Bug 811103
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/smbd from 'name_connect' accesses on the tcp_socket. Installed 'samba' package from redhat packages, and started via: # systemctl enable smb.service # systemctl start smb.service |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 17 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Keywords | Reopened |
| Reporter | Stef Walter <stefw> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, mgrepl, ssorce |
| Whiteboard | abrt_hash:bd367607d709e62d81ce2156ed578a9a9e060c218c73384e20dbf222e0cc9169 |
| Fixed In Version | selinux-policy-3.10.0-114.fc17 |
| Doc Type | Bug Fix |
| Last Closed | 2012-04-18 22:50:54 UTC |

Description
Stef Walter
2012-04-10 06:49:28 UTC
Basically the sealert tells you what to do. Why do you think this is a bug?

First of all none of those options represent "what I want to do". I was trying to create a file share using smbd, not "login using a sssd server" or "allow system to run with NIS". But that's really not the point.

The point is: When people install a samba server (something which I'm working on making work "out of the box" on RHEL), SELinux shouldn't require them to enter a command to unbreak their system. Is there a way we can make this work by default? So that the smbd process has the SELinux permissions it needs to do what it's supposed to do.

Obviously if I'm completely missing the point, then let me know. But if this message comes up by default when a system administrator installs samba, then the SELinux policy is broken :S

This avc shows smbd attempting to connect to an ldap port. Does the default samba configuration require that samba use ldap? We want apps to use sssd if they are using ldap for user management. If they use pam_ldap then we need to turn this on.

This doesn't have to do with pam_ldap. I joined an Active Directory domain. In RHEL 7, a big goal is to have RHEL + Active Directory work out of the box by default. I'm working on this now. Having samba work with Active Directory out of the box by default is a goal. Active Directory is kerberos and ldap based so I would assume smbd needs to connect to those services. Do you need me to research on what exactly samba is connecting to?

Nope, an explanation like this allows us to write better policy.

Now we allow smbd_t and winbind_t, smbmount_t to connect to ldap, but we do not allow nmbd_t, samba_net_t, smbcontrol_t, swat_t. Should all of these be allowed?

samba_net_t for sure, I think we can try to leave the other ones off for now.

Ok, I added it also for samba_net_t.

selinux-policy-3.10.0-114.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-114.fc17

Package selinux-policy-3.10.0-114.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-114.fc17'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-5870/selinux-policy-3.10.0-114.fc17
then log in and leave karma (feedback).

Thanks guys.

selinux-policy-3.10.0-114.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
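
The per-domain question raised in this thread (which Samba domains are denied name_connect to an LDAP port) can be answered from the audit log. The following is an added example, not part of the original bug report or the selinux-policy project: it groups AVC denials by source domain and renders each group as a candidate allow rule for review. The audit records, the ldap_port_t target type and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (illustrative; not from the bug report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1334040568.101:311): avc:  denied  { name_connect } for  pid=2101 comm="smbd" dest=389 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1334040568.101:311): arch=c000003e syscall=42 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1334040570.442:312): avc:  denied  { name_connect } for  pid=2144 comm="net" dest=389 scontext=system_u:system_r:samba_net_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1334040575.007:313): avc:  denied  { name_connect } for  pid=2101 comm="smbd" dest=636 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "ports": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL records)
        group = groups[(selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])]
        group["perms"].update(m["perms"].split())
        comm = re.search(r'comm="([^"]*)"', line)
        dest = re.search(r"\bdest=(\d+)", line)
        if comm:
            group["comms"].add(comm.group(1))
        if dest:
            group["ports"].add(int(dest.group(1)))
    return dict(groups)

def candidate_rules(groups):
    """Render each group as a candidate allow rule for policy review."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    groups = summarize_denials(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls), g in sorted(groups.items()):
        print(src, sorted(g["comms"]), sorted(g["ports"]))
    print("\n".join(candidate_rules(groups)))
```

Each candidate rule is a prompt for the review the thread carries out (does this domain legitimately need LDAP?), not a rule to load unexamined.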