Bug 725800 - maybe a boolean to help samba get in touch with nscd instead of custom module redition
Summary: maybe a boolean to help samba get in touch with nscd instead of custom module...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-07-26 15:31 UTC by lejeczek
Modified: 2011-10-20 08:49 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-20 08:49:43 UTC
Type: ---


Attachments (Terms of Use)

Description lejeczek 2011-07-26 15:31:19 UTC
Description of problem:

SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/nscd.

*****  Plugin samba_share (75.5 confidence) suggests  ************************

If you want to allow bash to have getattr access on the nscd file
Then you need to change the label on '/etc/rc.d/init.d/nscd'
Do
# semanage fcontext -a -t samba_share_t '/etc/rc.d/init.d/nscd'
# restorecon  -v '/etc/rc.d/init.d/nscd'

*****  Plugin catchall_boolean (12.2 confidence) suggests  *******************

If you want to allow samba to share any file/directory read only.
Then you must tell SELinux about this by enabling the 'samba_export_all_ro' boolean.
Do
setsebool -P samba_export_all_ro 1

*****  Plugin catchall_boolean (12.2 confidence) suggests  *******************

If you want to allow samba to share any file/directory read/write.
Then you must tell SELinux about this by enabling the 'samba_export_all_rw' boolean.
Do
setsebool -P samba_export_all_rw 1

*****  Plugin catchall (1.97 confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the nscd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2011-07-26 19:04:01 UTC
Please attach the actual avc messages.


Note You need to log in before you can comment on or make changes to this bug.