Bug 144513

Summary: RFE: Prompt user to relabel samba share
Product: [Fedora] Fedora
Component: system-config-samba
Version: rawhide
Hardware: i386
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Keywords: FutureFeature
Doc Type: Enhancement
Reporter: Ivan Gyurdiev <ivg231>
Assignee: Nils Philippsen <nphilipp>
CC: dwalsh
Last Closed: 2006-09-27 23:46:34 UTC

Description Ivan Gyurdiev 2005-01-07 21:18:49 UTC
Description of problem:
It would be nice if system-config-samba asked the user if he/she
would like to relabel shares to samba_share_t if selinux is 
turned on, and the shares cannot be accessed by smbd.

dwalsh:

>Excellent. Where can I find such information in the future?
>There must be a better way of communicating to the user what 
>the needed contexts are instead of looking at the policy
>(which is in binary form on my machine).
>How about integrating some sort of check in 
>system-config-samba that asks if it should
>relabel those shares for you when you add them?
>
>Or some sort of document (for Samba) like the one for HTTP that 
>kwade mentioned.
>
>Also, what about home directories?
>
Sounds like a good idea.  Could you submit a bugzilla?  Thanks.


Version-Release number of selected component (if applicable):
N/A

How reproducible:
Always

Steps to Reproduce:
1. See summary
    

Additional info:

Comment 1 Ivan Gyurdiev 2005-02-10 05:05:42 UTC
I should note that samba_share_t is now a customizable file type
in selinux, which means it will survive a restorecon.

What's the status of this bug?


Comment 2 Daniel Walsh 2005-02-10 14:54:31 UTC
This is not as easy as it seems.  What happens if a labeled part of
the system wants to be shared via samba?  I.e., I want to share /var/log.
I don't want to relabel that samba_share_t.

Dan

Comment 3 Ivan Gyurdiev 2005-02-10 17:27:59 UTC
Well, if you don't relabel it, it won't work properly.
Maybe the user should be warned if relabeling from a system
context. 

I was interested in a way to autogenerate mixed types on the fly
that merge access rules. Someone wrote a script for that on the 
selinux list, but the discussion didn't go anywhere from there.

Comment 4 Nils Philippsen 2006-09-19 13:37:38 UTC
Is this still an issue and is it solvable in s-c-samba?

Comment 5 Daniel Walsh 2006-09-19 14:22:55 UTC
Yes the place to solve this is s-c-samba.

Basically if you create a new directory tree that you wish to share via samba
(not Home Directory or existing files), you should label it samba_share_t.

Might not be as big a problem since setroubleshoot tells the user the same thing.

Dan

Comment 6 Nils Philippsen 2006-09-20 08:23:18 UTC
Is this type consistent throughout all the policies we offer (not only the one
we support, i.e. targeted)?

Comment 7 Daniel Walsh 2006-09-20 12:59:36 UTC
Yes, the problem is s-c-samba figuring out whether to relabel the directory tree
or not.  I am thinking we may want to punt on this and allow setroubleshoot to
handle it.  Or at most advise them of what SELinux would require.

You can look at man selinux_samba for a good definition of what SELinux will do
with samba.
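
A sketch of the relabel-or-advise decision discussed in Comments 3, 5 and 7, added here as an example; it is not code from system-config-samba. The `advise` function, its action names and the two type sets are assumptions made for illustration, and the sample paths are constructed.

```python
import os
import shlex

SHARE_TYPE = "samba_share_t"
# Assumption: types that mean "no specific label yet"; extend for your policy.
GENERIC_TYPES = {"default_t", "file_t", "unlabeled_t"}
# Assumption: home-directory types, left alone as Comment 5 says.
HOME_TYPES = {"home_root_t", "user_home_dir_t", "user_home_t"}


def selinux_type(path):
    """Return the type field of path's SELinux context, or None if unlabeled."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):  # missing path, no label, or non-Linux
        return None
    fields = raw.rstrip(b"\0").decode().split(":")  # user:role:type[:level]
    return fields[2] if len(fields) >= 3 else None


def advise(path, current_type):
    """Return (action, message) for a directory about to be shared."""
    if current_type is None:
        return ("none", "no SELinux label on %s; nothing to relabel" % path)
    if current_type == SHARE_TYPE:
        return ("ok", "%s is already %s" % (path, SHARE_TYPE))
    if current_type in HOME_TYPES:
        return ("skip", "%s is home directory content; do not relabel" % path)
    if current_type in GENERIC_TYPES:
        # Comment 1: samba_share_t is customizable, so it survives restorecon.
        cmd = "chcon -R -t %s %s" % (SHARE_TYPE, shlex.quote(path))
        return ("relabel", cmd)
    # Anything else is a system context (the /var/log case): advise only.
    return ("warn", "%s is labeled %s; relabeling to %s would replace that "
            "system type, so only advise the user"
            % (path, current_type, SHARE_TYPE))


# Constructed sample (path, type) pairs, not taken from a real system.
SAMPLES = [("/srv/newshare", "default_t"), ("/var/log", "var_log_t"),
           ("/home/ivan", "user_home_dir_t"), ("/srv/pub", "samba_share_t")]

if __name__ == "__main__":
    for path, ctype in SAMPLES:
        print(path, *advise(path, ctype))
```

On a live system the second argument would come from `selinux_type(path)`; the decision is kept separate so it can be exercised without SELinux present.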