Rootop 服务器运维与web架构

samba 的安全上下文 selinux(samba_share_t)

| 暂无评论

       当我们在与linux中交换文件的时候,内网之间一般是用samba这个服务来实现,那我们也会遇到或多或少的阻碍,比如不能访问了,没权限啊,selinux 的问题等等。这次说一下selinux,我们总不能把selinux关掉吧,毕竟找出根本原因是最好方法,也能学习知识不是麽。

我共享了根目录下的backup文件夹,里面放的是系统自动备份的资料,selinux为强制状态,当我访问samba时,能进入到samba列表,但是打不开smb这个共享的文件夹,提示“找不到网络路径”。好,检查服务器日志:

May 25 08:53:33 rhel smbd[3364]:   ‘/backup’ does not exist or permission denied when connecting to [smb] Error was 权限不够

接着下面:

May 25 08:47:46 rhel setroubleshoot: SELinux is preventing samba (smbd) “search” to ./backup (default_t). For complete SELinux messages. run sealert -l 65266ca9-18cb-49e1-8c83-d8a8f9dedf0a

提示我们执行红色部分语句查看具体错误信息。

[root@rhel ~]# sealert -l 65266ca9-18cb-49e1-8c83-d8a8f9dedf0a

摘要:

SELinux is preventing samba (smbd) “search” to ./backup (default_t).

详细的描述:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied samba access to ./backup. If you want to share this directory
with samba it has to have a file context label of samba_share_t. If you did not
intend to use ./backup as a samba repository it could indicate either a bug or
it could signal a intrusion attempt.

正在允许访问:

You can alter the file context by executing chcon -R -t samba_share_t ‘./backup’
You must also change the default file context files on the system in order to
preserve them even on a full relabel. “semanage fcontext -a -t samba_share_t
‘./backup'”

以下命令将允许这个权限:

chcon -R -t samba_share_t ‘./backup’

附加的信息:

源上下文                  root:system_r:smbd_t
目标上下文               root:object_r:default_t
目标对象                  ./backup [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <未知的>
Host                          rhel
Source RPM Packages           samba-3.0.33-3.28.el5
Target RPM Packages
策略 RPM                    selinux-policy-2.4.6-279.el5
Selinux 激活                True
策略类型                  targeted
MLS 激活                    True
强制模式                  Permissive
插件名称                  samba_share
主机名                     rhel
平台                        Linux rhel 2.6.18-194.el5 #1 SMP Tue Mar 16
                              21:52:39 EDT 2010 x86_64 x86_64
警告记数                  3
First Seen                    Wed May 11 11:33:14 2011
Last Seen                     Wed May 25 08:47:44 2011
Local ID                      65266ca9-18cb-49e1-8c83-d8a8f9dedf0a
行数

原始 Audit 消息

host=rhel type=AVC msg=audit(1306284464.893:47): avc:  denied  { search } for  pid=3590 comm=”smbd” name=”backup” dev=sda1 ino=2505890 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir

host=rhel type=SYSCALL msg=audit(1306284464.893:47): arch=c000003e syscall=80 success=yes exit=0 a0=2ad998a50580 a1=2ad998a50580 a2=2ad994ffdb90 a3=ea items=0 ppid=3584 pid=3590 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=”smbd” exe=”/usr/sbin/smbd” subj=root:system_r:smbd_t:s0 key=(null)

好多废话,那么主要的还是smb安全上下文的原因,在此,我知道samba的安全上下文是:samba_share_t (我为什么知道?学的呗)

[root@rhel ~]# chcon -R -t samba_share_t /backup/

再次访问,ok了~

原创文章,转载请注明。本文链接地址: https://www.rootop.org/pages/506.html

赞赏

微信赞赏支付宝赞赏

作者:Venus

专注于 服务器运维与web架构 E-mail:venus#rootop.org

发表评论