Bug 498414 - "smb" service fails to start by throwing error "error loading shared libraries .. in SELinux Environment"
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba
Version: 5.2
Hardware: x86_64 Linux
Priority: low
Severity: medium
Assigned To: Guenther Deschner
QA Contact: qe-baseos-daemons
Keywords: Reopened
Reported: 2009-04-30 08:03 EDT by tomy versatti
Modified: 2010-05-17 10:46 EDT
Doc Type: Bug Fix
Last Closed: 2010-05-17 10:46:28 EDT
Description tomy versatti 2009-04-30 08:03:51 EDT
Description of problem:
"smb" service fails to start by throwing the following error

=======
Starting SMB services: smbd: error while loading shared libraries: libldap-2.3.so.0: cannot open shared object file: Permission denied
                                                           [FAILED]
Starting NMB services: nmbd: error while loading shared libraries: libgssapi_krb5.so.2: cannot open shared object file: Permission denied
                                                           [FAILED]
=======

Version-Release number of selected component (if applicable):
(Linux)(fivestar) ~{16} uname -a
Linux fivestar 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:15 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
(Linux)(fivestar) ~{17} rpm -qa | grep samba
samba-client-3.0.28-0.el5.8
samba-3.0.28-0.el5.8
samba-common-3.0.28-0.el5.8



How reproducible:
Enable SELinux:
(Linux)(fivestar) ~{19} sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted


Steps to Reproduce:
1. Start the service with /etc/init.d/smb start
  
Actual results:
Starting SMB services: smbd: error while loading shared libraries: libldap-2.3.so.0: cannot open shared object file: Permission denied
                                                           [FAILED]
Starting NMB services: nmbd: error while loading shared libraries: libgssapi_krb5.so.2: cannot open shared object file: Permission denied
                                                           [FAILED]

Expected results:
Starting SMB services: smbd:                                                            [OK]
Starting NMB services: nmbd:                                                         [OK]

Additional info: 
snip from log
============
audit(1241091969.714:59): avc:  denied  { read } for  pid=8201 comm="smbd" name="libldap-2.3.so.0.2.15" dev=dm-0 ino=11597078 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1241091969.938:60): avc:  denied  { read } for  pid=8204 comm="nmbd" name="libgssapi_krb5.so.2.2" dev=dm-0 ino=11597059 scontext=root:system_r:nmbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
============
ls -lZ output:
(Linux)(fivestar) ~{20} ls -lZ /usr/lib/libldap-2.3.so.0.2.15
-rwxr-xr-x  root root system_u:object_r:lib_t          /usr/lib/libldap-2.3.so.0.2.15*
Comment 1 Simo Sorce 2009-04-30 09:13:02 EDT
I wonder if your files are labeled correctly.
CC'ing Dan.
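
The labeling question raised in Comment 1 can be answered from the AVC records themselves. The following is an added example, not part of the original bug report: it parses `avc: denied` lines and separates denials whose target carries `file_t` (or `unlabeled_t`), meaning the file has no usable label, from denials against a properly labeled target. The third sample record and all function names are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample: the two AVC records from the description, plus one
# invented record (etc_t target) to show the contrasting case.
SAMPLE = """\
audit(1241091969.714:59): avc:  denied  { read } for  pid=8201 comm="smbd" name="libldap-2.3.so.0.2.15" dev=dm-0 ino=11597078 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1241091969.938:60): avc:  denied  { read } for  pid=8204 comm="nmbd" name="libgssapi_krb5.so.2.2" dev=dm-0 ino=11597059 scontext=root:system_r:nmbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(0.000:1): avc:  denied  { write } for  pid=1 comm="smbd" name="constructed.conf" dev=dm-0 ino=1 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

Avc = namedtuple("Avc", "perms comm name dev ino source_type target_type tclass")

_AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that indicate a missing or invalid label rather than a
# deliberate policy decision about a labeled object.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def _type_of(context):
    """Extract the type field from user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Return an Avc tuple for an 'avc: denied' line, else None."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in _KV_RE.findall(m.group(2))}
    return Avc(tuple(m.group(1).split()), f.get("comm", ""), f.get("name", ""),
               f.get("dev", ""), f.get("ino", ""), _type_of(f.get("scontext", "")),
               _type_of(f.get("tcontext", "")), f.get("tclass", ""))


def triage(log_text):
    """Split denials into (labeling_problems, policy_denials)."""
    labeling, policy = [], []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is not None:
            (labeling if avc.target_type in UNLABELED_TYPES else policy).append(avc)
    return labeling, policy


if __name__ == "__main__":
    labeling, policy = triage(SAMPLE)
    for a in labeling:
        print(f"{a.comm} ({a.source_type}): {a.name} ino={a.ino} is {a.target_type}; relabel it")
    for a in policy:
        print(f"{a.comm} ({a.source_type}): {a.perms} on {a.target_type} denied by policy")
```

An AVC record identifies the target by name, device and inode rather than by full path, so `find <mountpoint> -xdev -inum <ino>` on the filesystem named in `dev=` locates the exact file whose label needs checking.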
Comment 2 tomy versatti 2009-04-30 09:50:17 EDT
Hey Simo,

Yes, previously I had faced the same issue; './autorelabel' did not suffice.
Even my 'restorecon' was not working, so I used 'chcon' and then restored lib_t from file_t for /lib and /lib64.
But I am able to access many different libs; e.g. ping was not working, but after restoring it started to work.
Comment 3 Daniel Walsh 2009-04-30 09:52:19 EDT
Just run fixfiles restore as root, which is the equivalent of /.autorelabel.

This should fix your labeling problem.
Comment 4 tomy versatti 2009-05-01 06:00:39 EDT
Hi Daniel,

One thing I noticed, very curiously :D :
whenever I accept enabling the firewall and SELinux at the time of a fresh install, everything works fine.
But in the second case, suppose I say no to the firewall and SELinux (i.e. disable them), it makes me panic; then only /.autorelabel works, but now in this case some of the libraries are not working.

I tried with fixfiles restore:

(Linux)(fivestar) ~{30} fixfiles restore
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 18 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 19 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 20 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 21 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 23 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 39 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 40 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 41 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 42 has invalid context user_u:object_r:user_mozilla_home_t:s0
Exiting after 10 errors.

When I had a look at the mentioned file:
=====
#
#
# User-specific file contexts, generated via /usr/sbin/genhomedircon
# use semanage command to manage system users in order to change the file_context
#
#


#
# Home Context for user user_u
#

/home/[^/]*/.+ user_u:object_r:user_home_t:s0
/home/[^/]*/.*/plugins/nprhapengine\.so.*  --  user_u:object_r:textrel_shlib_t:s0
/home/[^/]*/.*/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
/home/[^/]*/((www)|(web)|(public_html))(/.+)?  user_u:object_r:httpd_user_content_t:s0
/home/[^/]*/\.galeon(/.*)?    user_u:object_r:user_mozilla_home_t:s0
/home/[^/]*/\.mozilla(/.*)?   user_u:object_r:user_mozilla_home_t:s0
/home/[^/]*/\.phoenix(/.*)?   user_u:object_r:user_mozilla_home_t:s0
/home/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* --  user_u:object_r:textrel_shlib_t:s0
/home/[^/]*/\.netscape(/.*)?  user_u:object_r:user_mozilla_home_t:s0
/home/[^/]* -d user_u:object_r:user_home_dir_t:s0
/home/lost\+found/.* <<none>>
/home  -d system_u:object_r:home_root_t:s0
/home/\.journal <<none>>
/home/lost\+found  -d  system_u:object_r:lost_found_t:s0


#
# Home Context for user user_u
#

/home/mybuild/[^/]*/.+ user_u:object_r:user_home_t:s0
/home/mybuild/[^/]*/.*/plugins/nprhapengine\.so.* --  user_u:object_r:textrel_shlib_t:s0
/home/mybuild/[^/]*/.*/plugins/libflashplayer\.so.* --  user_u:object_r:textrel_shlib_t:s0
/home/mybuild/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t:s0
/home/mybuild/[^/]*/\.java(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/mybuild/[^/]*/\.galeon(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/mybuild/[^/]*/\.mozilla(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/mybuild/[^/]*/\.phoenix(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/mybuild/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.*        --   user_u:object_r:textrel_shlib_t:s0
/home/mybuild/[^/]*/\.netscape(/.*)? user_u:object_r:user_mozilla_home_t:s0
/home/mybuild/[^/]* -d user_u:object_r:user_home_dir_t:s0
/home/mybuild/lost\+found/.*  <<none>>
/home/mybuild -d system_u:object_r:home_root_t:s0
/home/mybuild/\.journal <<none>>
/home/mybuild/lost\+found     -d system_u:object_r:lost_found_t:s0


#
# Home Context for user user_u
#

/oracle/[^/]*/.+ user_u:object_r:user_home_t:s0
/oracle/[^/]*/.*/plugins/nprhapengine\.so.* -- user_u:object_r:textrel_shlib_t:s0
/oracle/[^/]*/.*/plugins/libflashplayer\.so.*  -- user_u:object_r:textrel_shlib_t:s0
/oracle/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t:s0
/oracle/[^/]*/\.java(/.*)?    user_u:object_r:user_mozilla_home_t:s0
/oracle/[^/]*/\.galeon(/.*)?  user_u:object_r:user_mozilla_home_t:s0
/oracle/[^/]*/\.mozilla(/.*)? user_u:object_r:user_mozilla_home_t:s0
/oracle/[^/]*/\.phoenix(/.*)? user_u:object_r:user_mozilla_home_t:s0
/oracle/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* --   user_u:object_r:textrel_shlib_t:s0
/oracle/[^/]*/\.netscape(/.*)?  user_u:object_r:user_mozilla_home_t:s0
/oracle/[^/]* -d user_u:object_r:user_home_dir_t:s0
/oracle/lost\+found/.* <<none>>
/oracle  -d system_u:object_r:home_root_t:s0
/oracle/\.journal  <<none>>
/oracle/lost\+found -d system_u:object_r:lost_found_t:s0



#
# Home Context for user root
#

/root/.+ root:object_r:user_home_t:s0
/root/.*/plugins/nprhapengine\.so.* -- root:object_r:textrel_shlib_t:s0
/root/.*/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
/root/((www)|(web)|(public_html))(/.+)? root:object_r:httpd_user_content_t:s0
/root/\.java(/.*)? root:object_r:user_mozilla_home_t:s0
/root/\.galeon(/.*)? root:object_r:user_mozilla_home_t:s0
/root/\.mozilla(/.*)?  root:object_r:user_mozilla_home_t:s0
/root/\.phoenix(/.*)?  root:object_r:user_mozilla_home_t:s0
/root/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
/root/\.netscape(/.*)? root:object_r:user_mozilla_home_t:s0
/root  -d root:object_r:user_home_dir_t:s0
=====
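
Every `fixfiles restore` error shown in Comment 4 names the same context, `user_u:object_r:user_mozilla_home_t:s0`. The following added example (not part of the original bug report) parses the `file_contexts` entry format shown above and groups entries by any type that is absent from a supplied set of known types. The sample lines are a constructed subset in that format, and `KNOWN_TYPES` is an assumption standing in for the type list of the loaded policy (obtainable on a real host with `seinfo -t`).

```python
from collections import defaultdict

# Constructed sample in the file_contexts.homedirs format from Comment 4.
SAMPLE = r"""#
# Home Context for user user_u
#

/home/[^/]*/.+ user_u:object_r:user_home_t:s0
/home/[^/]*/\.mozilla(/.*)?   user_u:object_r:user_mozilla_home_t:s0
/home/[^/]* -d user_u:object_r:user_home_dir_t:s0
/home/lost\+found/.* <<none>>
/root/\.java(/.*)? root:object_r:user_mozilla_home_t:s0
"""

# Assumption: types defined in the loaded policy (illustrative subset).
KNOWN_TYPES = {"user_home_t", "user_home_dir_t", "home_root_t",
               "lost_found_t", "textrel_shlib_t", "httpd_user_content_t"}


def parse_entry(line):
    """Return (path_regex, file_type_flag, context) or None for blanks/comments.

    An entry is 'regex context' or 'regex -X context', where -X restricts
    the match to one file type (-d directory, -- regular file, ...).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) == 2:
        return parts[0], None, parts[1]
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    raise ValueError(f"unrecognised file_contexts entry: {line!r}")


def invalid_entries(text, known_types):
    """Map each unknown type to the line numbers of the entries that use it."""
    bad = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None or entry[2] == "<<none>>":
            continue  # comments, blanks and explicit "do not label" entries
        fields = entry[2].split(":")
        se_type = fields[2] if len(fields) >= 3 else entry[2]
        if se_type not in known_types:
            bad[se_type].append(lineno)
    return dict(bad)


if __name__ == "__main__":
    for se_type, lines in invalid_entries(SAMPLE, KNOWN_TYPES).items():
        print(f"{se_type}: not in policy, used on lines {lines}")
```

When every failing entry maps to a single missing type, the mismatch is between the generated `file_contexts.homedirs` and the installed policy rather than a problem with individual files.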
Comment 5 Daniel Walsh 2009-05-01 08:29:56 EDT
Could you install the RHEL5.4 selinux policy on this machine and see if this fixes your problem?

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch
