Which SELinux setting prevents Samba shares from being listed and accessed?

I have a very basic configuration in /etc/samba/smb.conf.

[global]
        workgroup = WORKGROUP
        server string = Samba server (%v) on %h

        security = user
        passdb backend = tdbsam
[data]
        comment = Share
        path = /data
        writable = yes
        valid users = jim fred

I configured the share directory with the appropriate SELinux context and ran restorecon.

# semanage fcontext -a -t samba_share_t "/data(/.*)?"
# restorecon -R /data

I enabled the following SELinux boolean options for Samba.

# setsebool -P samba_enable_home_dirs on
# setsebool -P samba_export_all_rw on
# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off

I created a Samba user account for the user jim.

# smbpasswd -a jim

I can verify the Samba user.

# pdbedit -L -v
---------------
Unix username:        jim
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1313117023-1808504127-2290582315-1001
Primary Group SID:    S-1-5-21-1313117023-1808504127-2290582315-513
Full Name:            The Jim of Legend
Home Directory:       \\LSERVER\jim
HomeDir Drive:
Logon Script:
Profile Path:         \\LSERVERS\jim\profile
Domain:               LSERVER
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
Password last set:    Tue, 16 Aug 2022 18:02:06 EDT
Password can change:  Tue, 16 Aug 2022 18:02:06 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

After putting the configuration in place, I restarted smb and nmb.

service smb restart && service nmb restart

The smb service starts normally.

# service smb status
Redirecting to /bin/systemctl status smb.service
● smb.service - Samba SMB Daemon
     Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-08-16 17:56:22 EDT; 7s ago
       Docs: man:smbd(8)
             man:samba(7)
             man:smb.conf(5)
   Main PID: 2795706 (smbd)
     Status: "smbd: ready to serve connections..."
      Tasks: 3 (limit: 76912)
     Memory: 5.6M
        CPU: 47ms
     CGroup: /system.slice/smb.service
             ├─ 2795706 /usr/sbin/smbd --foreground --no-process-group
             ├─ 2795708 /usr/sbin/smbd --foreground --no-process-group
             └─ 2795709 /usr/sbin/smbd --foreground --no-process-group

Aug 16 17:56:22 lserver systemd[1]: Starting smb.service - Samba SMB Daemon...
Aug 16 17:56:22 lserver smbd[2795706]: [2022/08/16 17:56:22.850039,  0] ../../source3/smbd/server.c:1741(main)
Aug 16 17:56:22 lserver smbd[2795706]:   smbd version 4.16.4 started.
Aug 16 17:56:22 lserver smbd[2795706]:   Copyright Andrew Tridgell and the Samba Team 1992-2022
Aug 16 17:56:22 lserver systemd[1]: Started smb.service - Samba SMB Daemon.

However, when I try to list the available shares as jim, there are no shares available.

# smbclient -L localhost -U jim
Password for [WORKGROUP\jim]:

        Sharename       Type      Comment
        ---------       ----      -------

service smb status reports some errors in the log.

# service smb status
...
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828139,  0] ../../source3/rpc_server/rpc_sock_helper.c:91(dcesrv_create_ncacn_np_socket)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   dcesrv_create_ncacn_np_socket: Failed to create ncacn_np socket! '/run/samba/ncalrpc/np/spoolss': Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828218,  0] ../../source3/lib/util_sock.c:977(create_pipe_sock)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   bind failed on pipe socket /run/samba/ncalrpc/np/srvsvc: Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828242,  0] ../../source3/rpc_server/rpc_sock_helper.c:91(dcesrv_create_ncacn_np_socket)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   dcesrv_create_ncacn_np_socket: Failed to create ncacn_np socket! '/run/samba/ncalrpc/np/srvsvc': Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828740,  0] ../../source3/lib/util_sock.c:977(create_pipe_sock)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   bind failed on pipe socket /run/samba/ncalrpc/np/winreg: Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828763,  0] ../../source3/rpc_server/rpc_sock_helper.c:91(dcesrv_create_ncacn_np_socket)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   dcesrv_create_ncacn_np_socket: Failed to create ncacn_np socket! '/run/samba/ncalrpc/np/winreg': Address already in use

The full log from /var/log/messages at the time of the incident is as follows.

2022-08-16T18:23:00.514283-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file rpcecho. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.515763-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file rpcecho.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the rpcecho sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.518242-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file epmapper. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.519194-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file epmapper.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the epmapper sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.521350-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file winreg. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.522205-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file winreg.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the winreg sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.524343-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file lsarpc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.525202-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file lsarpc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the lsarpc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.527306-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file fssagentrpc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.528142-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file fssagentrpc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the fssagentrpc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.530259-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file mdssvc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.531103-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file mdssvc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the mdssvc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.533234-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file srvsvc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.534081-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file srvsvc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the srvsvc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.536250-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file spoolss. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.537079-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file spoolss.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the spoolss sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012

SELinux offers a fix via audit2allow. I found another reference elsewhere that uses the same process, but when I try to use the exact commands provided, an error about an unknown switch is reported.

# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd semodule -X 300 -i my-sambadcerpcd.pp
Usage: audit2allow [options]

audit2allow: error: no such option: -X

I can confirm that this is an SELinux problem. If I disable SELinux and restart the smb service, the share appears.

# setenforce 0
# systemctl restart smb.service
# smbclient -L localhost -U jim
Password for [WORKGROUP\jim]:

        Sharename       Type      Comment
        ---------       ----      -------
        data            Disk      Share
        IPC$            IPC       IPC Service (Samba server (4.16.4) on lserver)

If I re-enable SELinux and restart the smb service, the share becomes inaccessible again.

# setenforce 1
# systemctl restart smb.service
# smbclient -L localhost -U jim
Password for [WORKGROUP\jim]:

        Sharename       Type      Comment
        ---------       ----      -------

Clearly SELinux is blocking the ability to browse and access the share, but I cannot tell what the problem is. Why can I not access my share with SELinux enabled?

I ran into this problem while configuring Fedora 36. I have a CentOS 7.9 server with a similar configuration (identical, as far as I know) that does not have this problem with SELinux enforcing enabled.

The following appears to be a related Bugzilla report.
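Added here as an editor's example, not code from the question or from the Samba or SELinux projects: a small POSIX sh triage script that reads setroubleshoot lines of the kind shown above from /var/log/messages and reports, before anyone generates a policy module, which process was denied which permission on which object class and object, what the rsyslog-escaped suggestion actually contains as separate commands, and what state the relevant booleans are in. The sample log lines and boolean listing are constructed from the question's own output (one denial line duplicated to show de-duplication); the function names are my own and the script assumes only sed and awk.

```shell
#!/bin/sh
# Added example (not from the original question): triage SELinux denials
# reported by setroubleshoot before deciding whether a local policy module
# is warranted. Assumes only POSIX sed and awk.

# Constructed sample: a subset of the question's /var/log/messages lines.
# The "#012" sequences are rsyslog's escape for embedded newlines (octal 012).
SAMPLE_LOG=$(cat <<'EOF'
2022-08-16T18:23:00.514283-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file rpcecho. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.515763-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file rpcecho.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the rpcecho sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.521350-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file winreg. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.536250-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file spoolss. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
EOF
)

# Constructed sample of "getsebool -a | grep samba" output, as in the question.
SAMPLE_BOOLS='samba_create_home_dirs --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on'

# Read log text on stdin; print one "process permission class target" line
# per distinct denial (duplicates collapsed by sort -u).
denials() {
  sed -n 's/.*SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the \([^ ]*\) \([^ .]*\)\..*/\1 \2 \3 \4/p' | sort -u
}

# Expand rsyslog's #012 escapes so a multi-line setroubleshoot suggestion
# reads as the separate lines it was written as.
decode_012() {
  awk '{ gsub(/#012/, "\n"); print }'
}

# Keep only the suggested shell commands (decoded lines beginning "# ").
suggested_commands() {
  decode_012 | sed -n 's/^# //p'
}

# Read getsebool output on stdin; print the state of the named boolean,
# or "unknown" if it is not listed.
bool_state() {
  awk -v name="$1" '$1 == name { print $3; found = 1 } END { if (!found) print "unknown" }'
}

# Stand-alone run: triage report for the constructed sample.
echo "== distinct denials (process permission class target) =="
printf '%s\n' "$SAMPLE_LOG" | denials
echo "== commands setroubleshoot suggested (two separate steps) =="
printf '%s\n' "$SAMPLE_LOG" | suggested_commands
echo "== booleans of interest =="
for b in samba_export_all_rw samba_enable_home_dirs samba_export_all_ro; do
  printf '%s: %s\n' "$b" "$(printf '%s\n' "$SAMPLE_BOOLS" | bool_state "$b")"
done
```

The report makes two things visible that the raw log hides. First, every denial is unlink on an object of class sock_file (the named pipes smbd places under /run/samba/ncalrpc/np, the same paths that the "Address already in use" errors name), not on any file under the share, so the samba_share_t label on /data and the samba_export_all_rw boolean cannot influence it. Second, the decoded suggestion is two commands on two lines: the ausearch | audit2allow pipeline, and then semodule -X 300 -i on the module it produced; -X is a semodule option, which is consistent with audit2allow rejecting it when both appear on one line. Even when a local module is the eventual answer, read the generated .te file before installing it, since audit2allow grants exactly the access that was denied and nothing narrower.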