-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Claude Jones wrote:
> On Thu April 17 2008, Claude Jones wrote:
>> I can't declare victory. I am now networked,
>
> I now know how to break it. Just declare victory. It doesn't have to be total;
> victory declarations, qualified, with reservations, with lots of
> useless mumbling, etc... work, too!
>
> Just switched over to an XP box that had been reliably browsing my Fedora box
> for the past hour, and got a "can't find" error. Turned off the firewall on
> Fedora, went back to the XP machine, and the connection is restored... WTF??
>
> I doubt this is relevant, but here are the relevant entries in iptables:
>
> Chain INBOUND (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.2.0/24       anywhere
> ACCEPT     all  --  192.168.2.1          anywhere
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6881:6889
> ACCEPT     udp  --  anywhere             anywhere            udp dpts:6881:6889
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:35986
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:35986
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp dpt:ipp
> ACCEPT     udp  --  192.168.2.0/24       anywhere            udp dpt:ipp
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp dpts:netbios-ns:netbios-ssn
> ACCEPT     udp  --  192.168.2.0/24       anywhere            udp dpts:netbios-ns:netbios-ssn
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp dpt:microsoft-ds
> ACCEPT     udp  --  192.168.2.0/24       anywhere            udp dpt:microsoft-ds
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp dpt:sunrpc
> ACCEPT     udp  --  192.168.2.0/24       anywhere            udp dpt:sunrpc
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp dpt:nfs
> ACCEPT     udp  --  192.168.2.0/24       anywhere            udp dpt:nfs
> ACCEPT     tcp  --  192.168.2.0/24       anywhere            tcp dpt:domain
> ACCEPT     udp  --  192.168.2.0/24       anywhere            udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
> LSI        all  --  anywhere             anywhere
> ***************************************
> I know there are issues in there, but, the main point is, why did it suddenly
> go dark? Why did it work for a couple of hours this am, and all night, then
> suddenly lose it?
> ***************************************
> and there's the Samba and Selinux issue - I'm getting tons of these:
>
>
> Summary:
>
> SELinux is preventing smbd (smbd_t) "getattr" to /dev/sde1
> (fixed_disk_device_t).
>
> Detailed Description:
>
> SELinux denied access requested by smbd. It is not expected that this access
> is required by smbd and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /dev/sde1,
>
> restorecon -v '/dev/sde1'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this access -
> see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:smbd_t
> Target Context                system_u:object_r:fixed_disk_device_t
> Target Objects                /dev/sde1 [ blk_file ]
> Source                        smbd
> Source Path                   /usr/sbin/smbd
> Port                          <Unknown>
> Host                          tehogee1
> Source RPM Packages           samba-3.0.28a-0.fc8
> Target RPM Packages
> Policy RPM                    selinux-policy-3.0.8-98.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     tehogee1
> Platform                      Linux tehogee1 2.6.24.4-64.fc8 #1 SMP Sat Mar 29
>                               09:54:46 EDT 2008 i686 i686
> Alert Count                   3
> First Seen                    Wed 16 Apr 2008 08:39:18 AM EDT
> Last Seen                     Wed 16 Apr 2008 08:43:18 AM EDT
> Local ID                      83d6b661-2e3b-482a-ada7-ca94aa1f5eb6
> Line Numbers
>
> Raw Audit Messages
>
> host=tehogee1 type=AVC msg=audit(1208349798.310:1590): avc: denied { getattr }
> for pid=32296 comm="smbd" path="/dev/sde1" dev=tmpfs ino=323202
> scontext=unconfined_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
>
> host=tehogee1 type=SYSCALL msg=audit(1208349798.310:1590): arch=40000003
> syscall=195 success=no exit=-13 a0=bfd7a694 a1=bfd79e14 a2=4c5ff4 a3=bfd79e14
> items=0 ppid=31287 pid=32296 auid=500 uid=99 gid=0 euid=99 suid=0 fsuid=99
> egid=99 sgid=0 fsgid=99 tty=(none) comm="smbd" exe="/usr/sbin/smbd"
> subj=unconfined_u:system_r:smbd_t:s0 key=(null)
>
> ********************************************
> or even more germane, this:
>
>
> Summary:
>
> SELinux is preventing the samba daemon from serving r/o local files to remote
> clients.
>
> Detailed Description:
>
> SELinux has preventing the samba daemon (smbd) from reading files on the local
> system. If you have not exported these file systems, this could signals an
> intrusion.
>
> Allowing Access:
>
> If you want to export file systems using samba you need to turn on the
> samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".
>
> The following command will allow this access:
>
> setsebool -P samba_export_all_ro=1
>
> Additional Information:
>
> Source Context                system_u:system_r:smbd_t
> Target Context                system_u:object_r:var_t
> Target Objects                ./srv [ dir ]
> Source                        smbd
> Source Path                   /usr/sbin/smbd
> Port                          <Unknown>
> Host                          tehogee1
> Source RPM Packages           samba-3.0.28a-0.fc8
> Target RPM Packages           filesystem-2.4.11-1.fc8
> Policy RPM                    selinux-policy-3.0.8-98.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   samba_export_all_ro
> Host Name                     tehogee1
> Platform                      Linux tehogee1 2.6.24.4-64.fc8 #1 SMP Sat Mar 29
>                               09:54:46 EDT 2008 i686 i686
> Alert Count                   8
> First Seen                    Wed 16 Apr 2008 10:06:11 PM EDT
> Last Seen                     Wed 16 Apr 2008 10:06:15 PM EDT
> Local ID                      dd8cb0d1-fac0-495c-89e6-c115d60ad66f
> Line Numbers
>
> Raw Audit Messages
>
> host=tehogee1 type=AVC msg=audit(1208397975.959:367): avc: denied { read }
> for pid=28749 comm="smbd" name="srv" dev=sda3 ino=26312705
> scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=dir
>
> host=tehogee1 type=SYSCALL msg=audit(1208397975.959:367): arch=40000003
> syscall=5 success=no exit=-13 a0=b864d098 a1=98800 a2=bf9291fc a3=b86651c8
> items=0 ppid=3353 pid=28749 auid=4294967295 uid=99 gid=0 euid=99 suid=0
> fsuid=99 egid=99 sgid=0 fsgid=99 tty=(none) comm="smbd" exe="/usr/sbin/smbd"
> subj=system_u:system_r:smbd_t:s0 key=(null)
>
> *********************************************
>
> I have run the suggested command to fix the last, but to no avail.
>
>

For the SELinux issue.

You need to turn on a boolean either samba_export_all_ro or samba_export_all_rw

setsebool -P samba_export_all_ro=1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkgM7RIACgkQrlYvE4MpobPbMQCeJPG7k7csSIyOpLyRA3EQZN7G
03wAoI8xrpaC6YXtq7KZ/ykg6wC3PO4/
=5t/+
-----END PGP SIGNATURE-----

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
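The two setroubleshoot reports quoted above carry raw audit lines, and the thread shows why reading them matters: one denial (smbd_t reading a var_t directory) has a boolean remedy, the other (smbd_t getattr on a fixed_disk_device_t block device) does not and is exactly the kind of access the tool flags as a possible intrusion. The parser below is an added example, not code from the thread or from Fedora; it re-joins the AVC and SYSCALL lines quoted in the mail as sample input, pairs each denial with its syscall record by audit serial, and applies only the remedies the thread itself names (samba_export_all_ro / samba_export_all_rw, else restorecon followed by a local policy module). The `parse_audit`, `parse_avc` and `suggest` function names and the Denial dataclass are this example's own.

```python
"""Parse SELinux AVC denials from raw audit lines and map them to the remedies
named in the fedora-list thread.  Example code; the line format is the kernel's
standard audit record, the remedy table is restricted to what the thread states."""
import re
from dataclasses import dataclass

# Sample input: the raw audit messages quoted in the mail (host tehogee1),
# re-joined onto one line per record exactly as auditd would write them.
SAMPLE_AUDIT = """\
host=tehogee1 type=AVC msg=audit(1208349798.310:1590): avc: denied { getattr } for pid=32296 comm="smbd" path="/dev/sde1" dev=tmpfs ino=323202 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
host=tehogee1 type=SYSCALL msg=audit(1208349798.310:1590): arch=40000003 syscall=195 success=no exit=-13 a0=bfd7a694 a1=bfd79e14 a2=4c5ff4 a3=bfd79e14 items=0 ppid=31287 pid=32296 auid=500 uid=99 gid=0 euid=99 suid=0 fsuid=99 egid=99 sgid=0 fsgid=99 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
host=tehogee1 type=AVC msg=audit(1208397975.959:367): avc: denied { read } for pid=28749 comm="smbd" name="srv" dev=sda3 ino=26312705 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
host=tehogee1 type=SYSCALL msg=audit(1208397975.959:367): arch=40000003 syscall=5 success=no exit=-13 a0=b864d098 a1=98800 a2=bf9291fc a3=b86651c8 items=0 ppid=3353 pid=28749 auid=4294967295 uid=99 gid=0 euid=99 suid=0 fsuid=99 egid=99 sgid=0 fsgid=99 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
"""

# "avc:  denied  { perm perm }" is written with double spaces by the kernel; the
# mail collapsed them, so the pattern accepts one or more.
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
                    r'avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

# Permissions that a read-only export boolean covers (assumption of this example).
READ_PERMS = {'read', 'getattr', 'open', 'search', 'lock', 'ioctl'}


@dataclass
class Denial:
    timestamp: float
    serial: int
    perms: tuple
    comm: str
    target: str          # path= if present, else name=
    scontext_type: str   # e.g. smbd_t
    tcontext_type: str   # e.g. var_t
    tclass: str          # e.g. dir, blk_file
    exe: str = '?'       # filled from the paired SYSCALL record
    uid: str = '?'


def _kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_avc(line):
    """Return a Denial for one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = _kv(m.group('rest'))
    return Denial(
        timestamp=float(m.group('ts')),
        serial=int(m.group('serial')),
        perms=tuple(m.group('perms').split()),
        comm=f.get('comm', '?'),
        target=f.get('path') or f.get('name') or '?',
        scontext_type=f['scontext'].split(':')[2],
        tcontext_type=f['tcontext'].split(':')[2],
        tclass=f['tclass'],
    )


def parse_audit(text):
    """Parse all records, attach SYSCALL details to each AVC denial by
    (timestamp, serial), and return the denials in time order.  Serials alone
    are not unique across an auditd restart, hence the timestamp in the key."""
    denials, syscalls = {}, {}
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            denials[(d.timestamp, d.serial)] = d
            continue
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[(float(m.group('ts')), int(m.group('serial')))] = _kv(line)
    for key, d in denials.items():
        sc = syscalls.get(key)
        if sc:
            d.exe, d.uid = sc.get('exe', '?'), sc.get('uid', '?')
    return [denials[k] for k in sorted(denials)]


def suggest(d):
    """Map a denial to (boolean_name_or_None, advice) using only the remedies
    the thread names.  Anything outside that table gets the generic labeling /
    local-policy advice from the catchall report, never a blanket allow."""
    if d.scontext_type == 'smbd_t' and d.tclass in ('dir', 'file'):
        name = 'samba_export_all_ro' if set(d.perms) <= READ_PERMS else 'samba_export_all_rw'
        return name, (f'setsebool -P {name}=1  (broad: lets smbd reach every local '
                      f'file of that kind; scope the share labels instead if you can)')
    return None, (f'no boolean on record for {d.scontext_type} -> {d.tcontext_type} '
                  f'({d.tclass}); try restorecon -v {d.target!r}, then a local policy '
                  f'module if it persists; treat as suspicious until explained')


if __name__ == '__main__':
    for d in parse_audit(SAMPLE_AUDIT):
        boolean, advice = suggest(d)
        print(f'{d.comm} ({d.exe}, uid {d.uid}) denied {" ".join(d.perms)} on '
              f'{d.target} [{d.tclass}] {d.scontext_type} -> {d.tcontext_type}')
        print(f'    remedy: {advice}')
```

Run it as-is to see both denials from the mail classified; feed it `ausearch -m AVC --raw` output to apply the same triage to a live box. The point of the split in `suggest` is the one the thread illustrates: a boolean is a deliberate policy relaxation that should only be applied when the denial is the documented, expected one, while an unexplained denial such as smbd touching a raw disk device is something to investigate, not silence.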