* RES: Problem with SELinux and Squid+Winbind+Samba
@ 2004-12-08 10:36 Luis Fernando C. Talora
  2004-12-08 14:24 ` Daniel J Walsh
  2004-12-08 15:18 ` Colin Walters
  0 siblings, 2 replies; 3+ messages in thread
From: Luis Fernando C. Talora @ 2004-12-08 10:36 UTC (permalink / raw)
  To: 'Luke Kenneth Casson Leighton'; +Cc:  (SELinux@tycho.nsa.gov)

That's the problem: I have no idea of how to build policies for SELinux...
Is there a way to remove SELinux features without reinstalling the OS from
scratch? Or (maybe it's better) could you please tell me where to find
some documentation about SELinux? Some tips on how to build the policies
would be nice, too... :)

I'm using Fedora Core 3.

Thank you very much!

Regards,

_____________________
Luis Fernando C. Talora


-----Original message-----
From: Luke Kenneth Casson Leighton [mailto:lkcl@lkcl.net]
Sent: Tuesday, December 7, 2004 18:41
To: Luis Fernando C. Talora
Cc: (SELinux@tycho.nsa.gov)
Subject: Re: Problem with SELinux and Squid+Winbind+Samba

On Tue, Dec 07, 2004 at 09:19:14AM -0200, Luis Fernando C. Talora wrote:
> Fellows,
>  
> I'm trying to put a server running Squid with Microsoft Windows Active
> Directory integrated authentication (using Samba 3 and Winbind). When
> I start the squid service, I get the following message (it repeats
> itself many times):
>  
> Dec  7 08:48:56 svux8-250 kernel: audit(1102416536.028:0): avc:  
> denied  { getattr } for  pid=3825 exe=/usr/lib/squid/wb_ntlmauth 
> path=/var/run/winbindd/pipe dev=hda7 ino=627398 
> scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t 
> tclass=sock_file
  
> Since I'm new to SELinux, I have no idea how to solve this. Could
> someone give some help?
 
  ah.   there's quite a lot involved!

  the first thing is, ideally, to write a separate policy for winbindd,
  esp. making /var/run/winbindd have its own file context.

  then you can grant wb_ntlmauth (or squid_t) the right to access
  /var/run/winbindd/pipe.

 ... anyone got any opinions as to whether winbind should be creating a
socket in /var/run?  is that FHS compliant?

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with the words "unsubscribe selinux" without quotes as the message.
===================================================================
This message may contain confidential and/or privileged information. 
If you are not the addressee or authorized to receive this for the 
addressee, you must not use, copy, disclose, change, take any action 
based on this message or any information herein. If you have received
this message in error, please advise the sender immediately by reply 
e-mail and delete this message. Thank you for your cooperation.
===================================================================
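
Added example (not part of the original thread, and not code from any SELinux tool): a small Python parser for the AVC denial quoted above. It shows the allow rule the denial implies and flags that the target label, var_run_t, is a generic one, which is why the reply suggests giving /var/run/winbindd its own file context before granting squid_t access. The GENERIC_TYPES set is an assumption made for illustration.

```python
import re

# The AVC denial quoted in the thread, joined onto one line (mail wrapping undone).
SAMPLE = ("Dec  7 08:48:56 svux8-250 kernel: audit(1102416536.028:0): avc:  "
          "denied  { getattr } for  pid=3825 exe=/usr/lib/squid/wb_ntlmauth "
          "path=/var/run/winbindd/pipe dev=hda7 ino=627398 "
          "scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t "
          "tclass=sock_file")

# Assumption for this example: labels shared by many unrelated files.
GENERIC_TYPES = {"var_run_t", "var_t", "tmp_t", "etc_t", "file_t", "default_t"}

AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")


def parse_avc(line):
    """Return the fields of one AVC message as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group(3)):
        rec[key] = value.strip('"')
    # A security context is user:role:type (an MLS range may follow the type).
    for field, out in (("scontext", "source_type"), ("tcontext", "target_type")):
        parts = rec.get(field, "").split(":")
        rec[out] = parts[2] if len(parts) >= 3 else None
    return rec


def review(line):
    """For a denial, return the rule it implies and whether the target is generic."""
    rec = parse_avc(line)
    needed = ("source_type", "target_type", "tclass")
    if rec is None or rec["result"] != "denied" or not all(rec.get(k) for k in needed):
        return None
    rule = "allow {} {}:{} {{ {} }};".format(
        rec["source_type"], rec["target_type"], rec["tclass"], " ".join(rec["perms"]))
    # A rule against a generic type covers every object carrying that label,
    # not only the one path that appeared in the denial.
    return {"rule": rule,
            "generic_target": rec["target_type"] in GENERIC_TYPES,
            "path": rec.get("path")}


if __name__ == "__main__":
    print(review(SAMPLE))
```

With the label as logged, the implied rule would let squid_t getattr every sock_file labelled var_run_t, not just the winbindd pipe.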




* Re: RES: Problem with SELinux and Squid+Winbind+Samba
  2004-12-08 10:36 RES: Problem with SELinux and Squid+Winbind+Samba Luis Fernando C. Talora
@ 2004-12-08 14:24 ` Daniel J Walsh
  2004-12-08 15:18 ` Colin Walters
  1 sibling, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2004-12-08 14:24 UTC (permalink / raw)
  To: Luis Fernando C. Talora
  Cc: 'Luke Kenneth Casson Leighton', (SELinux@tycho.nsa.gov)

Luis Fernando C. Talora wrote:

>That's the problem: I have no idea of how to build policies for SELinux...
>Is there a way to remove SELinux features without reinstalling the OS from
>scratch? Or (maybe it's better) could you please tell me where to find
>some documentation about SELinux? Some tips on how to build the policies
>would be nice, too... :)
>
>I'm using Fedora Core 3.
>
>Thank you very much!
>
>Regards,
>
system-config-securitylevel will allow you to adjust or turn off SELinux
on your FC3 machine.
If you just want to turn off squid enforcement, you can select
"Disable SELinux protection for squid daemon"
under the "SELinux Service Protection" list item.
Then restart the squid service.


* Re: RES: Problem with SELinux and Squid+Winbind+Samba
  2004-12-08 10:36 RES: Problem with SELinux and Squid+Winbind+Samba Luis Fernando C. Talora
  2004-12-08 14:24 ` Daniel J Walsh
@ 2004-12-08 15:18 ` Colin Walters
  1 sibling, 0 replies; 3+ messages in thread
From: Colin Walters @ 2004-12-08 15:18 UTC (permalink / raw)
  To: Luis Fernando C. Talora
  Cc: 'Luke Kenneth Casson Leighton', (SELinux@tycho.nsa.gov)


On Wed, 2004-12-08 at 08:36 -0200, Luis Fernando C. Talora wrote:
> That's the problem: I have no idea of how to build policies for SELinux...
> Is there a way to remove SELinux features without reinstalling the OS from
> scratch?

You can disable SELinux enforcement just for Squid.
http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-securitylevel

> Or (maybe it's better) could you please tell me where to find
> some documentation about SELinux?

http://fedora.redhat.com/docs/selinux-faq-fc3/index.html
And there's a lot of other links from there.

