Which SELinux settings are preventing Samba from showing my share and letting me access it?

I have a very basic /etc/samba/smb.conf configuration:

[global]
        workgroup = WORKGROUP
        server string = Samba server (%v) on %h

        security = user
        passdb backend = tdbsam
[data]
        comment = Share
        path = /data
        writable = yes
        valid users = jim fred

I configured the share directory with the appropriate SELinux context and ran restorecon:

# semanage fcontext -a -t samba_share_t "/data(/.*)?"
# restorecon -R /data

I enabled the following SELinux booleans for Samba:

# setsebool -P samba_enable_home_dirs on
# setsebool -P samba_export_all_rw on
# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off

I created a Samba user account for the user jim:

# smbpasswd -a jim

I can verify the Samba user:

# pdbedit -L -v
---------------
Unix username:        jim
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1313117023-1808504127-2290582315-1001
Primary Group SID:    S-1-5-21-1313117023-1808504127-2290582315-513
Full Name:            The Jim of Legend
Home Directory:       \\LSERVER\jim
HomeDir Drive:
Logon Script:
Profile Path:         \\LSERVERS\jim\profile
Domain:               LSERVER
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
Password last set:    Tue, 16 Aug 2022 18:02:06 EDT
Password can change:  Tue, 16 Aug 2022 18:02:06 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

After putting the configuration in place I restarted smb and nmb:

service smb restart && service nmb restart

The smb service starts fine:

# service smb status
Redirecting to /bin/systemctl status smb.service
● smb.service - Samba SMB Daemon
     Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-08-16 17:56:22 EDT; 7s ago
       Docs: man:smbd(8)
             man:samba(7)
             man:smb.conf(5)
   Main PID: 2795706 (smbd)
     Status: "smbd: ready to serve connections..."
      Tasks: 3 (limit: 76912)
     Memory: 5.6M
        CPU: 47ms
     CGroup: /system.slice/smb.service
             ├─ 2795706 /usr/sbin/smbd --foreground --no-process-group
             ├─ 2795708 /usr/sbin/smbd --foreground --no-process-group
             └─ 2795709 /usr/sbin/smbd --foreground --no-process-group

Aug 16 17:56:22 lserver systemd[1]: Starting smb.service - Samba SMB Daemon...
Aug 16 17:56:22 lserver smbd[2795706]: [2022/08/16 17:56:22.850039,  0] ../../source3/smbd/server.c:1741(main)
Aug 16 17:56:22 lserver smbd[2795706]:   smbd version 4.16.4 started.
Aug 16 17:56:22 lserver smbd[2795706]:   Copyright Andrew Tridgell and the Samba Team 1992-2022
Aug 16 17:56:22 lserver systemd[1]: Started smb.service - Samba SMB Daemon.

But when I try to list the shares available to jim, there are none:

# smbclient -L localhost -U jim
Password for [WORKGROUP\jim]:

        Sharename       Type      Comment
        ---------       ----      -------

service smb status reports some errors in the log:

# service smb status
...
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828139,  0] ../../source3/rpc_server/rpc_sock_helper.c:91(dcesrv_create_ncacn_np_socket)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   dcesrv_create_ncacn_np_socket: Failed to create ncacn_np socket! '/run/samba/ncalrpc/np/spoolss': Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828218,  0] ../../source3/lib/util_sock.c:977(create_pipe_sock)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   bind failed on pipe socket /run/samba/ncalrpc/np/srvsvc: Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828242,  0] ../../source3/rpc_server/rpc_sock_helper.c:91(dcesrv_create_ncacn_np_socket)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   dcesrv_create_ncacn_np_socket: Failed to create ncacn_np socket! '/run/samba/ncalrpc/np/srvsvc': Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828740,  0] ../../source3/lib/util_sock.c:977(create_pipe_sock)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   bind failed on pipe socket /run/samba/ncalrpc/np/winreg: Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828763,  0] ../../source3/rpc_server/rpc_sock_helper.c:91(dcesrv_create_ncacn_np_socket)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   dcesrv_create_ncacn_np_socket: Failed to create ncacn_np socket! '/run/samba/ncalrpc/np/winreg': Address already in use

Here is the complete log from /var/log/messages at the time of the event:

2022-08-16T18:23:00.514283-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file rpcecho. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.515763-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file rpcecho.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the rpcecho sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.518242-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file epmapper. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.519194-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file epmapper.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the epmapper sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.521350-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file winreg. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.522205-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file winreg.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the winreg sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.524343-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file lsarpc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.525202-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file lsarpc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the lsarpc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.527306-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file fssagentrpc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.528142-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file fssagentrpc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the fssagentrpc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.530259-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file mdssvc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.531103-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file mdssvc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the mdssvc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.533234-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file srvsvc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.534081-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file srvsvc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the srvsvc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.536250-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file spoolss. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.537079-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file spoolss.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the spoolss sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012

SELinux does offer a workaround via audit2allow, and I found references to the same procedure elsewhere, but trying the exact command as given reports an error about an unknown switch:

# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd semodule -X 300 -i my-sambadcerpcd.pp
Usage: audit2allow [options]

audit2allow: error: no such option: -X

I can confirm this is an SELinux problem. If I disable SELinux and restart the smb service, the share becomes visible:

# setenforce 0
# systemctl restart smb.service
# smbclient -L localhost -U jim
Password for [WORKGROUP\jim]:

        Sharename       Type      Comment
        ---------       ----      -------
        data            Disk      Share
        IPC$            IPC       IPC Service (Samba server (4.16.4) on lserver)

If I re-enable SELinux and restart the smb service, I lose access to the share again:

# setenforce 1
# systemctl restart smb.service
# smbclient -L localhost -U jim
Password for [WORKGROUP\jim]:

        Sharename       Type      Comment
        ---------       ----      -------

Clearly SELinux is blocking my ability to browse and access the share, but I cannot work out what exactly the problem is. Why can't I access my share with SELinux enabled?

I ran into this while configuring Fedora 36. I have a CentOS 7.9 server with a similar (as far as I can tell, identical) configuration that does not have this problem with SELinux enforcing.

These seem to be the related Bugzilla reports:
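The denials in /var/log/messages and the bind errors in the smb journal fit together: samba-dcerpcd is refused unlink on the stale socket files under /run/samba/ncalrpc/np, so the following bind on spoolss, srvsvc and winreg fails with "Address already in use". Before loading whatever audit2allow proposes, it is worth seeing exactly which allow rule the catchall plugin would generate. The script below is an added example, not code from the question or from Samba or setroubleshoot: it parses raw AVC records the way `audit2allow -M` does and renders the resulting .te source. The audit lines are constructed to mirror the eight socket names in the post; the source domain smbd_t and the target type smbd_var_run_t are assumptions, since the real contexts are not shown on the page and must be taken from `ausearch -m AVC -c samba-dcerpcd --raw` on the affected host.

```python
"""Added example: turn raw SELinux AVC denial records into the Type Enforcement
source that `audit2allow -M` would generate, so the rule can be read before
`semodule -i` loads it. Sample records are constructed, not the page's log."""
import re
from collections import defaultdict

# Constructed sample audit records modelling the eight unlink-on-sock_file
# denials that setroubleshoot reported for samba-dcerpcd. The source domain
# (smbd_t) and target type (smbd_var_run_t) are assumptions; the real values
# come from `ausearch -m AVC -c samba-dcerpcd --raw` on the affected host.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1660688580.514:8101): arch=c000003e syscall=87 success=no exit=-13 comm="samba-dcerpcd" subj=system_u:system_r:smbd_t:s0
type=AVC msg=audit(1660688580.514:8101): avc:  denied  { unlink } for  pid=2878314 comm="samba-dcerpcd" name="rpcecho" dev="tmpfs" ino=4101 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1660688580.518:8102): avc:  denied  { unlink } for  pid=2878314 comm="samba-dcerpcd" name="epmapper" dev="tmpfs" ino=4102 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1660688580.521:8103): avc:  denied  { unlink } for  pid=2878314 comm="samba-dcerpcd" name="winreg" dev="tmpfs" ino=4103 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1660688580.524:8104): avc:  denied  { unlink } for  pid=2878314 comm="samba-dcerpcd" name="lsarpc" dev="tmpfs" ino=4104 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1660688580.527:8105): avc:  denied  { unlink } for  pid=2878314 comm="samba-dcerpcd" name="fssagentrpc" dev="tmpfs" ino=4105 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1660688580.530:8106): avc:  denied  { unlink } for  pid=2878314 comm="samba-dcerpcd" name="mdssvc" dev="tmpfs" ino=4106 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1660688580.533:8107): avc:  denied  { unlink } for  pid=2878314 comm="samba-dcerpcd" name="srvsvc" dev="tmpfs" ino=4107 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1660688580.536:8108): avc:  denied  { unlink } for  pid=2878314 comm="samba-dcerpcd" name="spoolss" dev="tmpfs" ino=4108 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(audit_text):
    """Return one dict per AVC denial record; SYSCALL and other records are skipped."""
    records = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["perms"] = set(m.group("perms").split())
        records.append(rec)
    return records


def denied_names(records):
    """Sorted object names (here: the socket files) that were denied."""
    return sorted({r["name"] for r in records if "name" in r})


def type_of(context):
    """'system_u:system_r:smbd_t:s0' -> 'smbd_t' (the type is the third field)."""
    return context.split(":")[2]


def aggregate(records):
    """Collapse denials into (source type, target type, class) -> permission set."""
    rules = defaultdict(set)
    for r in records:
        rules[(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])] |= r["perms"]
    return dict(rules)


def fmt_perms(perms):
    """audit2allow writes a bare permission for one, '{ a b }' for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module_name, rules):
    """Render the .te source in the layout audit2allow -M produces."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    per_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        per_class[cls] |= perms
    lines = ["module %s 1.0;" % module_name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (cls, p) for cls, p in
              ((c, fmt_perms(ps)) for c, ps in sorted(per_class.items()))]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append("allow %s %s:%s %s;" % (src, tgt, cls, fmt_perms(perms)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    print("denied socket files:", ", ".join(denied_names(recs)))
    print(render_te("my-sambadcerpcd", aggregate(recs)))
```

Two things to take from it. First, the suggestion setroubleshoot prints is two separate commands, `ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd` and then `semodule -X 300 -i my-sambadcerpcd.pp`; `-X 300` is semodule's module-priority option, which is why audit2allow rejects it when both are pasted onto one line. Second, the module a catchall rule produces is exactly what the script renders: a blanket `allow <domain> <type>:sock_file unlink`. That is a reasonable local exception if the real contexts are the daemon's own domain and its own run-directory type, but if the tcontext turns out to be something generic like var_run_t, the better fix is to correct the file labels under /run/samba rather than to widen the daemon's policy.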
