I have a very basic configuration in /etc/samba/smb.conf.
[global]
workgroup = WORKGROUP
server string = Samba server (%v) on %h
security = user
passdb backend = tdbsam
[data]
comment = Share
path = /data
writable = yes
valid users = jim fred
I set up the share directory with the appropriate SELinux context permissions and ran restorecon.
# semanage fcontext -a -t samba_share_t "/data(/.*)?"
# restorecon -R /data
I have enabled the following SELinux boolean options for Samba:
# setsebool -P samba_enable_home_dirs on
# setsebool -P samba_export_all_rw on
# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off
I created a Samba user account for the user jim.
# smbpasswd -a jim
I can verify the Samba user:
# pdbedit -L -v
---------------
Unix username: jim
NT username:
Account Flags: [U ]
User SID: S-1-5-21-1313117023-1808504127-2290582315-1001
Primary Group SID: S-1-5-21-1313117023-1808504127-2290582315-513
Full Name: The Jim of Legend
Home Directory: \\LSERVER\jim
HomeDir Drive:
Logon Script:
Profile Path: \\LSERVERS\jim\profile
Domain: LSERVER
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 10:06:39 EST
Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
Password last set: Tue, 16 Aug 2022 18:02:06 EDT
Password can change: Tue, 16 Aug 2022 18:02:06 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
After setting up the configuration, I restarted smb and nmb.
service smb restart && service nmb restart
The smb service starts normally:
# service smb status
Redirecting to /bin/systemctl status smb.service
● smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-08-16 17:56:22 EDT; 7s ago
Docs: man:smbd(8)
man:samba(7)
man:smb.conf(5)
Main PID: 2795706 (smbd)
Status: "smbd: ready to serve connections..."
Tasks: 3 (limit: 76912)
Memory: 5.6M
CPU: 47ms
CGroup: /system.slice/smb.service
├─ 2795706 /usr/sbin/smbd --foreground --no-process-group
├─ 2795708 /usr/sbin/smbd --foreground --no-process-group
└─ 2795709 /usr/sbin/smbd --foreground --no-process-group
Aug 16 17:56:22 lserver systemd[1]: Starting smb.service - Samba SMB Daemon...
Aug 16 17:56:22 lserver smbd[2795706]: [2022/08/16 17:56:22.850039, 0] ../../source3/smbd/server.c:1741(main)
Aug 16 17:56:22 lserver smbd[2795706]: smbd version 4.16.4 started.
Aug 16 17:56:22 lserver smbd[2795706]: Copyright Andrew Tridgell and the Samba Team 1992-2022
Aug 16 17:56:22 lserver systemd[1]: Started smb.service - Samba SMB Daemon.
However, when I try to list the shares available to jim, there are no shares available:
# smbclient -L localhost -U jim
Password for [WORKGROUP\jim]:
Sharename Type Comment
--------- ---- -------
service smb status reports some errors in the log:
# service smb status
...
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828139, 0] ../../source3/rpc_server/rpc_sock_helper.c:91(dcesrv_create_ncacn_np_socket)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: dcesrv_create_ncacn_np_socket: Failed to create ncacn_np socket! '/run/samba/ncalrpc/np/spoolss': Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828218, 0] ../../source3/lib/util_sock.c:977(create_pipe_sock)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: bind failed on pipe socket /run/samba/ncalrpc/np/srvsvc: Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828242, 0] ../../source3/rpc_server/rpc_sock_helper.c:91(dcesrv_create_ncacn_np_socket)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: dcesrv_create_ncacn_np_socket: Failed to create ncacn_np socket! '/run/samba/ncalrpc/np/srvsvc': Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828740, 0] ../../source3/lib/util_sock.c:977(create_pipe_sock)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: bind failed on pipe socket /run/samba/ncalrpc/np/winreg: Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828763, 0] ../../source3/rpc_server/rpc_sock_helper.c:91(dcesrv_create_ncacn_np_socket)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: dcesrv_create_ncacn_np_socket: Failed to create ncacn_np socket! '/run/samba/ncalrpc/np/winreg': Address already in use
The full /var/log/messages log at the time of the incident is as follows:
2022-08-16T18:23:00.514283-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file rpcecho. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.515763-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file rpcecho.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the rpcecho sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.518242-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file epmapper. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.519194-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file epmapper.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the epmapper sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.521350-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file winreg. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.522205-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file winreg.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the winreg sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.524343-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file lsarpc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.525202-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file lsarpc.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the lsarpc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.527306-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file fssagentrpc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.528142-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file fssagentrpc.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the fssagentrpc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.530259-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file mdssvc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.531103-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file mdssvc.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the mdssvc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.533234-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file srvsvc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.534081-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file srvsvc.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the srvsvc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.536250-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file spoolss. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.537079-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file spoolss.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the spoolss sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
SELinux offers a workaround via audit2allow. I found alternative references elsewhere that use the same process, but when I try to use exactly the command provided, it reports an error about an unknown switch:
# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd semodule -X 300 -i my-sambadcerpcd.pp
Usage: audit2allow [options]
audit2allow: error: no such option: -X
I can confirm that this is an SELinux problem: if I disable SELinux and restart the smb service, the share shows up:
# setenforce 0
# systemctl restart smb.service
# smbclient -L localhost -U jim
Password for [WORKGROUP\jim]:
Sharename Type Comment
--------- ---- -------
data Disk Share
IPC$ IPC IPC Service (Samba server (4.16.4) on lserver)
If I re-enable SELinux and restart the smb service, the share becomes inaccessible again:
# setenforce 1
# systemctl restart smb.service
# smbclient -L localhost -U jim
Password for [WORKGROUP\jim]:
Sharename Type Comment
--------- ---- -------
Clearly SELinux is blocking the ability to browse and access the share, but I cannot tell what the problem is. Why can't I access my share while SELinux is enabled?
I ran into this problem while configuring Fedora 36. I have a CentOS 7.9 server with a similar (as far as I can tell, identical) configuration that does not have this problem with SELinux enforcing enabled.
The following appears to be a related Bugzilla report:
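As an added example (not part of the original question, and not Samba's or Fedora's own tooling), the following shell script does the triage a practitioner would want before reaching for audit2allow: it collapses setroubleshoot denial lines like the ones in the question into a short list of what is being denied, and it compares the on-disk label of each socket in Samba's named-pipe directory with the label the loaded policy expects, since a label mismatch is a common reason a confined daemon is denied unlink on sockets it created itself. The log lines embedded in the script are constructed after the question's output, the sealert alert ID in them is a placeholder, and the /run/samba/ncalrpc/np directory is taken from the error messages above.

```shell
#!/bin/sh
# Added example, not code from the original question.
# summarize_denials: reduce "SELinux is preventing <proc> from <access>
#   access on the <class> <target>" lines to unique tuples.
# check_socket_contexts: compare each socket's current label with the
#   label matchpathcon reports for that path (needs root on an SELinux host).

# Constructed sample lines, modelled on the /var/log/messages output in the
# question; the sealert alert ID is a placeholder, not a real one.
SAMPLE_LOG='2022-08-16T18:23:00.514283-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file rpcecho. For complete SELinux messages run: sealert -l PLACEHOLDER-ALERT-ID
2022-08-16T18:23:00.515763-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file rpcecho.#012#012***** Plugin catchall (100. confidence) suggests **************************#012
2022-08-16T18:23:00.518242-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file epmapper. For complete SELinux messages run: sealert -l PLACEHOLDER-ALERT-ID
2022-08-16T18:23:00.521350-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file winreg. For complete SELinux messages run: sealert -l PLACEHOLDER-ALERT-ID
2022-08-16T18:23:00.522205-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file winreg.#012#012***** Plugin catchall (100. confidence) suggests **************************#012
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: bind failed on pipe socket /run/samba/ncalrpc/np/srvsvc: Address already in use'

# Read syslog lines on stdin; print "process access class target", one line
# per unique combination. Both the short form and the long "#012"-joined form
# of a setroubleshoot message match the same pattern, so sort -u folds them.
# Lines that are not setroubleshoot denials (e.g. the smbd bind error) are dropped.
summarize_denials() {
    sed -n 's/.*SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the \([^ ]*\) \([^.]*\)\..*/\1 \2 \3 \4/p' | sort -u
}

# Live check, not exercised by the sample: for each entry in the ncalrpc
# pipe directory, print a MISMATCH line when the context stored on the
# object (stat %C) differs from the context the policy assigns to that path
# (matchpathcon -n). If the labels rather than the policy are wrong,
# "restorecon -Rv <dir>" is the matching fix; if they already agree, the
# denial comes from the policy itself and belongs in a bug report.
check_socket_contexts() {
    dir=${1:-/run/samba/ncalrpc/np}
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        actual=$(stat -c %C "$f")
        expected=$(matchpathcon -n "$f")
        [ "$actual" = "$expected" ] && continue
        printf 'MISMATCH %s actual=%s expected=%s\n' "$f" "$actual" "$expected"
    done
}

# Demo on the constructed sample: three unique denials, one per socket name.
printf '%s\n' "$SAMPLE_LOG" | summarize_denials
```

Run the file as-is to see the summary of the sample; on the affected host, pipe `grep setroubleshoot /var/log/messages` into `summarize_denials` and then call `check_socket_contexts` as root to see whether the socket labels match what the policy expects.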