This is a discussion on Samba and SELinux within the Linux Operating System forums, part of the Unix Operating Systems category.

Can anyone tell me if there are some additional things one needs to do to run samba with SELinux (red hat ws4)?

I have red hat WS4 running and ports: 137:UDP, 138:UDP, 139:TCP, 445:TCP open and I get the login window on my windows PC when I mount a linux samba share (this was all working on older, pre SELinux versions). But when I enter my password, I just get "Denied connection."

I suspect the problem may be an attribute in SELinux. For example, the log files have attribute: object_r:samba_log_t but do I need to add a different one to my directory and files in the samba share, and if so which one? I've looked at http://www.redhat.com/docs/manuals/e...tion-0048.html but no samba user is listed. Is there a definition somewhere of what all the possible attributes are and what they do?

Thanks for any help, including any other suggestions for my samba problem (I've checked passwords multiple times and restarted the samba server, rebooted, etc).

Roger

In comp.os.linux.setup "Roger N. Clark (change username to rnclark)" <username@qwest.net>:
> Can anyone tell me if there are some additional things one
> needs to do to run samba with SELinux (red hat ws4)?

> I have red hat WS4 running and ports:
> 137:UDP, 138:UDP, 139:TCP, 445:TCP open
> and I get the login window on my windows PC when I
> mount a linux samba share (this was all working on
> older, pre SELinux versions). But when I enter my password,
> I just get "Denied connection."

> I suspect the problem may be an attribute in SELinux. For example,
> the log files have attribute: object_r:samba_log_t
> but do I need to add a different one to my directory and files
> in the samba share, and if so which one?

Easiest way I found to get back a usable server was adding "selinux=0" to the bootloader appropriate append line and simply reboot.

Good luck

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 412: Radial Telemetry Infiltration

"Michael Heiming" <michael+USENET@www.heiming.de> wrote in message news:lhm593-9rd.ln1@news.heiming.de...
> In comp.os.linux.setup "Roger N. Clark (change username to rnclark)"
> <username@qwest.net>:
>> Can anyone tell me if there are some additional things one
>> needs to do to run samba with SELinux (red hat ws4)?
>
>> I have red hat WS4 running and ports:
>> 137:UDP, 138:UDP, 139:TCP, 445:TCP open
>> and I get the login window on my windows PC when I
>> mount a linux samba share (this was all working on
>> older, pre SELinux versions). But when I enter my password,
>> I just get "Denied connection."
>
>> I suspect the problem may be an attribute in SELinux. For example,
>> the log files have attribute: object_r:samba_log_t
>> but do I need to add a different one to my directory and files
>> in the samba share, and if so which one?
>
> Easiest way I found to get back a usable server was adding
> "selinux=0" to the bootloader appropriate append line and simply
> reboot.

Umm. At least with RedHat published releases, there is the "system-config-security" or some tool like that, which resets values in /etc/sysconfig/ and sets this option appropriately, without directly having to edit your lilo.conf or grub.conf. It does require a reboot or the use of the telinit command to reset correctly, but it works rather better than hand-editing your boot configuration.

In comp.os.linux.setup Nico Kadel-Garcia <nkadel@comcast.net>:
> "Michael Heiming" <michael+USENET@www.heiming.de> wrote in message
> news:lhm593-9rd.ln1@news.heiming.de...
>> In comp.os.linux.setup "Roger N. Clark (change username to rnclark)"
>> <username@qwest.net>:
>>> Can anyone tell me if there are some additional things one
>>> needs to do to run samba with SELinux (red hat ws4)?
[..]
>> Easiest way I found to get back a usable server was adding
>> "selinux=0" to the bootloader appropriate append line and simply
>> reboot.

> Umm. At least with RedHat published releases, there is the "system-config-security"
> or some tool like that, which resets values in /etc/sysconfig/ and sets
> this option appropriately, without directly having to edit your lilo.conf or
> grub.conf. It does require a reboot or the use of the telinit command to
> reset correctly, but it works rather better than hand-editing your boot
> configuration.

What on earth is wrong with editing your bootloader config and why shouldn't it work? It's on the system to be edited.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 189: SCSI's too wide.

Michael Heiming wrote:
> In comp.os.linux.setup "Roger N. Clark (change username to rnclark)"
> <username@qwest.net>:
>> Can anyone tell me if there are some additional things one
>> needs to do to run samba with SELinux (red hat ws4)?
>
>> I have red hat WS4 running and ports:
>> 137:UDP, 138:UDP, 139:TCP, 445:TCP open
>> and I get the login window on my windows PC when I
>> mount a linux samba share (this was all working on
>> older, pre SELinux versions). But when I enter my password,
>> I just get "Denied connection."
>
>> I suspect the problem may be an attribute in SELinux. For example,
>> the log files have attribute: object_r:samba_log_t
>> but do I need to add a different one to my directory and files
>> in the samba share, and if so which one?
>
> Easiest way I found to get back a usable server was adding
> "selinux=0" to the bootloader appropriate append line and simply
> reboot.
>
> Good luck
>

Keep in mind this disables all selinux security.

In comp.os.linux.setup Ken K <kkauffman@nospam.headfog.com>:
> Michael Heiming wrote:
>> In comp.os.linux.setup "Roger N. Clark (change username to rnclark)"
>> <username@qwest.net>:
>>> Can anyone tell me if there are some additional things one
>>> needs to do to run samba with SELinux (red hat ws4)?
[..]
>> Easiest way I found to get back a usable server was adding
>> "selinux=0" to the bootloader appropriate append line and simply
>> reboot.

> Keep in mind this disables all selinux security.

Yep, luckily. ;-)

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 460: Here's a nickel, kid. Get yourself a better computer.

"Michael Heiming" <michael+USENET@www.heiming.de> wrote in message news
> What on earth is wrong with editing your bootloader config and
> why shouldn't it work? It's on the system to be edited.

Because it's too damn easy to break, and because on many systems, it gets very oddly overwritten. Take a look at the SuSE autoyast manipulations of the grub setups for examples of just how badly it can be done.

The manipulations of /etc/sysconf/security are much more graceful, and allow easy changing of a single feature *that is not actually part of the boot process itself!!!* At least for RedHat, the SELinux settings get run out of init scripts.

Ken K wrote:
> Michael Heiming wrote:
>
>
>>In comp.os.linux.setup "Roger N. Clark (change username to rnclark)"
>><username@qwest.net>:
>>
>>>Can anyone tell me if there are some additional things one
>>>needs to do to run samba with SELinux (red hat ws4)?
>>
>>>I have red hat WS4 running and ports:
>>>137:UDP, 138:UDP, 139:TCP, 445:TCP open
>>>and I get the login window on my windows PC when I
>>>mount a linux samba share (this was all working on
>>>older, pre SELinux versions). But when I enter my password,
>>>I just get "Denied connection."
>>
>>>I suspect the problem may be an attribute in SELinux. For example,
>>>the log files have attribute: object_r:samba_log_t
>>>but do I need to add a different one to my directory and files
>>>in the samba share, and if so which one?
>>
>>Easiest way I found to get back a usable server was adding
>>"selinux=0" to the bootloader appropriate append line and simply
>>reboot.
>>
>>Good luck
>>
>
>
> Keep in mind this disables all selinux security.

I solved the problem. I used the security setting tool to turn off selinux security for the samba daemon. So no other security is affected. I have samba configured to only allow shares to specific IP addresses within the internal network.

Roger

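
Added example (not part of any post in this thread, and not Red Hat's or Samba's code): one way to see what SELinux is actually refusing the Samba daemon before switching protection off is to tally the AVC denials logged for the smbd_t domain. The function names and sample log lines are constructed for illustration, and the script assumes the classic `avc:  denied` text format.

```bash
#!/usr/bin/env bash
# Added example: tally SELinux AVC denials raised against the Samba daemon.
# Assumptions: denials use the classic "avc:  denied" text format and smbd
# runs in the smbd_t domain; function names here are illustrative.

# Constructed sample log lines (not taken from the thread).
sample_avc_log() {
cat <<'EOF'
audit(1115316408.926:0): avc:  denied  { read } for  pid=2199 exe=/usr/sbin/smbd name=share dev=hda3 ino=98112 scontext=root:system_r:smbd_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1115316409.101:0): avc:  denied  { getattr } for  pid=2199 exe=/usr/sbin/smbd path=/export/share/a.txt dev=hda3 ino=98113 scontext=root:system_r:smbd_t tcontext=system_u:object_r:user_home_t tclass=file
audit(1115316409.320:0): avc:  denied  { read } for  pid=2199 exe=/usr/sbin/smbd name=share dev=hda3 ino=98112 scontext=root:system_r:smbd_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1115316500.000:0): avc:  denied  { write } for  pid=3011 exe=/usr/sbin/httpd name=tmp dev=hda3 ino=5 scontext=root:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
smbd[2199]: connection request for service share from a constructed client
EOF
}

# Reads log lines on stdin; prints "<count> <target type> <class> <permission>".
summarise_smbd_denials() {
  awk '
    /avc:[ ]+denied/ {
      scon = ""; tcon = ""; tclass = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      scon = substr($i, 10)
        else if ($i ~ /^tcontext=/) tcon = substr($i, 10)
        else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
      }
      # A context is user:role:type[:level]; the type is the third field.
      split(scon, s, ":"); split(tcon, t, ":")
      if (s[3] != "smbd_t") next        # keep only denials hitting smbd
      # The denied permissions are listed between the braces.
      if (!match($0, /[{][^}]*[}]/)) next
      n = split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")
      for (j = 1; j <= n; j++) count[t[3] " " tclass " " p[j]]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k2
}

sample_avc_log | summarise_smbd_denials
```

On a live system the same function can be fed the system's own log on stdin. A target type such as user_home_t on the share's files points to a labelling mismatch rather than a password failure.
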
In comp.os.linux.setup Nico Kadel-Garcia <nkadel@comcast.net>:
> "Michael Heiming" <michael+USENET@www.heiming.de> wrote in message
> news
>> What on earth is wrong with editing your bootloader config and
>> why shouldn't it work? It's on the system to be edited.

> Because it's too damn easy to break, and because on many systems, it gets
> very oddly overwritten. Take a look at the SuSE autoyast manipulations of
> the grub setups for examples of just how badly it can be done.

Works fine for me, yum takes care of copying settings while installing a new kernel. Autoyast is generally a pita maintaining, due to the dumb xml format, RH kickstart beats it by magnitudes.

Had some trouble with RHEL 4, until recognizing it was just the dumb selinux which is enabled per default. Strange enough you can setup RHEL with lilo out of the box only if using kickstart, otherwise you'll be forced to use grub initially. Dunno why distros try to restrict your choice so badly? I suppose marketing droids as well as lawyers in the case of enabling selinux per default on an "enterprise" server distro. Which is a rather dumb idea in the first place. Really don't have the time to maintain selinux settings. Wonder if those people have ever been responsible for a large amount of systems? For sure a good idea to have the availability of selinux, but it should *not* be enabled per default!

[..]

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 401: Sales staff sold a product we don't offer.

"Michael Heiming" <michael+USENET@www.heiming.de> wrote in message news:hg0793-n9i.ln1@news.heiming.de...
> Had some trouble with RHEL 4, until recognizing it was just the
> dumb selinux which is enabled per default. Strange enough you can
> setup RHEL with lilo out of the box only if using kickstart,
> otherwise you'll be forced to use grub initially. Dunno why
> distros try to restrict your choice so badly? I suppose marketing
> droids as well as lawyers in the case of enabling selinux per
> default on an "enterprise" server distro. Which is a rather dumb
> idea in the first place. Really don't have the time to maintain
> selinux settings. Wonder if those people have ever been
> responsible for a large amount of systems? For sure a good idea
> to have the availability of selinux, but it should *not* be
> enabled per default!

Grub is, in many ways, vastly superior to LILO. It doesn't have the old 1024 cylinder limitation and the resulting requirement for /boot to be early on your disk, it allows lengthier and more descriptive boot options (LILO has a 15 character or so limit), and it's just generally more powerful.

SELinux is being touted, for a lot of reasons, as the way to go to address some remaining security issues for Linux. The "on-by-default" is an install time option, just like a firewall. It makes sense to turn on for most machines, but the integration isn't very good yet, I admit.
|
|