Doc Text:
|
As per the bug, the Active directory integration of samba and gluster will fail and you will see the AVC denial's for nmb,winbind and smbd processes.
In order to rectify the problem please use the workaround mentioned below.
Step 1:
# cat bz1240198.te
policy_module(bz1240198,1.1)
require {
type nmbd_t;
type smbd_t;
type winbind_var_run_t;
type smbd_var_run_t;
type winbind_t;
type nmbd_var_run_t;
}
manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
files_pid_filetrans(nmbd_t, nmbd_var_run_t, { sock_file })
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file })
filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, { sock_file file })
manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
allow nmbd_t nmbd_var_run_t:sock_file { create unlink };
allow nmbd_t smbd_var_run_t:file { write read lock create unlink open };
allow nmbd_t smbd_var_run_t:sock_file { create unlink };
Step 2:
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted bz1240198 module
/usr/bin/checkmodule: loading policy configuration from tmp/bz1240198.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/bz1240198.mod
Creating targeted bz1240198.pp policy package
rm tmp/bz1240198.mod tmp/bz1240198.mod.fc
Step 3:
# semodule -i bz1240198.pp
|