Bug 169947

Summary: Need to share nfs mounts via samba
Product: Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 4
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-05-05 11:06:00 EDT

Description Orion Poplawski 2005-10-05 12:50:52 EDT
Description of problem:
While not the best configuration, we share some nfs mounts via samba.  I see the
following avc denied messages:

time->Wed Oct  5 10:38:47 2005
type=PATH msg=audit(1128530327.948:62045): item=0
name="turb8/rbs/radar03Spectra" flags=103  inode=831810 dev=00:1d mode=040771
ouid=675 ogid=1001 rdev=00:00
type=CWD msg=audit(1128530327.948:62045):  cwd="/data"
type=SYSCALL msg=audit(1128530327.948:62045): arch=40000003 syscall=5
success=yes exit=27 a0=946c498 a1=18800 a2=0 a3=9405ee0 items=1 pid=10164
auid=4294967295 uid=675 gid=0 euid=675 suid=0 fsuid=675 egid=1001 sgid=1001
fsgid=1001 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1128530327.948:62045): avc:  denied  { read } for  pid=10164
comm="smbd" name="radar03Spectra" dev=0:1d ino=831810
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:nfs_t tclass=dir

Perhaps we need some combination of use_nfs_home_dirs and use_samba_home_dirs,
though in this particular case the directories are not "home dirs" per se, just
disks on remote fileservers that people store their data on.  Maybe a
samba_share_nfs boolean?

Version-Release number of selected component (if applicable):
Comment 1 Daniel Walsh 2005-10-05 13:03:02 EDT
Can you use the context=system_u:object_r:samba_share_t on the nfs mount?

mount -o context=system_u:object_r:samba_share_t server:nfs /mnt/nfs

Comment 2 Orion Poplawski 2005-10-05 13:09:16 EDT
Is this going to conflict with other possible uses of the nfs mounted
directories?  Samba is not the primary mode of access.

Comment 3 Orion Poplawski 2005-10-05 13:10:33 EDT
Also, these are done via automount NIS maps shared on all machines, but only on
exports via samba.  Not sure I want the context to be samba_share_t on all
Comment 4 Daniel Walsh 2005-10-05 13:14:41 EDT
Yes, this is not a good solution for you.

You might want to add

r_dir_file(smbd_t, nfs_t)


rw_dir_file(smbd_t, nfs_t) 

to a local.te file and rebuild policy sources.  Then we can bring up a
discussion on the general list if this functionality should get into the general
Comment 5 Orion Poplawski 2005-10-05 13:18:55 EDT
Another thought might be to mount as system_u:object_r:user_home_t since I'm
already using use_samba_home_dirs.
Comment 6 Daniel Walsh 2005-10-17 14:14:38 EDT
Fixed in selinux-policy-*-1.27.1-2.6
Comment 7 Orion Poplawski 2005-10-18 13:01:04 EDT
Really?  What was the fix?  I don't see any reference to smbd_t and nfs_t in

Comment 8 Daniel Walsh 2005-10-18 14:10:34 EDT
Sorry, accidentally grabbed the wrong bugzilla for a global change.

Did the user_home_t mount work?

Comment 9 Orion Poplawski 2005-10-18 16:12:41 EDT
Well, it breaks kde logins if I mount the nfs home dirs this way:

type=AVC msg=audit(1129664841.283:12): avc:  denied  { associate } for  pid=2828
comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664846.151:13): avc:  denied  { associate } for  pid=2936
comm="mktemp" name="KDE.startkde.el2936" scontext=user_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664846.487:16): avc:  denied  { associate } for  pid=2776
comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664858.984:22): avc:  denied  { associate } for  pid=2981
comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664862.228:23): avc:  denied  { associate } for  pid=3086
comm="mktemp" name="KDE.startkde.ml3086" scontext=user_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664862.552:26): avc:  denied  { associate } for  pid=2943
comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem

haven't tested with samba shares yet...
Comment 10 Orion Poplawski 2005-10-19 11:48:41 EDT
It also breaks a backup process where I use rsync to backup to an nfs mounted

type=AVC msg=audit(1129717494.234:867): avc:  denied  { associate } for 
pid=23019 comm="rsync" name=".yp.colorado-research.com.2.x2RrHD"
scontext=system_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t
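As an added example (not part of this bug report or of the selinux-policy package), a small parser that re-joins the wrapped audit records shown in this report, groups the denials by source type, target type and object class, and renders the allow rules a local.te module would need, flagging the filesystem:associate case from comments 9 and 10 separately. The sample records below are constructed from the lines above.

```python
import re
from collections import defaultdict
# Constructed sample in the wrapped format seen in this bug report
SAMPLE_AUDIT = """\
time->Wed Oct  5 10:38:47 2005
type=AVC msg=audit(1128530327.948:62045): avc:  denied  { read } for  pid=10164
comm="smbd" name="radar03Spectra" dev=0:1d ino=831810
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=AVC msg=audit(1129664841.283:12): avc:  denied  { associate } for  pid=2828
comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def join_records(text):
    """Re-join audit records whose fields were wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if line.startswith("type="):
            records.append(line.rstrip())
        elif records and line.strip() and not line.startswith("time->"):
            records[-1] += " " + line.strip()
    return records

def summarize_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for rec in join_records(text):
        m = AVC_RE.search(rec)
        if not m:
            continue
        stype = m.group("scontext").split(":")[2]  # user:role:type[:level]
        ttype = m.group("tcontext").split(":")[2]
        summary[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return {key: sorted(perms) for key, perms in summary.items()}

def allow_rules(summary):
    """Render allow rules for local.te; flag filesystem:associate, whose source is a file label, not a domain."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        if tclass == "filesystem" and "associate" in perms:
            rules.append(f"# {stype} files cannot associate with a {ttype} filesystem")
        else:
            rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};")
    return rules
```

The flagged entry is what the user_home_t mount in comments 9 and 10 trips: a context= mount labels the filesystem itself with that type, and policy does not let user_home_t files associate with a user_home_t filesystem, so the fix there is a different mount label rather than an allow rule.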
Comment 11 Daniel Walsh 2006-05-05 11:06:00 EDT
Closing as these have been marked as modified for a while.  Feel free to reopen
if not fixed.