On Tue, May 25, 2010 at 08:52:58PM -0400, Ross Walker wrote:
> Selinux alerts are in /var/log/audit/audit.log
Thank you for that. Cryptic, but there it is.
> The problem is if smbd doesn't create the messages.tdb file then it won't have the selinux rights.
I don't follow you. What else could have ever created the messages.tdb file? These were virgin OS installs. Whatever's in /var/cache/samba, at the time that smbd wouldn't run - which is right off the bat or at least as soon as it mattered to us, after our config was in place - is there only because either the CentOS install, or samba itself in trying to start it from /etc/init.d/smb, put it there. What else could have ever created messages.tdb than smbd?
If selinux's real complaint is that it doesn't like the files in /etc/samba being copied in from another system, that would make some sense - except that I'm not finding any mention of any of those files in the audit logs. And that still doesn't say why it starts having a problem with /var/cache/samba/messages.tdb. Does it?
> That file can be deleted and will be recreated on smbd start, it's just a cache file.
So in theory if I'd nuked that file smbd would have been happy?
Then why was it also happy with "sh /etc/init.d/smb start" but not "/etc/init.d/smb start"? I'm happy to become more educated on this. But if invoking a major daemon startup that selinux wants to block is as easy as that, selinux is window dressing, not security.
What am I missing about how that's anything like useful?
Regards, Whit