-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Whit Blauvelt
Sent: Tuesday, May 25, 2010 21:27
To: CentOS mailing list
Subject: Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

> On Tue, May 25, 2010 at 07:46:56PM -0500, Les Mikesell wrote:
> > I would have looked at selinux first for any "odd failure", but I thought it related to the process itself and couldn't see any way that the process would be different when started as "sh /etc/init.d/smb restart" than simply /etc/init.d/smb restart. Is it?
>
> That selinux would prevent a normal init.d startup of a common daemon like smbd, but allow the same startup in several other ways ... okay, I've never studied selinux. I usually run Ubuntu on servers. I've pretty much literally inherited a bunch of RH-based servers to admin (coworker sadly died), and we're adding more to run in parallel, so CentOS was obvious (RH-the-firm being so badly run it took staff days over the phone just to buy a single new license from them). Of course AppArmor can also get in the way, but at least it logs such actions, so it's obvious if you need to reconfig or turn it off.
>
> I'm solidly impressed with this list. Nothing like it for Ubuntu, and back when Gentoo was my preferred server distro there was more noise surrounding that too. It shows that the interest in CentOS is entirely professional. So that's a strong upside.
>
> But if someone can tell me why selinux thinks it's sane to block "/etc/init.d/smb start" while leaving "sh /etc/init.d/smb start" and even "/some/random/dir/smb start" wide open ... I just can't believe some happy hacker at NSA

If you look at it as the two different commands, then they may have different permissions, owners, contexts, etc...

/bin/sh vs /etc/init.d/smb

I am just logically guessing here but ...

> thought that would count as a security scheme. Really, I'd like to know how this is supposed to be useful.
>
> Whit

--
Jason Pyeron
PD Inc. http://www.pdinc.us
Principal Consultant
10 West 24th Street #100
+1 (443) 269-1555 x333
Baltimore, Maryland 21218

This message is copyright PD Inc, subject to license 20080407P00.