[CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

Craig White craigwhite at azapple.com
Wed May 26 14:40:46 UTC 2010


On Tue, 2010-05-25 at 23:36 -0400, Whit Blauvelt wrote:
> On Tue, May 25, 2010 at 09:09:33PM -0500, Jay Leafey wrote:
> 
> > In your case, there should have been AVC errors showing up in the
> > audit log related to smbd.  Using restorecon to fix up the security
> > context on the files in /etc/samba might have resolved the issue
> > quickly... but I guess the trick is having run across it before, eh?
> 
> Thoughtful advice. Thanks. Is there some method to duplicate basic
> configuration files across selinux servers without running restorecon for
> each set of files that's copied over - that is, to copy them with their
> selinux labels intact? 
> 
> From this limited example, it looks like selinux gets in the way of standard
> administrative tasks, yet wouldn't be in the way at all of anyone who'd
> acquired a shell within which they could run another shell and with that
> call whatever program they like.
> 
> I was just reading a review by Freeman Dyson of physicist Steven Weinberg's
> new book, Lake Views. Dyson is impressed by Weinberg's argument that for
> defense we often go to "glorified technologies" which don't really do for us
> what we expect. For example, mounted knights, which were the expensive high
> tech approach to war of their time, more often than not lost to peasants
> with pikes. The list goes on from there, right up to the present.
> 
> In its modest way, selinux would fit right into that record. It's complex
> and shiny and expensive to maintain (hell, its competitor is even called
> "AppArmour" - armour?). But is it as essentially useless in real combat as
> mounted knights were against a line of men with spears? Or as today's
> wishful and extravagant missile defense?
----
You can't make a useful argument out of ignorance. If you don't want to
use SELinux, then disable it. Otherwise, learn to understand how it
operates and deal with it.

One certain way to cause issues with SELinux is to copy files created in
other directories or other computers onto another computer, because it
will not have the proper security contexts, so the way to fix that is to
make sure your policy files are all up to date and then relabel your
file system, which should set the contexts to their proper labels.

Craig
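
Added example, not part of the original message: a way to find which files a daemon was denied because of a wrong label, by reading the AVC records Jay mentions, so that restorecon can be run on just those files. The audit lines are constructed samples; user_home_t stands in for whatever label the copied file carried, and the function names are hypothetical.

```python
import re

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1274844001.101:310): avc:  denied  { read } for  pid=2345 comm="smbd" name="smb.conf" dev=dm-0 ino=98311 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1274844001.102:311): avc:  denied  { getattr } for  pid=2345 comm="smbd" path="/etc/samba/smb.conf" dev=dm-0 ino=98311 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1274844001.102:311): arch=c000003e syscall=4 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1274844007.550:320): avc:  denied  { name_bind } for  pid=2400 comm="httpd" src=8081 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other records."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields


def mislabel_report(log_text, comm):
    """Merge file/dir denials for one daemon by (dev, inode).

    Some records carry only name= (a basename) and others path=, so the
    same file is joined on its inode and the full path is kept when seen.
    """
    report = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get('comm') != comm or rec.get('tclass') not in ('file', 'dir'):
            continue
        entry = report.setdefault((rec.get('dev'), rec.get('ino')),
                                  {'perms': set(), 'ttype': None, 'target': None})
        entry['perms'].update(rec['perms'])
        entry['ttype'] = rec['tcontext'].split(':')[2]  # user:role:type:level
        entry['target'] = rec.get('path') or entry['target'] or rec.get('name')
    return report


def restorecon_hints(report):
    """Suggest restorecon only where the log recorded an absolute path."""
    return sorted('restorecon -v ' + e['target']
                  for e in report.values() if (e['target'] or '').startswith('/'))
```

On a real host the input would be the contents of /var/log/audit/audit.log; entries that only ever logged a basename need the inode looked up before relabeling.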

