Description of problem:
********************************************
With SELinux enabled in RHEL 6.6, the smb service does not start with the 3.0.4 samba rpms installed.

To test RHGS 3.1, I installed RHEL 6.6 and the gluster upstream nightly build. On top of that I installed the 3.0.4 samba build just to verify the dependencies and service status; "service smb start" fails with the following error:

Apr 2 03:17:18 dhcp159-154 smbd[17741]: [2015/04/02 03:17:18.068735, 0] ../source3/profile/profile.c:155(profile_setup)
Apr 2 03:17:18 dhcp159-154 smbd[17741]:   Can't attach to IPC area. Error was Permission denied
Apr 2 03:17:18 dhcp159-154 smbd[17741]: [2015/04/02 03:17:18.070848, 0] ../source3/smbd/server.c:1254(main)
Apr 2 03:17:18 dhcp159-154 smbd[17741]:   ERROR: failed to setup profiling

# service smb start
Starting SMB services: [FAILED]

When SELinux was disabled it worked fine. The changes required for the smb service to work with SELinux enabled need to be added.

Version-Release number of selected component (if applicable):
samba-4.1.17-4.el6rhs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL 6.6 ISO (selinux enabled)
2. Install upstream gluster nightly build.
3. Install 3.0.4 samba builds
4. Start smb service

Actual results:
Service smb start failed.

Expected results:
smb service should start successfully.

Additional info:
With SELinux disabled it starts successfully.
When the SELinux mode was changed to permissive, the smb service started successfully.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
*****************************************************
# service smb start
Starting SMB services: [FAILED]
*****************************************************
# getenforce
Enforcing
# setenforce 0
# getenforce
Permissive
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# service smb start
Starting SMB services: [ OK ]
AVC from /var/log/audit/audit.log:

type=AVC msg=audit(1427959038.067:105): avc: denied { read write } for pid=17741 comm="smbd" path=2F535953563037303231393939202864656C6574656429 dev=tmpfs ino=0 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file

Output of: ausearch -m avc --start recent

type=SYSCALL msg=audit(1428488962.326:6275): arch=c000003e syscall=30 success=no exit=-13 a0=0 a1=0 a2=0 a3=7fcdbe4b1e60 items=0 ppid=16516 pid=16517 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1037 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1428488962.326:6275): avc: denied { read write } for pid=16517 comm="smbd" path=2F535953563037303231393939202864656C6574656429 dev=tmpfs ino=0 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
(In reply to surabhi from comment #4)
> AVC from /var/log/audit/audit.log :
>

Surabhi,

I did a quick debugging around this issue and found a possible solution that you could make use of to easily work around this issue. So until you get the proper fix from the developers or hear from them, please try setting the following boolean and see if you are able to start the smb process and move forward:

#####
# setsebool -P samba_export_all_rw 1
#####

If you are able to start the smb service, you should avoid changing the SELinux mode back to Permissive for the rest of your Samba testing until you hit the next SELinux issue!

See my test results below:

----------
[root@dhcp42-72 ]# /etc/init.d/smb start
Starting SMB services: [FAILED]
[root@dhcp42-72 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@dhcp42-72 ~]# setsebool -P samba_export_all_rw 1
[root@dhcp42-72 ~]# /etc/init.d/smb status
smbd is stopped
[root@dhcp42-72 ~]# /etc/init.d/smb start
Starting SMB services: [ OK ]
[root@dhcp42-72 ~]# /etc/init.d/smb status
smbd (pid 3196) is running...
----------

Please confirm with your test results.
----
type=SYSCALL msg=audit(04/22/2015 17:03:56.388:2286) : arch=x86_64 syscall=shmat success=no exit=-13(Permission denied) a0=0x18003 a1=0x0 a2=0x0 a3=0x7f87adabf770 items=0 ppid=18755 pid=18756 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=148 comm=smbd exe=/usr/sbin/smbd subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(04/22/2015 17:03:56.388:2286) : avc: denied { read write } for pid=18756 comm=smbd path=/SYSV07021999 (deleted) dev=tmpfs ino=98307 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
----

The /SYSV07021999 is mislabeled. Can anybody tell me which process created that file?
# ipcs

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 0          root       644        80         2
0x00000000 32769      root       644        16384      2
0x00000000 65538      root       644        280        2
0x07021999 98307      root       644        1704       0

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 0          root       600        1
0x00000000 32769      root       600        1
0x000000a7 131074     root       600        1

------ Message Queues --------
key        msqid      owner      perms      used-bytes   messages

#
From strace output:

25503 shmget(0x7021999, 0, 0)           = 98307
25503 shmat(98307, 0, 0)                = -1 EACCES (Permission denied)
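The denial records, the ipcs listing and the strace lines quoted in the comments above all describe the same object, and they can be tied together mechanically rather than by eye. The following is an added example, not code from this bug, from Samba or from the SELinux policy: it parses an AVC record in either form (raw audit.log with the path hex-encoded, or the ausearch -i rendering), decodes the path, derives the SysV IPC key from the /SYSVxxxxxxxx file name, matches it against the ipcs rows, and emits the type-enforcement rule the denial corresponds to, the way audit2allow would. It relies on the Linux convention that a SysV shared-memory segment is backed by a file named SYSV followed by the key in eight hex digits on the kernel's internal shm tmpfs, whose inode number equals the shmid; the sample records and ipcs text are constructed from what the thread quotes.

```python
import re

# Constructed sample input, copied from the records quoted in this bug: one raw
# auditd line (path hex-encoded) and one rendered by ausearch -i.
AVC_RAW = (
    'type=AVC msg=audit(1427959038.067:105): avc: denied { read write } for '
    'pid=17741 comm="smbd" path=2F535953563037303231393939202864656C6574656429 '
    'dev=tmpfs ino=0 scontext=unconfined_u:system_r:smbd_t:s0 '
    'tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file'
)
AVC_INTERPRETED = (
    'type=AVC msg=audit(04/22/2015 17:03:56.388:2286) : avc: denied { read write } '
    'for pid=18756 comm=smbd path=/SYSV07021999 (deleted) dev=tmpfs ino=98307 '
    'scontext=unconfined_u:system_r:smbd_t:s0 '
    'tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file'
)
# Constructed from the ipcs output in the thread (shared memory section only).
IPCS_OUTPUT = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 0          root       644        80         2
0x00000000 32769      root       644        16384      2
0x00000000 65538      root       644        280        2
0x07021999 98307      root       644        1704       0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# A value is a quoted string or a bare token; ausearch -i renders an unlinked
# path as "<path> (deleted)", so allow that one trailing space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+(?: \(deleted\))?)')
# The kernel backs every SysV segment with a file named SYSV%08x (the IPC key)
# on its internal shm tmpfs; that file's inode number is the shmid.
SYSV_RE = re.compile(r"^/SYSV(?P<key>[0-9a-fA-F]{8})")


def decode_audit_string(value):
    """Undo auditd's hex encoding of fields that contain spaces or quotes."""
    value = value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        try:
            return bytes.fromhex(value).decode("utf-8")
        except ValueError:
            pass
    return value


def parse_avc(record):
    """Return the fields of one AVC denial record, or None if it is not one."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "").strip('"'),
        "path": decode_audit_string(fields.get("path", "")),
        "ino": int(fields.get("ino", "0")),
        "stype": fields["scontext"].split(":")[2],   # source type, e.g. smbd_t
        "ttype": fields["tcontext"].split(":")[2],   # target type, e.g. tmpfs_t
        "tclass": fields["tclass"],
    }


def to_te_rule(avc):
    """The type-enforcement rule this denial maps to (audit2allow style)."""
    return "allow %s %s:%s { %s };" % (
        avc["stype"], avc["ttype"], avc["tclass"], " ".join(avc["perms"]))


def sysv_key(path):
    """IPC key encoded in a /SYSVxxxxxxxx path, or None for other paths."""
    m = SYSV_RE.match(path)
    return int(m.group("key"), 16) if m else None


def parse_ipcs_shm(text):
    """Parse the 'Shared Memory Segments' rows of ipcs output."""
    segments = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("0x"):
            segments.append({"key": int(parts[0], 16), "shmid": int(parts[1]),
                             "owner": parts[2], "perms": parts[3],
                             "bytes": int(parts[4]), "nattch": int(parts[5])})
    return segments


def find_segment(avc, segments):
    """Match the denied file to an ipcs row by IPC key, else by inode == shmid."""
    key = sysv_key(avc["path"])
    for seg in segments:
        if key is not None and seg["key"] == key:
            return seg
        if avc["ino"] and seg["shmid"] == avc["ino"]:
            return seg
    return None


def triage(record, ipcs_text):
    """Decode one AVC record and correlate it with the live ipcs listing."""
    avc = parse_avc(record)
    if avc is None:
        return None
    seg = find_segment(avc, parse_ipcs_shm(ipcs_text))
    return {"rule": to_te_rule(avc), "path": avc["path"],
            "key": sysv_key(avc["path"]), "segment": seg}


if __name__ == "__main__":
    for rec in (AVC_RAW, AVC_INTERPRETED):
        print(triage(rec, IPCS_OUTPUT))
```

Both records decode to the path /SYSV07021999 (deleted), key 0x07021999, and resolve to the ipcs row with shmid 98307, which is exactly the id the strace shmget() returned before shmat() failed. The emitted rule is the generic allow smbd_t tmpfs_t:file { read write }; when that rule is already present in the loaded policy, as the policy maintainers note later in this bug, the denial is evidence that the segment's label (plain tmpfs_t rather than a smbd-specific tmpfs type) is the problem, not a missing rule.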
Prasanth,

I tried the option that you provided, setsebool -P samba_export_all_rw 1, and the smb service gets started.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# setsebool -P samba_export_all_rw 1
# service smb start
Starting SMB services: [ OK ]
We need to find out who creates tmpfs_t in this case. Are we able to reproduce it? Is there a chance there is a SAMBA service running by hand?
Paul,
something tells me we had a similar issue for another service. The point is we have

allow smbd_t tmpfs_t:file { read write };

but I am not able to get it working with smbd_tmpfs_t.
After the smb service starts, I am not able to mount the volume in enforcing mode with the boolean option used as a workaround:

setsebool -P samba_export_all_rw 1

Will raise another BZ for this issue.
(In reply to Miroslav Grepl from comment #14)
> Paul,
> something tells me we had a similar issue for another service. The point is
> we have
>
> allow smbd_t tmpfs_t:file { read write };
>
> but I am not able to get it working with smbd_tmpfs_t.

I vaguely remember something similar to this having to do with ssh and interactions with kerberos/kernel-keyring, but then again my mind may be playing tricks on me. The unconfined_u user in the SELinux label does make me a bit suspicious ...
Well, we have it for both

scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file

which is OK because the service is running using a service script instead of run_init on RHEL6. Anyway, I can try to add smbd_tmpfs_t to see if it fixes the issue. We have it in RHEL7/Fedora.
Okay, hopefully that should do the trick.
The smb service starts successfully after updating to the latest selinux policy, selinux-policy-3.7.19-271.el6.

Install RHEL6.7
Install gluster rpms for rhgs3.1
Install samba rpms for rhgs3.1
Start smb service

The smb service starts successfully. Moving the BZ to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1495.html