yes
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
; guest ok = no
; writable = No
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = +staff
[ftp]
path = /samba/ftp
writeable = yes
; browseable = yes
guest ok = yes
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103
Original Poster
Rep:
Yet another AVC Denial:
Code:
Summary:
SELinux is preventing smbd (smbd_t) "signal" to <Unknown> (nmbd_t).
Detailed Description:
SELinux denied access requested by smbd. It is not expected that this access is
required by smbd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:smbd_t:s0
Target Context system_u:system_r:nmbd_t:s0
Target Objects None [ process ]
Source smbd
Source Path /usr/sbin/smbd
Port <Unknown>
Host india
Source RPM Packages samba-3.2.0-2.17.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-84.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name india
Platform Linux india 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
4 14:08:11 EDT 2008 i686 i686
Alert Count 4
First Seen Sat 23 Aug 2008 10:12:28 PM IST
Last Seen Sat 23 Aug 2008 10:12:41 PM IST
Local ID 85e3e46d-b888-49eb-b2b9-30fa154a548c
Line Numbers
Raw Audit Messages
host=india type=AVC msg=audit(1219509761.32:161): avc: denied { signal } for pid=2423 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=process
host=india type=SYSCALL msg=audit(1219509761.32:161): arch=40000003 syscall=37 success=no exit=-13 a0=96f a1=a a2=b7f3cff4 a3=0 items=0 ppid=1 pid=2423 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
Exactly what is says under "Allowing Access":
- You can generate a local policy module to allow this access
- You can disable SELinux which is not recommended.
* And you should file a bug report against this package.
For allowing acces you just follow what's outlined for generating a local policy module.
Just try it. If it doesn't work tell us what you did and what happened.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.