Tuesday, October 04, 2011

Using samba 3.6 with RHEL 6 and SELinux (OBSOLETE)

Update 2: No, it doesn't work with sernet samba, but I'll look at where it fails; perhaps I need a relabel.

Update 1: This used to be a problem when RHEL 6 came out. They have since updated the samba policies and it now works out of the box.

I have a default installation of RHEL 6, yet want to use samba 3.6 from sernet on it. This doesn't work -- nmbd gets killed by the samba SELinux policy installed on RHEL 6.

A simple workaround is to make the smbd_t and nmbd_t domains permissive. SELinux then logs denials for these domains instead of enforcing them, so you can investigate and create an additional policy module to fix it (admittedly I never bothered; Red Hat fixed their policy to work with samba 3.6).

semodule -d sambagui
semanage permissive -a smbd_t
semanage permissive -a nmbd_t
semodule -l | grep '[sn]mb'
# should show permissive_[sn]mbd_t...

A somewhat more overreaching, and thus not recommended, workaround was to disable the samba policy modules:

semodule -d sambagui
semodule -d samba
semodule -l | grep samba
# should show sambagui and samba as Disabled

Dan Walsh's blog entry may be one of the references for writing SELinux policy modules.

The audit.log entry looks like the following:

avc:  denied  { create } for  pid=3815 comm="nmbd" name="unexpected" scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=sock_file

Saturday, October 01, 2011

No X11 ssh Forwarding from an RHEL Server

I've done a recent server-style installation of RHEL 6, and tried to use system-config tools via an ssh -X connection. This silently fails. It turns out you need to yum install xorg-x11-xauth. Easy peasy if you figure it out, that is :)