Rootop 服务器运维与web架构

samba 的安全上下文 selinux(samba_share_t)

| 暂无评论

       当我们在与linux中交换文件的时候,内网之间一般是用samba这个服务来实现,那我们也会遇到或多或少的阻碍,比如不能访问了,没权限啊,selinux 的问题等等。这次说一下selinux,我们总不能把selinux关掉吧,毕竟找出根本原因是最好方法,也能学习知识不是麽。


May 25 08:53:33 rhel smbd[3364]:   ‘/backup’ does not exist or permission denied when connecting to [smb] Error was 权限不够


May 25 08:47:46 rhel setroubleshoot: SELinux is preventing samba (smbd) “search” to ./backup (default_t). For complete SELinux messages. run sealert -l 65266ca9-18cb-49e1-8c83-d8a8f9dedf0a


[root@rhel ~]# sealert -l 65266ca9-18cb-49e1-8c83-d8a8f9dedf0a


SELinux is preventing samba (smbd) “search” to ./backup (default_t).


[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied samba access to ./backup. If you want to share this directory
with samba it has to have a file context label of samba_share_t. If you did not
intend to use ./backup as a samba repository it could indicate either a bug or
it could signal a intrusion attempt.


You can alter the file context by executing chcon -R -t samba_share_t ‘./backup’
You must also change the default file context files on the system in order to
preserve them even on a full relabel. “semanage fcontext -a -t samba_share_t


chcon -R -t samba_share_t ‘./backup’


源上下文                  root:system_r:smbd_t
目标上下文               root:object_r:default_t
目标对象                  ./backup [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <未知的>
Host                          rhel
Source RPM Packages           samba-3.0.33-3.28.el5
Target RPM Packages
策略 RPM                    selinux-policy-2.4.6-279.el5
Selinux 激活                True
策略类型                  targeted
MLS 激活                    True
强制模式                  Permissive
插件名称                  samba_share
主机名                     rhel
平台                        Linux rhel 2.6.18-194.el5 #1 SMP Tue Mar 16
                              21:52:39 EDT 2010 x86_64 x86_64
警告记数                  3
First Seen                    Wed May 11 11:33:14 2011
Last Seen                     Wed May 25 08:47:44 2011
Local ID                      65266ca9-18cb-49e1-8c83-d8a8f9dedf0a

原始 Audit 消息

host=rhel type=AVC msg=audit(1306284464.893:47): avc:  denied  { search } for  pid=3590 comm=”smbd” name=”backup” dev=sda1 ino=2505890 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir

host=rhel type=SYSCALL msg=audit(1306284464.893:47): arch=c000003e syscall=80 success=yes exit=0 a0=2ad998a50580 a1=2ad998a50580 a2=2ad994ffdb90 a3=ea items=0 ppid=3584 pid=3590 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=”smbd” exe=”/usr/sbin/smbd” subj=root:system_r:smbd_t:s0 key=(null)

好多废话,那么主要的还是smb安全上下文的原因,在此,我知道samba的安全上下文是:samba_share_t (我为什么知道?学的呗)

[root@rhel ~]# chcon -R -t samba_share_t /backup/