From 8bc3db57d1674838ced8ae72401539c24089890a Mon Sep 17 00:00:00 2001
From: ssorce
Date: Thu, 5 Apr 2007 14:26:25 +0000
Subject: [PATCH] More work to get SELinux and Samba work well together. SELinux policies have been updated to make samba work ok as a Domain Controller, meanwhile we established a directories where scripts can be installed and run unconfined from smbd. The default smb.conf now contains some more information on how to modify some relevant selinux options to make samba work.

---
 samba.spec | 6 ++++++
 smb.conf.default | 37 +++++++++++++++++++++++++++++++++++--
 2 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/samba.spec b/samba.spec
index 5e1e4c7..9db53c6 100644
--- a/samba.spec
+++ b/samba.spec
@@ -584,6 +584,7 @@ exit 0
 %attr(700,root,root) %dir /var/lib/samba/private
 %dir /var/run/winbindd
 %attr(750,root,wbpriv) %dir /var/lib/samba/winbindd_privileged
+%dir /var/lib/samba/scripts
 %config(noreplace) %{_sysconfdir}/samba/smb.conf
 %config(noreplace) %{_sysconfdir}/samba/lmhosts
 %config(noreplace) %{_sysconfdir}/sysconfig/samba
@@ -631,6 +632,11 @@ exit 0
 #%{_includedir}/libmsrpc.h
 
 %changelog
+* Wed Apr 4 2007 Simo Sorce
+- fixes in smb.conf
+- advice in smb.conf to put scripts in /var/lib/samba/scripts
+- create /var/lib/samba/scripts so that selinux can be happy
+
 * Tue Apr 03 2007 Guenther Deschner 3.0.24-11.fc7
 - enable PAM and NSS dlopen checks during build
 - fix unresolved symbols in libnss_wins.so (bug #198230)
diff --git a/smb.conf.default b/smb.conf.default
index 5312da5..5be6fa0 100644
--- a/smb.conf.default
+++ b/smb.conf.default
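Review bot: The new `%dir /var/lib/samba/scripts` entry in the first samba.spec hunk carries no `%attr`, unlike the neighbouring `/var/lib/samba/private` and `winbindd_privileged` entries that pin mode and owner explicitly. According to the commit message, anything placed in this directory is executed by smbd outside its SELinux confinement, so its ownership and mode are security-relevant and should not depend on the package's default attributes; `%attr(755,root,root) %dir /var/lib/samba/scripts` makes the intent explicit and keeps the directory non-writable for anyone but root. The `%install` section that has to create the directory is outside this hunk; if it is not created there, the `%files` reference fails at build time.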
@@ -19,6 +19,39 @@
 # NOTE: Whenever you modify this file you should run the command "testparm"
 # to check that you have not made any basic syntactic errors.
 #
+#---------------
+# SELINUX NOTES:
+#
+# If you want to use the useradd/groupadd family of binaries please run:
+# setsebool -P samba_domain_controller on
+#
+# If you want to share home directories via samba please run:
+# setsebool -P samba_enable_home_dirs on
+#
+# If you create a new directory you want to share you should mark it as
+# "samba-share_t" so that selinux will let you write into it.
+# Make sure not to do that on system directories as they may already have
+# been marked with othe SELinux labels.
+#
+# Use ls -ldZ /path to see which context a directory has
+#
+# Set labels only on directories you created!
+# To set a label use the following: chcon -t samba_share_t /path
+#
+# If you need to share a system created directory you can use one of the
+# following (read-only/read-write):
+# setsebool -P samba_export_all_ro on
+# or
+# setsebool -P samba_export_all_rw on
+#
+# If you want to run scripts (preexec/root prexec/print command/...) please
+# put them into the /var/lib/samba/scripts directory so that smbd will be
+# allowed to run them.
+# Make sure you COPY them and not MOVE them so that the right SELinux context
+# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
+#
+#--------------
+#
 #======================= Global Settings =====================================
 
 [global]
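Review bot: The new SELinux notes name the share type inconsistently: `"samba-share_t"` (hyphen) in the sentence about marking new directories, but `samba_share_t` in the `chcon` example a few lines below; the type is `samba_share_t`, so the first occurrence should read `"samba_share_t"`. The `chcon` advice also only sets a temporary label that a later `restorecon` or filesystem relabel reverts, so a line such as `# To make the label persistent: semanage fcontext -a -t samba_share_t "/path(/.*)?" ; restorecon -R -v /path` would save admins from shares that silently stop working. In the scripts paragraph, since smbd runs whatever is placed in /var/lib/samba/scripts, a sentence like `# Keep the scripts root-owned and not writable by other users.` belongs next to the copy/restorecon advice. Minor typos in the added text: `othe` → `other`, `prexec` → `preexec`.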
@@ -132,9 +165,9 @@
 ; add user script = /usr/sbin/useradd "%u" -n -g users
 ; add group script = /usr/sbin/groupadd "%g"
-; add machine script = /usr/sbin/adduser -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
+; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
 ; delete user script = /usr/sbin/userdel "%u"
-; delete user from group script = /usr/sbin/deluser "%u" "%g"
+; delete user from group script = /usr/sbin/userdel "%u" "%g"
 ; delete group script = /usr/sbin/groupdel "%g"
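Review bot: The replacement for `delete user from group script` is wrong: `userdel` deletes accounts, it does not remove a user from a group, and shadow-utils `userdel` accepts a single login name, so `/usr/sbin/userdel "%u" "%g"` either fails with a usage error or, in a variant that ignored the extra argument, would delete the user outright. The shadow-utils command for this operation is `; delete user from group script = /usr/sbin/gpasswd -d "%u" "%g"`. The example is commented out, but these lines are written to be uncommented by administrators setting up a domain controller, which is exactly the use case the commit message targets. The hunk header counts nine lines on each side while only seven are visible here, so some context lines (presumably blank ones) appear to have been lost in rendering.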