Bug 2905 - default lock directory in fc3 build conflicts selinux-policy-targeted
default lock directory in fc3 build conflicts selinux-policy-targeted
Status: RESOLVED WONTFIX
Product: Samba 3.0
Classification: Unclassified
Component: Packaging
3.0.20
x86 Linux
: P3 normal
: none
Assigned To: Gerald (Jerry) Carter
Samba QA Contact
http://us3.samba.org/samba/ftp/Binary...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-07-21 08:40 UTC by David Timms
Modified: 2006-01-25 05:56 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Timms 2005-07-21 08:40:16 UTC
The default "lock directory" in the .20.pre2 (and .14) when not manually entered
into /etc/samba/smb.conf is /var/lib/samba, whereas the redhat build sets the
default to /var/cache/samba. (tested using testparm -v on 3 builds)

If selinux is installed & enforcing, then smb/nmb have many audit denied fails
(/var/log/messages) when trying to start up using current updated-released
policy: selinux-policy-targeted-1.17.30-3.16.fc3.rpm (redhat)

Adding in /etc/samba/smb.conf:
  lock direcory = /var/cache/samba
allows smb/nmb to start OK.

However, winbind will not start, and has the following audit trail:
Jul 22 01:27:56 server1 kernel: audit(1121959676.497:60): avc:  denied  { search
} for  pid=7876 comm="winbindd" name="/" dev=sda10 ino=2
scontext=user_u:system_r:winbind_t tcontext=system_u:object_r:tmp_t tclass=dir
Jul 22 01:27:56 server1 winbindd[7876]: [2005/07/22 01:27:56, 0]
lib/util_sock.c:create_pipe_sock(1265)
Jul 22 01:27:56 server1 winbindd[7876]:   lstat failed on socket directory
/tmp/.winbindd: Permission denied
Jul 22 01:27:56 server1 winbind: winbindd startup succeeded

notes: 
  while the log says it started, it didn't.
  sda10 is mounted as /tmp.
  turning selinux enforcing off allows winbind to start OK.  
  me thinks that the socket file should be getting created in:
/var/cache/samba/winbindd_privileged (which it does on redhats fc3 3.0.10 build)
but some conflict seems to block it, and it attempts to write instead to
/tmp/.winbindd ...
  is this just a different policy between redhat and samba on where data should
be stored ? or is jerry's package intended to work out of the box on an up2date
fc3 box ?
Comment 1 Gerald (Jerry) Carter 2006-01-25 05:56:49 UTC
/var/lib/samba is the better choice according to the FHS.
RedHat needs to fix their SELinux policies.