[CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
Jason Pyeron
jpyeron at pdinc.us
Wed May 26 02:03:38 UTC 2010
> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Whit Blauvelt
> Sent: Tuesday, May 25, 2010 21:27
> To: CentOS mailing list
> Subject: Re: [CentOS] Odd failure of smbd to start from
> init.d - CentOS 5.4 - it's that fine SELinux
>
> On Tue, May 25, 2010 at 07:46:56PM -0500, Les Mikesell wrote:
>
> > I would have looked at selinux first for any "odd failure", but I
> > thought it related to the process itself and couldn't see any way that
> > the process would be different when started as "sh /etc/init.d/smb
> > restart" than simply /etc/init.d/smb restart. Is it?
>
> That selinux would prevent a normal init.d startup of a
> common daemon like smbd, but allow the same startup in
> several other ways ... okay, I've never studied selinux. I
> usually run Ubuntu on servers. I've pretty much literally
> inherited a bunch of RH-based servers to admin (coworker
> sadly died), and we're adding more to run in parallel, so
> CentOS was obvious (RH-the-firm being so badly run it took
> staff days over the phone just to buy a single new license
> from them). Of course AppArmor can also get in the way, but
> at least it logs such actions, so it's obvious if you need to
> reconfig or turn it off.
>
> I'm solidly impressed with this list. Nothing like it for
> Ubuntu, and back when Gentoo was my preferred server distro
> there was more noise surrounding that too. It shows that the
> interest in CentOS is entirely professional. So that's a
> strong upside.
>
> But if someone can tell me why selinux thinks it's sane to
> block "/etc/init.d/smb start" while leaving "sh
> /etc/init.d/smb start" and even "/some/random/dir/smb start"
> wide open ... I just can't believe some happy hacker at NSA

If you look at it as the two different commands, then they may have different
permissions, owners, contexts, etc...

/bin/sh vs /etc/init.d/smb

I am just logically guessing here but ...

> thought that would count as a security scheme. Really, I'd
> like to know how this is supposed to be useful.
>
> Whit
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron PD Inc. http://www.pdinc.us -
- Principal Consultant 10 West 24th Street #100 -
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.