Whit Blauvelt wrote:
> <SNIP>
>
> Then why was it also happy with "sh /etc/init.d/smb start" but not
> "/etc/init.d/smb start". I'm happy to become more educated on this. But if
> invoking a major daemon startup that selinux wants to block is as easy as
> that, selinux is window dressing, not security.
>
> What am I missing about how that's anything like useful?
>

As I understand it, the two different methods of invocation could involve different SELinux contexts. Under one of them the process could be less constrained than the other. If you want details, you'll have to look elsewhere, I'm just another seeker!

I've found that running the SELinux troubleshooter has been very helpful. SELinux can be a royal pain, particularly with software not written with it in mind (cough*Oracle*cough). I try to discourage the "just turn off SELinux" mindset... it sorta reminds me of the excuses for NOT using seat belts.

In your case, there should have been AVC errors showing up in the audit log related to smbd. Using restorecon to fix up the security context on the files in /etc/samba might have resolved the issue quickly... but I guess the trick is having run across it before, eh?

"The best cure for mistakes is experience. The best source of experience is mistakes." - YMMV
-- 
Jay Leafey - jay.leafey at mindless.com
Memphis, TN
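
Added example, not part of the original message: a small shell filter for the check the reply suggests, looking for AVC denials tied to smbd in audit-log text. The sample records, the function names and the user_home_t mislabel are constructed for illustration; the source and target types in each denial show which context the process ran under and what label the file carried.

```shell
#!/bin/sh
# Constructed sample records in audit.log format (not from the original thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1274790001.101:201): avc:  denied  { read } for  pid=4101 comm="smbd" name="smb.conf" dev=dm-0 ino=98001 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1274790001.105:202): avc:  denied  { getattr } for  pid=4101 comm="smbd" path="/etc/samba/smb.conf" dev=dm-0 ino=98001 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1274790002.300:203): avc:  denied  { read } for  pid=4120 comm="httpd" name="index.html" dev=dm-0 ino=77001 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1274790001.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
EOF
}

# avc_summary COMM: read audit records on stdin and print one line per AVC
# denial for COMM as "perms class source_type target_type object".
avc_summary() {
    awk -v want="$1" '
    $1 == "type=AVC" && /denied/ {
        comm = perm = obj = st = tt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # Collect every permission between the braces, comma-joined.
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            }
            else if ($i ~ /^comm=/) { comm = $i; gsub(/comm=|"/, "", comm) }
            else if ($i ~ /^(name|path)=/) {
                obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj)
            }
            # Contexts are user:role:type:level; the type is the third part.
            else if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/) { cls = $i; sub(/^tclass=/, "", cls) }
        }
        if (comm == want) print perm, cls, st, tt, obj
    }'
}

# Show the denials recorded for smbd in the constructed sample.
sample_audit_log | avc_summary smbd
```

On a live system the same filter can read /var/log/audit/audit.log. A target type that does not belong under /etc/samba is the case where `restorecon -Rv /etc/samba` resets the labels.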