[CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

Wed May 26 01:44:41 UTC 2010
Whit Blauvelt <whit at transpect.com>

On Tue, May 25, 2010 at 08:52:58PM -0400, Ross Walker wrote:

> Selinux alerts are in /var/log/audit/audit.log

Thank you for that. Cryptic, but there it is.

> The problem is if smbd doesn't create the messages.tdb file then it  
> won't have the selinux rights.

I don't follow you. What else could have ever created the messages.tdb file?
These were virgin OS installs. Whatever's in /var/cache/samba, at the time
that smbd wouldn't run - which is right off the bat or at least as soon as it
mattered to us, after our config was in place - is there only because either
the CentOS install, or samba itself in trying to start it from
/etc/init.d/smb, put it there. What else could have ever created
messages.tdb than smbd?

If selinux's real complaint is that it doesn't like the files in /etc/samba
being copied in from another system, that would make some sense - except
that I'm not finding any mention of any of those files in the audit logs.
And that still doesn't say why it starts having a problem with
/var/cache/samba/messages.tdb. Does it?

> That file can be deleted and will be recreated on smbd start, it's  
> just a cache file.

So in theory if I'd nuked that file smbd would have been happy?

Then why was it also happy with "sh /etc/init.d/smb start" but not
"/etc/init.d/smb start"? I'm happy to become more educated on this. But if
invoking a major daemon startup that selinux wants to block is as easy as
that, selinux is window dressing, not security.

What am I missing about how that's anything like useful?

Regards,
Whit
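
An added example, not part of the original message: a small Python parser that reduces AVC denial records of the kind written to /var/log/audit/audit.log to a per-file summary of source domain, target type and denied permissions. The log lines are constructed for illustration (including the `var_t` label, pids and inode numbers), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log format; not taken from the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1274834681.101:45): avc:  denied  { read write } for  pid=2741 comm="smbd" name="messages.tdb" dev=dm-0 ino=98312 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1274834681.101:45): arch=c000003e syscall=2 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1274834702.551:52): avc:  denied  { getattr } for  pid=2760 comm="smbd" path="/var/cache/samba/messages.tdb" dev=dm-0 ino=98312 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=USER_START msg=audit(1274834710.000:53): user pid=2800 uid=0 msg='op=login'
"""

# "avc: denied { perms } for key=value ..." is the body of an AVC record.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def summarize(log_text, comm="smbd"):
    """Group denials for one command by (source type, target type, class, file)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("comm") == comm:
            target = rec.get("path") or rec.get("name", "?")
            # SELinux contexts are user:role:type:level; the type is what policy checks.
            key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2],
                   rec["tclass"], target)
            summary[key].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    for (src, tgt, cls, target), perms in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt} ({cls}) {target}: denied {', '.join(perms)}")
```

The source type in each row shows which domain the process was running in when the denial was logged, and the target type shows the label on the file it tried to touch.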