A little help with SELinux

Situation: I installed this samba4 package on CentOS 6.4:
samba4-4.0.1-4.centos6.1.x86_64 (which had the path /usr/share/samba4, /var/lock/samba4, etc.)
I use SELinux, so I put in context

/var/lock/samba4                 -d    system_u:object_r:samba_var_t:s0
/var/lock/samba4/.*              --    system_u:object_r:samba_var_t:s0
/var/log/samba4                  -d    system_u:object_r:samba_log_t:s0
/var/log/samba4/.*               --    system_u:object_r:samba_log_t:s0
/var/lock/samba4/smb_krb5        -d    system_u:object_r:samba_var_t:s0
/var/run/samba4/brlock\.tdb      --    system_u:object_r:smbd_var_run_t:s0
/var/run/samba4/locking\.tdb     --    system_u:object_r:smbd_var_run_t:s0

and then

setfiles targeted/contexts/files/file_contexts  /var/lock/samba4

but when I try to start the service, it fails

[2013/04/06 23:52:27,  7, pid=12982, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:5134(lp_servicenumber)
  lp_servicenumber: couldn't find homes
[2013/04/06 23:52:27,  4, pid=12982, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:176(get_current_groups)
  get_current_groups: user is in 3 groups: 0, 10512, 10572
[2013/04/06 23:52:27,  2, pid=12982, effective(0, 0), real(0, 0)] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
  tdb(/var/lock/samba4/messages.tdb): tdb_open_ex: could not open file /var/lock/samba4/messages.tdb: Permission denied
[2013/04/06 23:52:27,  2, pid=12982, effective(0, 0), real(0, 0)] ../source3/lib/messages_local.c:132(messaging_tdb_init)
  ERROR: Failed to initialise messages database: Permission denied
[2013/04/06 23:52:27,  2, pid=12982, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:203(messaging_init)
  messaging_tdb_init failed: NT_STATUS_ACCESS_DENIED

The SELinux log said

type=SYSCALL msg=audit(1365320244.679:1168): arch=c000003e syscall=83 success=no exit=-13 a0=1110990 a1=1ed a2=ffffffff a3=7fff7307ff80 items=0 ppid=3600 pid=3601 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=107 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1365320244.680:1169): avc:  denied  { search } for  pid=3601 comm="smbd" name="lock" dev=dm-0 ino=261901 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=SYSCALL msg=audit(1365320244.680:1169): arch=c000003e syscall=2 success=no exit=-13 a0=110fd40 a1=42 a2=180 a3=7fff7307fe00 items=0 ppid=3600 pid=3601 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=107 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)

Can someone help?
Thanks
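
Reading the AVC record quoted in the post above field by field, as an added example (not code from the thread, Samba or the SELinux tools): this Python sketch parses the record and groups denials by source type, target type and class. The function names `parse_avc` and `summarize` are hypothetical; the sample line is the AVC record copied from the post.

```python
import re

# AVC record copied from the post above; nothing is read from disk.
SAMPLE = ('type=AVC msg=audit(1365320244.680:1169): avc:  denied  { search } for  '
          'pid=3601 comm="smbd" name="lock" dev=dm-0 ino=261901 '
          'scontext=unconfined_u:system_r:smbd_t:s0 '
          'tcontext=system_u:object_r:var_lock_t:s0 tclass=dir')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def sel_type(ctx):
    # A context is user:role:type:level; the level may itself contain ':'.
    parts = ctx.split(':', 3)
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Return a dict describing one AVC record, or None for any other line."""
    if 'type=AVC' not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (q or b) for k, q, b in FIELD_RE.findall(m.group(3))}
    return {
        'result': m.group(1),
        'perms': m.group(2).split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': sel_type(fields.get('scontext', '')),
        'target_type': sel_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
    }

def summarize(lines):
    """Group denials by (source type, target type, class)."""
    out = {}
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            entry = out.setdefault(key, {'perms': set(), 'names': set()})
            entry['perms'].update(rec['perms'])
            if rec['name']:
                entry['names'].add(rec['name'])
    return out

if __name__ == '__main__':
    for (src, tgt, cls), e in summarize([SAMPLE]).items():
        print(f"{src} denied {{ {' '.join(sorted(e['perms']))} }} on {cls} "
              f"labelled {tgt} (name: {', '.join(sorted(e['names']))})")
```

For the quoted record this reports that `smbd_t` was denied `search` on a directory named `lock` labelled `var_lock_t`.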

First things first, it was unclear from your post but does Samba4 work when SELINUX is disabled?

Sure.
Works fine.

SAMBA -- Installation and Setup of Samba4 AD DC on CentOS6

A great solution
