+++ This bug was initially created as a clone of Bug #741630 +++

I just did a minimal Fedora 16 install using Beta RC3 i686 DVD, configured the network (without NM) and installed Samba (3.6.0-72.fc16).

Here's the service status:

# systemctl status nmb.service
nmb.service - Samba NMB Daemon
	  Loaded: loaded (/lib/systemd/system/nmb.service; enabled)
	  Active: failed since Tue, 27 Sep 2011 07:17:51 -0300; 19s ago
	 Process: 1580 ExecStart=/usr/sbin/nmbd $NMBDOPTIONS (code=exited, status=0/SUCCESS)
	Main PID: 1581 (code=exited, status=1/FAILURE)
	  CGroup: name=systemd:/system/nmb.service

And it stays in the failed state no matter how many times I try to start it. The smb.service runs fine, but without nmb.service, other machines are unable to see the Samba server.

Maybe it's a duplicate of bug 486231.

--- Additional comment from marcosfrm on 2011-09-27 14:24:10 EDT ---

# cat /var/log/samba/log.nmbd
[2011/09/27 12:10:21, 0] nmbd/nmbd.c:860(main)
  nmbd version 3.6.0-72.fc16 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2011
[2011/09/27 12:10:21, 0] lib/util_sock.c:1322(create_pipe_sock)
  error creating socket directory /var/nmbd: Permissão negada
[2011/09/27 12:10:21, 0] nmbd/nmbd_packets.c:48(nmbd_init_packet_server)
  ERROR: nb_packet_server_create failed: NT_STATUS_ACCESS_DENIED

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317136221.482:24): avc: denied { write } for pid=910 comm="nmbd" name="var" dev=sda2 ino=261633 scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

--- Additional comment from marcosfrm on 2011-09-27 14:34:09 EDT ---

https://bugzilla.samba.org/show_bug.cgi?id=8230
http://gitweb.samba.org/?p=samba.git;a=commit;h=a10029b854a7bfb536b9ed1cd0c4383f9ff8b3c0

related?

--- Additional comment from ssorce on 2011-09-27 14:50:52 EDT ---

(In reply to comment #2)
> https://bugzilla.samba.org/show_bug.cgi?id=8230
> http://gitweb.samba.org/?p=samba.git;a=commit;h=a10029b854a7bfb536b9ed1cd0c4383f9ff8b3c0
>
> related?

Yep, looks like we should either allow nmbd to create /var/nmbd or precreate it.

Adding Dan Walsh in CC so he can tell us what's best/easiest from the SELinux point of view.

--- Additional comment from marcosfrm on 2011-09-27 19:52:34 EDT ---

Or use the "--with-nmbdsocketdir" configure option I think.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628121

--- Additional comment from dwalsh on 2011-09-28 10:55:46 EDT ---

/var/nmbd should be in the spec file.

And shouldn't it be in /var/lib/nmbd? Or /var/run/nmbd?

Is this a new directory and does nmbd_t need to be able to manage all content within this directory?

--- Additional comment from marcosfrm on 2011-09-30 20:18:22 EDT ---

For Samba 4 upstream will use /var/run/nmbd by default.

http://gitweb.samba.org/?p=samba.git;a=commit;h=edd3e8b03aa0bca85d4a9a62b35471e76a1f9390

With 3.6 --with-nmbdsocketdir=/var/run/nmbd will make SELinux happy, won't it?

--- Additional comment from mgrepl on 2011-10-03 04:52:20 EDT ---

Yes, this is better.

Does nmbd_t need to be able to manage all content within this directory?

--- Additional comment from marcosfrm on 2011-10-03 07:25:26 EDT ---

FWIK the "unexpected" socket is the only thing created there (at least now). It's used by nmbd for some tasks.

http://gitweb.samba.org/?p=samba.git;a=commit;h=b2c62d639d7fd565d39a999d500018b290b5279f

--- Additional comment from gdeschner on 2011-10-04 06:55:53 EDT ---

(In reply to comment #5)
> /var/nmbd should be in the spec file.
>
> And shouldn't it be in /var/lib/nmbd? Or /var/run/nmbd?
>
> Is this a new directory and does nmbd_t need to be able to manage all content
> within this directory?

Yes, we will use --with-nmbdsocketdir=/var/run/nmbd and nmbd_t needs to be able to manage all content within this directory.

--- Additional comment from updates on 2011-10-04 07:06:48 EDT ---

samba-3.6.0-73.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/samba-3.6.0-73.fc16

--- Additional comment from updates on 2011-10-04 16:46:37 EDT ---

Package samba-3.6.0-73.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing samba-3.6.0-73.fc16'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/samba-3.6.0-73.fc16
then log in and leave karma (feedback).

--- Additional comment from me on 2011-10-05 05:57:02 EDT ---

samba-3.6.0-73.fc16 didn't fix this bug. nmb.service doesn't start.

/var/log/messages after systemctl start nmb.service:

Oct 5 13:47:53 localhost kernel: [ 1075.030257] type=1400 audit(1317808073.321:141): avc: denied { create } for pid=7983 comm="nmbd" name="unexpected" scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:nmbd_var_run_t:s0 tclass=sock_file
Oct 5 13:47:53 localhost systemd[1]: PID 7983 read from file /run/nmbd.pid does not exist. Your service or init script might be broken.
Oct 5 13:47:53 localhost systemd[1]: nmb.service: main process exited, code=exited, status=1
Oct 5 13:47:53 localhost systemd[1]: Unit nmb.service entered failed state.

# ls -alZ /run/nmb*
-rw-r--r--. root root system_u:object_r:nmbd_var_run_t:s0 /run/nmbd.pid

/run/nmbd:
drwxr-xr-x. root root system_u:object_r:nmbd_var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..

Could you test it with http://koji.fedoraproject.org/koji/buildinfo?buildID=266977
Yes, Miroslav. After I've updated selinux-policy (and -targeted) to version 3.10.0-37.fc16, the command 'systemctl start nmb.service' works fine for me. nmbd was started without any user selinux modules.
selinux-policy-3.10.0-38.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/FEDORA-2011-13775
selinux-policy-3.10.0-38.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Thanks!
selinux-policy-3.10.0-38.fc16 solved the problem. Thanks!
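
An added example, not part of the original report and not code from Samba or selinux-policy: a small Python parser run over the two AVC denials quoted in this thread, showing the type-enforcement rule each denial corresponds to and whether the target label suggests moving the path (as was done with /var/run/nmbd) or changing policy. The GENERIC_TARGETS set and the triage() hint strings are assumptions made for this example.

```python
import re

# The two AVC denials quoted in this report (log prefixes trimmed).
AVC_LINES = [
    'type=AVC msg=audit(1317136221.482:24): avc: denied { write } for pid=910 '
    'comm="nmbd" name="var" dev=sda2 ino=261633 '
    'scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'type=1400 audit(1317808073.321:141): avc: denied { create } for pid=7983 '
    'comm="nmbd" name="unexpected" scontext=system_u:system_r:nmbd_t:s0 '
    'tcontext=system_u:object_r:nmbd_var_run_t:s0 tclass=sock_file',
]

DENIED_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption for this example: a target carrying one of these generic labels
# points to a mislocated or mislabeled path rather than a missing policy rule.
GENERIC_TARGETS = {'var_t'}


def parse_avc(line):
    """Return the denial's fields as a dict, or None if it is not a usable AVC denial."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    # A context is user:role:type[:level]; the type is the third field.
    src, tgt = (rec[k].split(':') for k in ('scontext', 'tcontext'))
    if len(src) < 3 or len(tgt) < 3:
        return None
    rec['source_type'], rec['target_type'] = src[2], tgt[2]
    rec['perms'] = m.group(1).split()
    return rec


def to_rule(rec):
    """Render the type-enforcement rule that the denial corresponds to."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {source_type} {target_type}:{tclass} '.format(**rec) + perm_str + ';'


def triage(rec):
    """Hint whether the path or the policy is the thing to change."""
    return 'fix-path-or-label' if rec['target_type'] in GENERIC_TARGETS else 'review-policy'


if __name__ == '__main__':
    for line in AVC_LINES:
        rec = parse_avc(line)
        print(triage(rec), '|', rec['comm'], '|', to_rule(rec))
```

The rendered rule is a reading aid for the denial, not a recommendation to load it; the first denial in this thread was resolved by relocating the socket directory, the second by the selinux-policy update.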