0

My Samba4 service is being blocked from starting using systemctl. The audit log shows:

```
type=AVC msg=audit(1606428851.446:87): avc:  denied  { execute } for  pid=1748 comm="(samba)" 
name="samba" dev="dm-0" ino=1462831 scontext=system_u:system_r:init_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
```

Setting SELinux policy to "permissive" solves the problem ... but it's not a full-time solution.

Samba was built locally. It's not a repo package. So as I understand it, I have to manually enable its executable path in SELinux. But how can I do it?

Service definition file looks like:

```
[Unit]
Description=Samba Active Directory Domain Controller
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/local/samba/sbin/samba -D
PIDFile=/usr/local/samba/var/run/samba.pid
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
```

Paul Paku

1 Answer

1

In addition to manually compiling Samba (why??!?) you also moved instead of copied the binary into place in /usr/local. Thus it kept its SELinux type user_home_t, applied to files in user home directories.

A simple restorecon will fix that.

Of course, since you manually built Samba (again, WHY?) many of its other files will be in locations SELinux does not expect, so you likely will have further issues.

Michael Hampton
  • I built it, as at the time of the CentOS 8 install there was no samba4 package for CentOS 8. Now it seems there is one ... No, I didn't move anything anywhere. If you would ever build software you would know there are config files prepared by the devs to put executables in proper folders. Building does not mean to create by hand! Will test your solution anyway. – Paul Paku Nov 29 '20 at 22:28
  • @PaulPaku Eh? Samba 4 has been in CentOS 8 since day one. It's called `samba`, not `samba4` though. – Michael Hampton Nov 29 '20 at 23:19
  • Sure, I am blind .. As I remember there was no Samba at all at the day I downloaded ISO. – Paul Paku Nov 30 '20 at 08:01
  • Tried to use the samba package on another server... not working. Will have to build it myself :( Look at my last question. – Paul Paku Dec 09 '20 at 20:53
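
The diagnosis in the answer can be read straight off the AVC record: the source type is `init_t` and the target file carries `user_home_t`. The following is an added example, not part of the original question or answer; it parses the denial and flags a target labeled with a home-directory type. The function names and the list of types treated as suspect are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read the fields of an AVC record and flag a mislabeled executable.
# SAMPLE_AVC is the denial quoted in the question, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1606428851.446:87): avc:  denied  { execute } for  pid=1748 comm="(samba)" name="samba" dev="dm-0" ino=1462831 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of KEY=..., with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_type CONTEXT -> the type, i.e. third field of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD -> the denied permissions listed inside { }
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# avc_diagnose RECORD -> one-line verdict
# Assumption: these three types mark a file that kept a home or tmp label.
avc_diagnose() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    perms=$(avc_perms "$1")
    case "$tgt" in
        user_home_t|admin_home_t|user_tmp_t)
            echo "mislabeled: $src denied { $perms } on $(avc_field "$1" name) labeled $tgt" ;;
        *)
            echo "review: $src denied { $perms } on type $tgt" ;;
    esac
}

# check_label PATH: dry run only; shows the current label and what restorecon would change
check_label() {
    ls -Z "$1"
    restorecon -n -v "$1"
}

avc_diagnose "$SAMPLE_AVC"
# On the affected host (path taken from ExecStart in the unit file):
#   check_label /usr/local/samba/sbin/samba
#   restorecon -Rv /usr/local/samba
```

`restorecon -n -v` only reports the relabel it would perform; dropping `-n` applies the label the loaded policy defines for that path.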