-   Linux - Server (
-   -   samba pdc selinux problem "rename" %m.log (

WorldIsNotFair 07-22-2008 04:01 AM

samba pdc selinux problem "rename" %m.log
OS = RHEL 5.1
Samba v3.0.25b-0.el5.4

Every time user logout / login, this selinux warning happen.

SELinux troubleshooter summary

selinux is preventing samba (/usr/sbin/smbd) "rename" win2003.log (samba_log_t)


workgroup = HeinzCORP
server string = Samba PDC Version %v
netbios name = Server120
encrypt passwords = yes
log file = /var/log/samba/%m.log <-- problem ?
max log size = 50
passwd program = /usr/bin/passwd %u
passwd chat = *NEW*UNIX*PASSWORD* %n\n *RETYPE*New*UNIX*Password* %n\n
log level = 2
unix password sync = yes
logon script = %U.bat
logon path = \\%L\profiles\%a\%U
logon drive = N:
logon home = \\%L\%U\Win-profile
domain logons = yes
os level = 65
prefered master = yes
domain master = yes
wins support = yes
hosts allow = 192.168.0.

This is getsebool grep samba

samba_domain_controller --> on
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on
samba_share_nfs --> off
use_samba_home_dirs --> off

So brotha, please give me a hand on this ...
How is the practice in the real world ?

unSpawn 07-23-2008 01:49 PM


Originally Posted by WorldIsNotFair (Post 3222343)
selinux is preventing samba (/usr/sbin/smbd) "rename" win2003.log (samba_log_t)

Below that message is a line with the original access vector cache (AVC) warning from /var/log/audit/audit.log (or /var/log/messages if you don't run Auditd). If you echo that line and pipe it through 'audit2allow' you should get a rule something like "allow smbd_t samba_log_t:file rename;". This rule you can add to your local policy module. If that does not work then you can disable SELinux protection for Samba by setting 'setsebool -P smbd_disable_trans 1' and restart Samba. Again, this disables SELinux protection for Samba, and given the fact Samba doesn't have a spotless past with respect to vulnerabilities you should at the same time beef up your auditing and security and submit a ticket to Red Hats bug tracker.

WorldIsNotFair 07-23-2008 09:15 PM

Thanks bro unSpawn,

I think disable samba from selinux is the best now ( I get another denial further now ..)

I should send Redhat inc a ticket bout this.

Really appreciate the comment bro ...

All times are GMT -5. The time now is 06:48 PM.