I’ve run into another issue: After upgrading to Rockstor 3.8.15 I’ve lost access to my SMB shares again.
I was only able to access my home directory share, all the other shares were denied. So I figured it was SELinux getting in the way again. Sure enough after running
#setenforce 0
and verifying that SELinux was in permissive mode I ran
Now I can access my samba shares over the network but I’m clearly running into SELinux deny problems. Honestly I haven’t had a chance to troubleshoot it past those log issues, I just thought I’d post and see if someone else ran into this, or am I the only one?
Further reading up on the issues on other forums with CentOS 7 and SMB share
[root@chipnas ~]# audit2allow -a
#============= postfix_local_t ==============
allow postfix_local_t admin_home_t:file getattr;
#============= smbd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# samba_export_all_ro, samba_export_all_rw
allow smbd_t ldconfig_exec_t:file { read open };
allow smbd_t ldconfig_exec_t:file { execute execute_no_trans };
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow smbd_t postgresql_t:unix_stream_socket connectto;
allow smbd_t postgresql_var_run_t:sock_file write;
#!!!! This avc can be allowed using the boolean 'samba_export_all_rw'
allow smbd_t usr_t:dir { write add_name };
#!!!! This avc can be allowed using the boolean 'samba_export_all_rw'
allow smbd_t usr_t:file { write create append };
allow smbd_t var_run_t:sock_file write;
#============= systemd_sysctl_t ==============
allow systemd_sysctl_t tmp_t:file open;
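An added example (not part of the original posts and not Rockstor code): rather than leaving the box in permissive mode, the audit2allow output above can be sorted into denials a policy boolean would cover and denials no boolean covers. The function names are hypothetical, and the script assumes each `#!!!!` hint applies only to the allow rule directly after it, as in that output.

```shell
#!/bin/sh
# Added example. Sample input: the audit2allow -a output quoted in the thread.
sample_audit2allow() {
cat <<'EOF'
#============= postfix_local_t ==============
allow postfix_local_t admin_home_t:file getattr;
#============= smbd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     samba_export_all_ro, samba_export_all_rw
allow smbd_t ldconfig_exec_t:file { read open };
allow smbd_t ldconfig_exec_t:file { execute execute_no_trans };
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow smbd_t postgresql_t:unix_stream_socket connectto;
allow smbd_t postgresql_var_run_t:sock_file write;
#!!!! This avc can be allowed using the boolean 'samba_export_all_rw'
allow smbd_t usr_t:dir { write add_name };
#!!!! This avc can be allowed using the boolean 'samba_export_all_rw'
allow smbd_t usr_t:file { write create append };
allow smbd_t var_run_t:sock_file write;
#============= systemd_sysctl_t ==============
allow systemd_sysctl_t tmp_t:file open;
EOF
}
# classify (hypothetical helper): one "domain<TAB>booleans-or-NONE<TAB>rule" line per allow rule.
# Assumption: a "#!!!!" hint applies only to the allow rule that follows it.
classify() {
  awk -v q="'" '
    /^#=+ /                              { domain = $2; hint = ""; next }
    /^#!!!! / && index($0, "boolean " q) { split($0, p, q); hint = p[2]; next }
    /^#!!!! / && index($0, "booleans:")  { list = 1; next }
    list && /^#/ { sub(/^#[ \t]*/, ""); gsub(/,[ \t]*/, ","); hint = $0; list = 0; next }
    /^allow /    { print domain "\t" (hint == "" ? "NONE" : hint) "\t" $0; hint = "" }
  '
}
# Booleans that would silence at least one denial for domain $1 (review each before enabling).
boolean_candidates() {
  classify | awk -F'\t' -v d="$1" '$1 == d && $2 != "NONE" {
    n = split($2, b, ","); for (i = 1; i <= n; i++) print b[i] }' | sort -u
}
# Denials for domain $1 that no boolean covers.
uncovered_rules() {
  classify | awk -F'\t' -v d="$1" '$1 == d && $2 == "NONE" { print $3 }'
}
echo "smbd_t booleans to review:";    sample_audit2allow | boolean_candidates smbd_t
echo "smbd_t rules with no boolean:"; sample_audit2allow | uncovered_rules smbd_t
```

`samba_export_all_rw` lets smbd read and write files of nearly any type, so where the denials come from the label on the share path, labelling that path `samba_share_t` is the narrower change. On a live system the same functions take `audit2allow -a` on stdin in place of the sample.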
Champion. I lost access last week, backed everything up and decided to give FreeNAS another go, got frustrated with it. Reinstalled Rockstor 30 mins ago, set it up, created a share, boom. Same problem. No SMB shares working.
I was pulling my hair out with these Samba issues until I ran into this post. Setting setenforce 0 worked for me to give me access to the shares. What downsides should I expect from this, and why is this not working by default (this is a fresh install)?
I’m a little confused by this currently as my understanding was that Rockstor set the following in /etc/selinux/config
SELINUX=disabled
And that is what I see here on my systems. From @tristancrockett’s comment and @Tylor’s fresh install comment it looks like an upstream update may have overwritten something I thought we enforced (although I can’t quite find where this is done now). I’m assuming here that no manual intervention took place with the selinux settings prior to these problems.
I have just checked for this rogue update here by ‘yum update’ and I still have the same setting, as expected, although there were new selinux policy updates. Also I have just checked the setting on a fresh 3.8.15.iso install and it is also disabled and remains this way after then updating this install to 3.8.15-15 testing channel release.
It would be great to work with selinux enabled and my understanding is that there are intentions to move in that direction, which I’m all in favour of, but that currently selinux is disabled.
Hi @phillxnet,
actually have read this thread more than once and can only confirm Rockstor default (dev env + updated env) is without SELinux, so it should be fine
A few notes here. I’m sorry I haven’t had a chance to respond to this over the weekend. I got caught up remodeling a section of my kitchen! My wife is so much happier now
So what I have found is that when I install Rockstor on a VM it disables SELinux… When I install Rockstor on physical hardware it enables SELinux. I don’t know why. (Granted that was for Rockstor 3.8.14, I have not reinstalled Rockstor since 3.8.15, just an in-place upgrade.)
#setenforce 0
only sets SELinux in permissive mode; it basically disables SELinux but logs anything to an audit.log so you can see why SELinux is denying access to whatever it is you’re trying to do. It ALSO only sets it to permissive mode for your current boot cycle. If you reboot the box, you’ll go back to enforcing. So you’ll need to make that change permanently.
Looking at my box, the only thing I had to change when installing on my physical box (no VMs)
[root@chipnas ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
The only thing I changed for installing was making sure my root partition was btrfs. Somehow SELinux was getting set to enable too? Weird.
@Michael_Stufflebeam Yes this is weird as the test I did earlier was on both a VM (KVM) and real hw but a non UEFI system. And I used the 3.8.15.iso. In both cases I have same as you in that file only with the:
SELINUX=disabled
So I’m still at a bit of a loss.
Thanks for the additional input on this one, hopefully as we get more info on this we can work out what’s going on.
@phillxnet
More hardware notes: I’m running an A8-7600 on a Gigabyte A88X FM2+ motherboard with 16GB RAM and 7 x 3TB hard drives with the primary drive (Rockstor Root) a 120 GB PNY SSD. I believe the motherboard is UEFI.
Don’t mean to be debbie downer here but you ALL should be using SELINUX=Permissive unless you have good reason not to. All that means is that selinux won’t enforce ANY actions but give you logs. If you EVER want to use it, you’re all set but if you’re at disabled, this involves redoing all file entries for selinux at a later time. No big deal for new systems. There is also a guide on the forums I helped put together to use SELINUX. I know people don’t like it but once you set it up and get going you don’t have to worry about it much more. You have little protection otherwise if a daemon runs crazy or something gets compromised.
I’ve changed hardware today in my NAS. Was unable to reinstall as I couldn’t get the new Skylake hardware booting off USB. (Other linux installers work fine). Reverted to the original installation. Couldn’t access the web GUI. Ran rm /opt/rockstor/.initrock and /opt/rockstor/bin/initrock. Reset up my network and imported the pools from the drives.
Now I cannot access my shares after re-creating them in Samba. Even after running setenforce 0
This is pretty frustrating as I seem to be hitting nothing but potholes with Rockstor…
EDIT: I’ve moved back to FreeNAS (reluctantly) until Rockstor is stable. You guys are making a great product and I can’t wait to see a stable, mature BTRFS NAS product available. But until that time, I can’t afford to keep running into these issues.