[CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

Jason Pyeron jpyeron at pdinc.us
Wed May 26 02:03:38 UTC 2010 

 

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Whit Blauvelt
> Sent: Tuesday, May 25, 2010 21:27
> To: CentOS mailing list
> Subject: Re: [CentOS] Odd failure of smbd to start from 
> init.d - CentOS 5.4 - it's that fine SELinux
> 
> On Tue, May 25, 2010 at 07:46:56PM -0500, Les Mikesell wrote:
> 
> > I would have looked at selinux first for any "odd failure", but I 
> > thought it related to the process itself and couldn't see 
> any way that 
> > the process would be different when started as "sh /etc/init.d/smb 
> > restart" than simply /etc/init.d/smb restart.  Is it?
> 
> That selinux would prevent a normal init.d startup of a 
> common daemon like smbd, but allow the same startup in 
> several other ways ... okay, I've never studied selinux. I 
> usually run Ubuntu on servers. I've pretty much literally 
> inherited a bunch of RH-based servers to admin (coworker 
> sadly died), and we're adding more to run in parallel, so 
> CentOS was obvious (RH-the-firm being so badly run it took 
> staff days over the phone just to buy a single new license 
> from them). Of course AppArmour can also get in the way, but 
> at least it logs such actions, so it's obvious if you need to 
> reconfig or turn it off.
> 
> I'm solidly impressed with this list. Nothing like it for 
> Ubuntu, and back when Gentoo was my preferred server distro 
> there was more noise surrounding that too. It shows that the 
> interest in CentOS is entirely professional. So that's a 
> strong upside.
> 
> But if someone can tell me why selinux thinks it's sane to 
> block "/etc/init.d/smb start" while leaving "sh 
> /etc/init.d/smb start" and even /some/random/dir/smb start" 
> wide open ... I just can't believe some happy hacker at NSA 

If you look at it as the two different commands, then they may have different
permissions, owners, contexts, etc...

/bin/sh vs /etc/init.d/smb

I am just logically guessing here but ...

> thought that would count as a security scheme. Really, I'd 
> like to know how this is supposed to be useful.
> 
> Whit
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 




--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

More information about the CentOS mailing list