Description of problem:
"smb" service fails to start by throwing following error
=======
Starting SMB services: smbd: error while loading shared libraries: libldap-2.3.so.0: cannot open shared object file: Permission denied [FAILED]
Starting NMB services: nmbd: error while loading shared libraries: libgssapi_krb5.so.2: cannot open shared object file: Permission denied [FAILED]
=======

Version-Release number of selected component (if applicable):
(Linux)(fivestar) ~{16} uname -a
Linux fivestar 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:15 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
(Linux)(fivestar) ~{17} rpm -qa | grep samba
samba-client-3.0.28-0.el5.8
samba-3.0.28-0.el5.8
samba-common-3.0.28-0.el5.8

How reproducible:
Enable the SELinux,
(Linux)(fivestar) ~{19} sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

Steps to Reproduce:
1. start service by /etc/init.d/smb start

Actual results:
Starting SMB services: smbd: error while loading shared libraries: libldap-2.3.so.0: cannot open shared object file: Permission denied [FAILED]
Starting NMB services: nmbd: error while loading shared libraries: libgssapi_krb5.so.2: cannot open shared object file: Permission denied [FAILED]

Expected results:
Starting SMB services: smbd: [OK]
Starting NMB services: nmbd: [OK]

Additional info:
snip from log
============
audit(1241091969.714:59): avc: denied { read } for pid=8201 comm="smbd" name="libldap-2.3.so.0.2.15" dev=dm-0 ino=11597078 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1241091969.938:60): avc: denied { read } for pid=8204 comm="nmbd" name="libgssapi_krb5.so.2.2" dev=dm-0 ino=11597059 scontext=root:system_r:nmbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
============

ls -lZ output:
(Linux)(fivestar) ~{20} ls -lZ /usr/lib/libldap-2.3.so.0.2.15
-rwxr-xr-x root root system_u:object_r:lib_t /usr/lib/libldap-2.3.so.0.2.15*
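Both denials in the report have a target type of file_t, the type the targeted policy gives to files that carry no SELinux label on disk, so the failure is a labeling problem rather than a missing Samba rule. As an added example (not part of the original report or of any SELinux tool), this Python script parses AVC lines and lists the targets denied for that reason; the function names and the UNLABELED_TYPES set are assumptions of the example.

```python
import re

# The two denials quoted in the report, embedded so the example runs offline.
SAMPLE_LOG = """\
audit(1241091969.714:59): avc: denied { read } for pid=8201 comm="smbd" name="libldap-2.3.so.0.2.15" dev=dm-0 ino=11597078 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1241091969.938:60): avc: denied { read } for pid=8204 comm="nmbd" name="libgssapi_krb5.so.2.2" dev=dm-0 ino=11597059 scontext=root:system_r:nmbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
"""

# Target types that indicate a missing label rather than a policy decision.
# Assumption of this example: only file_t, the type seen in the report.
UNLABELED_TYPES = {"file_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    for side in ("scontext", "tcontext"):
        # Context layout is user:role:type[:level]; the level may hold colons.
        parts = rec.get(side, "").split(":", 3)
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def mislabeled_targets(log_text, unlabeled=UNLABELED_TYPES):
    """List (comm, name, inode, target type) for denials on unlabeled files."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["tcontext_type"] in unlabeled:
            hits.append((rec.get("comm"), rec.get("name"),
                         int(rec.get("ino", 0)), rec["tcontext_type"]))
    return hits


if __name__ == "__main__":
    for comm, name, ino, ttype in mislabeled_targets(SAMPLE_LOG):
        print(f"{comm}: {name} (inode {ino}) has type {ttype}; needs relabeling")
```

The log carries only the file name and inode, not the full path, so the inode is what ties each hit back to a file on the dev=dm-0 filesystem before running restorecon on it.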
I wonder if your files are labeled correctly. CC'ing Dan.
Hey Simo, yes, previously I had faced the same issue; './autorelabel' did not suffice. Even my 'restorecon' was not working, so I used 'chcon' and then restored lib_t from file_t for /lib and /lib64. But I am able to access many different libs; e.g. ping was not working, but after restoring it started to work.
Just run fixfiles restore as root, which is the equivalent of /.autorelabel. This should fix your labeling problem.
Hi Daniel, one thing I noticed, very curiously :D : whenever I accept enabling the firewall and SELinux at the time of a fresh install, everything works fine. But in the second case, suppose I say no to the firewall and SELinux (i.e. disable them): it makes me panic, and then only /.autorelabel works, but in this case some of the libraries are not working. I tried with fixfiles restore:

(Linux)(fivestar) ~{30} fixfiles restore
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 18 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 19 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 20 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 23 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 39 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 40 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 41 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 42 has invalid context user_u:object_r:user_mozilla_home_t:s0
Exiting after 10 errors.

When I had a look in the mentioned file:
=====
#
#
# User-specific file contexts, generated via /usr/sbin/genhomedircon
# use semanage command to manage system users in order to change the file_context
#
#
#
# Home Context for user user_u
#
/home/[^/]*/.+ user_u:object_r:user_home_t:s0
/home/[^/]*/.*/plugins/nprhapengine\.so.* -- user_u:object_r:textrel_shlib_t:s0
/home/[^/]*/.*/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
/home/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t:s0
/home/[^/]*/\.galeon(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/[^/]*/\.mozilla(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/[^/]*/\.phoenix(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
/home/[^/]*/\.netscape(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/[^/]* -d user_u:object_r:user_home_dir_t:s0
/home/lost\+found/.* <<none>>
/home -d system_u:object_r:home_root_t:s0
/home/\.journal <<none>>
/home/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user user_u
#
/home/mybuild/[^/]*/.+ user_u:object_r:user_home_t:s0
/home/mybuild/[^/]*/.*/plugins/nprhapengine\.so.* -- user_u:object_r:textrel_shlib_t:s0
/home/mybuild/[^/]*/.*/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
/home/mybuild/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t:s0
/home/mybuild/[^/]*/\.java(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/mybuild/[^/]*/\.galeon(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/mybuild/[^/]*/\.mozilla(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/mybuild/[^/]*/\.phoenix(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/mybuild/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
/home/mybuild/[^/]*/\.netscape(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/mybuild/[^/]* -d user_u:object_r:user_home_dir_t:s0
/home/mybuild/lost\+found/.* <<none>>
/home/mybuild -d system_u:object_r:home_root_t:s0
/home/mybuild/\.journal <<none>>
/home/mybuild/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user user_u
#
/oracle/[^/]*/.+ user_u:object_r:user_home_t:s0
/oracle/[^/]*/.*/plugins/nprhapengine\.so.* -- user_u:object_r:textrel_shlib_t:s0
/oracle/[^/]*/.*/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
/oracle/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t:s0
/oracle/[^/]*/\.java(/.*)? user_u:object_r:user_mozilla_home_t:s0
/oracle/[^/]*/\.galeon(/.*)? user_u:object_r:user_mozilla_home_t:s0
/oracle/[^/]*/\.mozilla(/.*)? user_u:object_r:user_mozilla_home_t:s0
/oracle/[^/]*/\.phoenix(/.*)? user_u:object_r:user_mozilla_home_t:s0
/oracle/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
/oracle/[^/]*/\.netscape(/.*)? user_u:object_r:user_mozilla_home_t:s0
/oracle/[^/]* -d user_u:object_r:user_home_dir_t:s0
/oracle/lost\+found/.* <<none>>
/oracle -d system_u:object_r:home_root_t:s0
/oracle/\.journal <<none>>
/oracle/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user root
#
/root/.+ root:object_r:user_home_t:s0
/root/.*/plugins/nprhapengine\.so.* -- root:object_r:textrel_shlib_t:s0
/root/.*/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
/root/((www)|(web)|(public_html))(/.+)? root:object_r:httpd_user_content_t:s0
/root/\.java(/.*)? root:object_r:user_mozilla_home_t:s0
/root/\.galeon(/.*)? root:object_r:user_mozilla_home_t:s0
/root/\.mozilla(/.*)? root:object_r:user_mozilla_home_t:s0
/root/\.phoenix(/.*)? root:object_r:user_mozilla_home_t:s0
/root/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
/root/\.netscape(/.*)? root:object_r:user_mozilla_home_t:s0
/root -d root:object_r:user_home_dir_t:s0
=====
Could you install the RHEL5.4 selinux policy on this machine and see if this fixes your problem? http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch