libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.5.0-2.fc17.x86_64 time: ven. 03 août 2012 18:01:49 RET description: :SELinux is preventing /usr/sbin/smbd from 'getattr' accesses on the file /home/roddy/.ICEauthority. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that smbd should be allowed getattr access on the .ICEauthority file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep smbd /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:smbd_t:s0 :Target Context unconfined_u:object_r:iceauth_home_t:s0 :Target Objects /home/roddy/.ICEauthority [ file ] :Source smbd :Source Path /usr/sbin/smbd :Port <Inconnu> :Host (removed) :Source RPM Packages samba-3.6.6-91.fc17.1.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-142.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Permissive :Host Name (removed) :Platform Linux (removed) 3.5.0-2.fc17.x86_64 #1 : SMP Mon Jul 30 14:48:59 UTC 2012 x86_64 x86_64 :Alert Count 2 :First Seen ven. 03 août 2012 17:50:36 RET :Last Seen ven. 03 août 2012 17:50:36 RET :Local ID bc6c03d3-8e97-4562-9f14-0889cb423905 : :Raw Audit Messages :type=AVC msg=audit(1344001836.238:119): avc: denied { getattr } for pid=2642 comm="smbd" path="/home/roddy/.ICEauthority" dev="dm-2" ino=131985 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:iceauth_home_t:s0 tclass=file : : :type=SYSCALL msg=audit(1344001836.238:119): arch=x86_64 syscall=stat success=yes exit=0 a0=7f48bf4ca9e0 a1=7fffc29a3960 a2=7fffc29a3960 a3=0 items=0 ppid=1085 pid=2642 auid=4294967295 uid=0 gid=0 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null) : :Hash: smbd,smbd_t,iceauth_home_t,file,getattr : :audit2allow : :#============= smbd_t ============== :#!!!! This avc can be allowed using one of the these booleans: :# samba_export_all_ro, samba_enable_home_dirs, samba_export_all_rw : :allow smbd_t iceauth_home_t:file getattr; : :audit2allow -R : :#============= smbd_t ============== :#!!!! This avc can be allowed using one of the these booleans: :# samba_export_all_ro, samba_enable_home_dirs, samba_export_all_rw : :allow smbd_t iceauth_home_t:file getattr; :
If you are sharing your homedir via samba turn on the samba_enable_home_dirs booleans. If you want to allow samba to share users home directories. Then you must tell SELinux about this by enabling the 'samba_enable_home_dirs' boolean.You can read 'iceauth_selinux' man page for more details. Do setsebool -P samba_enable_home_dirs 1
(In reply to comment #1) > If you are sharing your homedir via samba turn on the samba_enable_home_dirs > booleans. > > If you want to allow samba to share users home directories. > Then you must tell SELinux about this by enabling the > 'samba_enable_home_dirs' boolean.You can read 'iceauth_selinux' man page for > more details. > Do > setsebool -P samba_enable_home_dirs 1 Hi Daniel Walsh, Do you mean # setsebool -P samba_enable_home_dirs=1 but nmb.service failed to start at boot # systemctl --all | grep failed nmb.service loaded failed failed Samba NMB Daemon # systemctl status nmb.service nmb.service - Samba NMB Daemon Loaded: loaded (/usr/lib/systemd/system/nmb.service; enabled) Active: failed (Result: exit-code) since Tue, 07 Aug 2012 07:36:49 +0400; 2h 55min ago Process: 955 ExecStart=/usr/sbin/nmbd $NMBDOPTIONS (code=exited, status=0/SUCCESS) Main PID: 962 (code=exited, status=1/FAILURE) CGroup: name=systemd:/system/nmb.service Should i open another post? Thank you very much Have a nice day
If you turn this boolean on does the service start?
(In reply to comment #3) > If you turn this boolean on does the service start? samba_export_all_ro is on samba_enable_home_dirs is on samba_export_all_rw is on When I do a systemctl status nmb.service after a fresh boot, it shows that nmb is enabled, but it fails to start. Weird. Please let me know if I missed something. Best regards
Are you seeing any AVC's ausearch -m avc -ts recent After boot.
(In reply to comment #5) > Are you seeing any AVC's > > ausearch -m avc -ts recent > > After boot. # ausearch -m avc -ts recent <no matches> Regards Roddy
If you start the service using systemctl, does it start?
(In reply to comment #7) > If you start the service using systemctl, does it start? Unfortunately not..really weird # systemctl status nmb.service nmb.service - Samba NMB Daemon Loaded: loaded (/usr/lib/systemd/system/nmb.service; enabled) Active: failed (Result: exit-code) since Tue, 14 Aug 2012 21:32:16 +0400; 7s ago Process: 4141 ExecStart=/usr/sbin/nmbd $NMBDOPTIONS (code=exited, status=0/SUCCESS) Main PID: 4142 (code=exited, status=1/FAILURE) CGroup: name=systemd:/system/nmb.service but samba is working fine # systemctl status smb.service smb.service - Samba SMB Daemon Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled) Active: active (running) since Tue, 14 Aug 2012 17:01:18 +0400; 4h 32min ago Process: 1000 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=0/SUCCESS) Main PID: 1027 (smbd) CGroup: name=systemd:/system/smb.service ├ 1027 /usr/sbin/smbd └ 1028 /usr/sbin/smbd
Any avcs in this case? systemctl start nmb.service ausearch -m avc -ts recent
(In reply to comment #9) > Any avcs in this case? > > systemctl start nmb.service > ausearch -m avc -ts recent After starting nmb.service again there is no AVCS # ausearch -m avc -ts recent <no matches> Perhaps this message from /var/log/samba/log.nmbd could help [2012/08/14 23:28:18, 0] nmbd/nmbd.c:861(main) nmbd version 3.6.6-92.fc17 started. Copyright Andrew Tridgell and the Samba Team 1992-2011 [2012/08/14 23:28:18, 0] nmbd/nmbd.c:889(main) standard input is not a socket, assuming -D option [2012/08/14 23:28:18, 0] lib/util_sock.c:667(open_socket_in) bind failed on port 137 socket_addr = 192.168.10.2. Error = Ne peut attribuer l'adresse demandée [2012/08/14 23:28:18, 0] nmbd/nmbd_subnetdb.c:113(make_subnet) nmbd_subnetdb:make_subnet() Failed to open nmb socket on interface 192.168.10.2 for port 137. Error was Ne peut attribuer l'adresse demandée [2012/08/14 23:28:18, 0] nmbd/nmbd.c:975(main) ERROR: Failed when creating subnet lists. Exiting. Best regards Roddy
Hi, Problem solved in /etc/samba/smb.conf There was a bad interface setting. Thank you very much. Best Regards Roddy