* Problem with SELinux and Squid+Winbind+Samba
From: Luis Fernando C. Talora @ 2004-12-07 11:19 UTC
To: (SELinux@tycho.nsa.gov)
Fellows,
I'm trying to put a server running Squid with Microsoft Windows Active
Directory integrated authentication (using Samba 3 and Winbind). When I
start the squid service, I get the following message (it repeats itself many
times):
Dec 7 08:48:56 svux8-250 kernel: audit(1102416536.028:0): avc: denied {
getattr } for pid=3825 exe=/usr/lib/squid/wb_ntlmauth
path=/var/run/winbindd/pipe dev=hda7 ino=627398
scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t
tclass=sock_file
Since I'm new in SELinux, I have no idea how to solve this. Could someone
give some help?
Thank you all!
Regards,
_____________________
Luis Fernando C. Talora
Support Analyst
* Re: Problem with SELinux and Squid+Winbind+Samba
From: Luke Kenneth Casson Leighton @ 2004-12-07 20:41 UTC
To: Luis Fernando C. Talora; +Cc: (SELinux@tycho.nsa.gov)
On Tue, Dec 07, 2004 at 09:19:14AM -0200, Luis Fernando C. Talora wrote:
> Fellows,
>
> I'm trying to put a server running Squid with Microsoft Windows Active
> Directory integrated authentication (using Samba 3 and Winbind). When I
> start the squid service, I get the following message (it repeats itself many
> times):
>
> Dec 7 08:48:56 svux8-250 kernel: audit(1102416536.028:0): avc: denied {
> getattr } for pid=3825 exe=/usr/lib/squid/wb_ntlmauth
> path=/var/run/winbindd/pipe dev=hda7 ino=627398
> scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t
> tclass=sock_file
> Since I'm new in SELinux, I have no idea how to solve this. Could someone
> give some help?
ah. there's quite a lot involved!
the first thing is, ideally, to write a separate policy for winbindd,
esp. making /var/run/winbindd have its own file context.
then you can grant wb_ntlmauth (or squid_t) the right to access
/var/run/winbindd/pipe.
... anyone got any opinions as to whether winbind should be creating a
socket in /var/run? is that FHS compliant?
l.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
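Added example (not part of the thread or of any poster's code): a small Python parser for the denial quoted in the first message, showing the allow rule it maps to and why a rule against the generic var_run_t label is broader than one against a dedicated type for /var/run/winbindd. The type name winbind_var_run_t and the GENERIC_TYPES list are assumptions made for illustration.

```python
import re

# Constructed sample: the denial quoted in the first message, rejoined onto one line.
SAMPLE = (
    "Dec 7 08:48:56 svux8-250 kernel: audit(1102416536.028:0): avc: denied { "
    "getattr } for pid=3825 exe=/usr/lib/squid/wb_ntlmauth "
    "path=/var/run/winbindd/pipe dev=hda7 ino=627398 "
    "scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t "
    "tclass=sock_file"
)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# Illustrative (assumed) list of catch-all labels shared by many unrelated objects.
GENERIC_TYPES = {"var_run_t", "var_t", "tmp_t", "etc_t"}

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one 'avc: denied' line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {"perms": m.group("perms").split(),
            "source_type": context_type(fields["scontext"]),
            "target_type": context_type(fields["tcontext"]),
            "tclass": fields["tclass"], "path": fields.get("path")}

def allow_rule(denial, target_type=None):
    """Render the allow rule for a denial, optionally against a dedicated target type."""
    perms = denial["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    target = target_type or denial["target_type"]
    return f"allow {denial['source_type']} {target}:{denial['tclass']} {perm_text};"

def needs_dedicated_type(denial):
    """True when the target label is generic, so allowing it would cover unrelated objects."""
    return denial["target_type"] in GENERIC_TYPES

if __name__ == "__main__":
    d = parse_avc(SAMPLE)
    print(allow_rule(d), "| generic target:", needs_dedicated_type(d))
    # winbind_var_run_t is a hypothetical name for the socket's own type.
    print(allow_rule(d, "winbind_var_run_t"))
```

The rule derived directly from the log would let squid_t stat every socket labelled var_run_t, which is why the reply asks for /var/run/winbindd to get its own file context first.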
* Re: Problem with SELinux and Squid+Winbind+Samba
From: Russell Coker @ 2005-01-06 15:06 UTC
To: Luke Kenneth Casson Leighton
Cc: Luis Fernando C. Talora, (SELinux@tycho.nsa.gov)
On Wednesday 08 December 2004 07:41, Luke Kenneth Casson Leighton
<lkcl@lkcl.net> wrote:
> the first thing is, ideally, to write a separate policy for winbindd,
> esp. making /var/run/winbindd have its own file context.
Dan has just done so.
> then you can grant wb_ntlmauth (or squid_t) the right to access
> /var/run/winbindd/pipe.
>
> ... anyone got any opinions as to whether winbind should be creating a
> socket in /var/run? is that FHS compliant?
grep var_run.*sock_file policy.conf
Sockets in /var/run are quite common as the above grep command will
illustrate. Either the FHS is fine with that or there are many buggy
programs. ;)
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page