Old 01-31-2008, 04:32 PM
"Arthur Pemberton"
 
Default Selinux does not allow samba

On Jan 31, 2008 11:22 AM, Henning Larsen <hennlar@start.no> wrote:
> Hello
> On Thu, 2008-01-31 at 11:14 -0600, Arthur Pemberton wrote:
> > On Jan 31, 2008 4:08 AM, Henning Larsen <hennlar@start.no> wrote:
> > > Hello
> > >
> > > I get an alert from selinux, telling me to do:
> > >
> > > 'setsebool -P samba_export_all_ro=1'
> > >
> > > I did, but still cannot connect to the share from other PCs.
> > > Do I have to reboot?
> > >
> > > P.S. All booleans for samba are selected in selinux administration.
> > >
> > > Henning Larsen
> >
> >
> > Are you still getting alerts?
> >
> After doing that setsebool -P samba.... I still get alerts, but I found
> one solution via google, like this:
>
> # grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
> # semodule -i mysamba.pp
>
> This removes the alert, but I think it is not the proper way.
> Maybe it is a bug?
> If so, how do I remove the modification I have made, when the bug is
> fixed?
>
> Thanks for helping.


It's definitely not the proper way for a program as popular as Samba. I
have it running on a machine with SELinux myself so I know it works.

Do you have setroubleshoot installed? It helps troubleshoot these
issues, often suggesting exactly what to do and describing what
happened as much as possible.

If you still have the full description of the issue, paste it here. If
we can't understand it, try the selinux mailing list.


--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 01-31-2008, 05:02 PM
Henning Larsen
 
Default Selinux does not allow samba

On Thu, 2008-01-31 at 11:32 -0600, Arthur Pemberton wrote:
> It's definitely not the proper way for a program as popular as Samba. I
> have it running on a machine with SELinux myself so I know it works.
>
> Do you have setroubleshoot installed? It helps troubleshoot these
> issues, often suggesting exactly what to do and describing what
> happened as much as possible.
>
> If you still have the full description of the issue, paste it here. If
> we can't understand it, try the selinux mailing list.

I do not have the full report, since it is gone, because of what I did to
get rid of the alert.
I have setroubleshoot installed and it told me to do:

'setsebool -P samba_export_all_ro=1'

I did, but it kept telling me to do the same thing.
The share is ntfs on usb. I should try to share an ordinary filesystem,
but the alert has gone after doing:

# grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
# semodule -i mysamba.pp

I do not know how to reverse this.

btw, I can live with it since the alert has gone and I use enforcing
mode.

Thanks
Henning Larsen

 
Old 01-31-2008, 06:05 PM
"Arthur Pemberton"
 
Default Selinux does not allow samba

On Jan 31, 2008 12:02 PM, Henning Larsen <hennlar@start.no> wrote:
> I do not have the full report, since it is gone, because of what I did to
> get rid of the alert.
> I have setroubleshoot installed and it told me to do:
>
> 'setsebool -P samba_export_all_ro=1'
>
> I did, but it kept telling me to do the same thing.
> The share is ntfs on usb. I should try to share an ordinary filesystem,
> but the alert has gone after doing:
>
> # grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
> # semodule -i mysamba.pp
>
> I do not know how to reverse this.
>
> btw, I can live with it since the alert has gone and I use enforcing
> mode.
>
> Thanks

No prob.


 
Old 01-31-2008, 06:28 PM
Daniel J Walsh
 
Default Selinux does not allow samba

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Henning Larsen wrote:
> I do not have the full report, since it is gone, because of what I did to
> get rid of the alert.
> I have setroubleshoot installed and it told me to do:
>
> 'setsebool -P samba_export_all_ro=1'
>
> I did, but it kept telling me to do the same thing.
> The share is ntfs on usb. I should try to share an ordinary filesystem,
> but the alert has gone after doing:
>
> # grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba
> # semodule -i mysamba.pp
>
> I do not know how to reverse this.
>
> btw, I can live with it since the alert has gone and I use enforcing
> mode.
>
> Thanks
> Henning Larsen
>
Please attach the avc messages that you generated policy for. Looks
like you are using samba to share an NFS partition off of a unix box?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeiIWgACgkQrlYvE4MpobO7bQCeOm5I+H9+jp 1w3NUDyKVk1fhD
HjAAn0Yqg+SVMjMze6UCDWnTbxnKNMH5
=g26K
-----END PGP SIGNATURE-----

 
Old 01-31-2008, 10:06 PM
Tim
 
Default Selinux does not allow samba

On Thu, 2008-01-31 at 19:02 +0100, Henning Larsen wrote:
> btw, I can live with it since the alert has gone and I use enforcing
> mode.

Though, going by what you posted earlier using audit2allow, you've
probably disabled SELinux from doing anything about Samba. Enforcing no
rules isn't really enforcing SELinux...

This is the same sort of thing as some firewall telling a user that the
firewall has blocked a trojan from using the internet, and the user clicks
on allow access. You have to diagnose the fault, not just get rid of
the warning.

--
(This computer runs FC7, my others run FC4, FC5 & FC6, in case that's
important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

 
Old 01-31-2008, 10:15 PM
Henning Larsen
 
Default Selinux does not allow samba

On Fri, 2008-02-01 at 09:36 +1030, Tim wrote:
> On Thu, 2008-01-31 at 19:02 +0100, Henning Larsen wrote:
> > btw, I can live with it since the alert has gone and I use enforcing
> > mode.
>
> Though, going by what you posted earlier using audit2allow, you've
> probably disabled SELinux from doing anything about Samba. Enforcing no
> rules isn't really enforcing SELinux...
>
> This is the same sort of thing as some firewall telling a user that the
> firewall has blocked a trojan from using the internet, and the user clicks
> on allow access. You have to diagnose the fault, not just get rid of
> the warning.
>
I did believe that too, my problem now is that I don't know how to
reverse what I did to stop the alerts.
Do you have an answer to that?

btw. my router is firewalled against samba, so there is no big security
issue.

Henning Larsen

 
Old 01-31-2008, 11:06 PM
Tim
 
Default Selinux does not allow samba

On Fri, 2008-02-01 at 00:15 +0100, Henning Larsen wrote:
> my problem now is that I don't know how to reverse what I did to stop
> the alerts.

Previously you'd inserted a module (created by your rules), with this
command, to allow something:

semodule -i mysamba.pp

What you allowed, I don't know. You didn't post that data.

Reading the man file for semodule shows a "-r" remove module option.
Give that a try.

e.g. semodule -r mysamba.pp

 
Old 02-01-2008, 08:33 AM
Tony Molloy
 
Default Selinux does not allow samba

On Thursday 31 January 2008 23:15:50 Henning Larsen wrote:
> I did believe that too, my problem now is that I don't know how to
> reverse what I did to stop the alerts.
> Do you have an answer to that?
>

locate mysamba.pp

rm -f ...active/mysamba.pp
rm -f .../previous/mysamba.pp

reboot

Tony

> btw. my router is firewalled against samba, so there is no big security
> issue.
>
> Henning Larsen


 
Old 02-01-2008, 09:41 AM
Henning Larsen
 
Default Selinux does not allow samba

On Fri, 2008-02-01 at 10:36 +1030, Tim wrote:

>What you allowed, I don't know. You didn't post that data.
>
>Reading the man file for semodule shows a "-r" remove module option.
>Give that a try.
>e.g. semodule -r mysamba.pp

semodule -r mysamba
That removed it

I got the alert back, here it is:

................
Summary
SELinux is preventing the samba daemon from serving r/o local files to
remote clients.

Detailed Description
SELinux has preventing the samba daemon (smbd) from reading files on the
local system. If you have not exported these file systems, this could
signals an intrusion.

Allowing Access
If you want to export file systems using samba you need to turn on the
samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".

The following command will allow this access:
setsebool -P samba_export_all_ro=1

Additional Information

Source Context          system_u:system_r:smbd_t:s0
Target Context          system_u:object_r:fusefs_t:s0
Target Objects          None [ dir ]
Affected RPM Packages   samba-3.0.28-0.fc8 [application]
Policy RPM              selinux-policy-3.0.8-81.fc8
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.samba_export_all_ro
Host Name               venus.popper.homeunix.com
Platform                Linux venus.popper.homeunix.com 2.6.23.14-107.fc8
                        #1 SMP Mon Jan 14 21:37:30 EST 2008 i686 i686
Alert Count             1
First Seen              Fri 01 Feb 2008 11:34:17 AM CET
Last Seen               Fri 01 Feb 2008 11:34:17 AM CET
Local ID                6ed95377-42e5-4309-8a8d-fb1b5e06edee
Line Numbers

Raw Audit Messages

avc: denied { read } for comm=smbd dev=sdd1 egid=99 euid=99
exe=/usr/sbin/smbd exit=-13 fsgid=99 fsuid=99 gid=0 items=0 name=Documents
pid=3363 scontext=system_u:system_r:smbd_t:s0 sgid=0
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:fusefs_t:s0 tty=(none) uid=99

..........


sealert tells me to do:

setsebool -P samba_export_all_ro=1

but it is already done, and has no effect.


Henning Larsen

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
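
Added example, not part of the thread and not audit2allow's own code: it parses AVC denials like the one posted above and returns the type-enforcement allow rules they translate to, which is what a module built from "grep fusefs_t /var/log/audit/audit.log | audit2allow -M mysamba" ends up granting. Records 2 and 3 of the sample are constructed; note that the rules are written on types, so they cover every object labelled fusefs_t and every domain whose denial matched the grep, not only smbd reading the one shared directory.

```python
import re
from collections import defaultdict

# Record 1 is the denial from the post above, joined onto one line, with the
# target context given as system_u:object_r:fusefs_t:s0.
# Records 2 and 3 are constructed for this example.
SAMPLE_AUDIT = """\
avc: denied { read } for comm=smbd dev=sdd1 egid=99 euid=99 exe=/usr/sbin/smbd exit=-13 fsgid=99 fsuid=99 gid=0 items=0 name=Documents pid=3363 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0 tty=(none) uid=99
avc: denied { getattr search } for comm=smbd dev=sdd1 name=Documents pid=3363 scontext=system_u:system_r:smbd_t:s0 tclass=dir tcontext=system_u:object_r:fusefs_t:s0
avc: denied { read } for comm=httpd name=index.html scontext=system_u:system_r:httpd_t:s0 tclass=file tcontext=system_u:object_r:fusefs_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    try:
        # A context is user:role:type[:level]; allow rules are written on the type.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        return stype, ttype, fields["tclass"], set(m.group(1).split())
    except (KeyError, IndexError):
        return None


def allow_rules(audit_text, grep=None):
    """Merge denials into allow rules; `grep` keeps only lines containing that string."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        if grep and grep not in line:
            continue
        rec = parse_avc(line)
        if rec:
            merged[rec[:3]] |= rec[3]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {text};")
    return rules


if __name__ == "__main__":
    # Same filter as `grep fusefs_t /var/log/audit/audit.log` in the thread.
    for rule in allow_rules(SAMPLE_AUDIT, grep="fusefs_t"):
        print(rule)
```

Reading the rules this way before running semodule -i shows what the module grants; once installed, it is removed by module name, as in the "semodule -r mysamba" that worked above.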
 
Old 02-01-2008, 12:26 PM
Tim
 
Default Selinux does not allow samba

On Fri, 2008-02-01 at 11:41 +0100, Henning Larsen wrote:
> I got the alert back, here it is:
>
> ................
> Summary
> SELinux is preventing the samba daemon from serving r/o local
> files to remote clients.
>
> Detailed Description
> SELinux has preventing the samba daemon (smbd) from reading files
> on the local system. If you have not exported these file systems, this
> could signals an intrusion.

Okay, now you might want to tell us what it is that you're trying to
share out (e.g. /home), how that's mounted (e.g. local partition or a
sub-dir off of /), etc.
