Bug 169947

Summary: Need to share nfs mounts via samba
Product: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Orion Poplawski <orion>
Assignee: Daniel Walsh <dwalsh>
Doc Type: Bug Fix
Last Closed: 2006-05-05 15:06:00 UTC

Description Orion Poplawski 2005-10-05 16:50:52 UTC
Description of problem:
While not the best configuration, we share some nfs mounts via samba.  I see the
following avc denied messages:

time->Wed Oct  5 10:38:47 2005
type=PATH msg=audit(1128530327.948:62045): item=0
name="turb8/rbs/radar03Spectra" flags=103  inode=831810 dev=00:1d mode=040771
ouid=675 ogid=1001 rdev=00:00
type=CWD msg=audit(1128530327.948:62045):  cwd="/data"
type=SYSCALL msg=audit(1128530327.948:62045): arch=40000003 syscall=5
success=yes exit=27 a0=946c498 a1=18800 a2=0 a3=9405ee0 items=1 pid=10164
auid=4294967295 uid=675 gid=0 euid=675 suid=0 fsuid=675 egid=1001 sgid=1001
fsgid=1001 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1128530327.948:62045): avc:  denied  { read } for  pid=10164
comm="smbd" name="radar03Spectra" dev=0:1d ino=831810
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:nfs_t tclass=dir

Perhaps we need some combination of use_nfs_home_dirs and use_samba_home_dirs,
though in this particular case the directories are not "home dirs" per se, just
disks on remote fileservers that people store their data on.  Maybe a
samba_share_nfs boolean?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.3

Comment 1 Daniel Walsh 2005-10-05 17:03:02 UTC
Can you use the context=system_u:object_r:samba_share_t on the nfs mount?

mount -o context=system_u:object_r:samba_share_t server:nfs /mnt/nfs



Comment 2 Orion Poplawski 2005-10-05 17:09:16 UTC
Is this going to conflict with other possible uses of the nfs mounted
directories?  Samba is not the primary mode of access.



Comment 3 Orion Poplawski 2005-10-05 17:10:33 UTC
Also, these are done via automount NIS maps shared on all machines, but only on
exports via samba.  Not sure I want the context to be samba_share_t on all
machines...

Comment 4 Daniel Walsh 2005-10-05 17:14:41 UTC
Yes, this is not a good solution for you.

You might want to add

r_dir_file(smbd_t, nfs_t)

or 

rw_dir_file(smbd_t, nfs_t)

to a local.te file and rebuild policy sources.  Then we can bring up a
discussion on the general list if this functionality should get into the general
policy.

Comment 5 Orion Poplawski 2005-10-05 17:18:55 UTC
Another thought might be to mount as system_u:object_r:user_home_t since I'm
already using use_samba_home_dirs.

Comment 6 Daniel Walsh 2005-10-17 18:14:38 UTC
Fixed in selinux-policy-*-1.27.1-2.6


Comment 7 Orion Poplawski 2005-10-18 17:01:04 UTC
Really?  What was the fix?  I don't see any reference to smbd_t and nfs_t in
policy.conf.



Comment 8 Daniel Walsh 2005-10-18 18:10:34 UTC
Sorry, accidentally grabbed the wrong bugzilla for a global change.

Did the user_home_t mount work?

Dan

Comment 9 Orion Poplawski 2005-10-18 20:12:41 UTC
Well, it breaks kde logins if I mount the nfs home dirs this way:

type=AVC msg=audit(1129664841.283:12): avc:  denied  { associate } for  pid=2828
comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664846.151:13): avc:  denied  { associate } for  pid=2936
comm="mktemp" name="KDE.startkde.el2936" scontext=user_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664846.487:16): avc:  denied  { associate } for  pid=2776
comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664858.984:22): avc:  denied  { associate } for  pid=2981
comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664862.228:23): avc:  denied  { associate } for  pid=3086
comm="mktemp" name="KDE.startkde.ml3086" scontext=user_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664862.552:26): avc:  denied  { associate } for  pid=2943
comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem

haven't tested with samba shares yet...

Comment 10 Orion Poplawski 2005-10-19 15:48:41 UTC
It also breaks a backup process where I use rsync to backup to an nfs mounted
directory:

type=AVC msg=audit(1129717494.234:867): avc:  denied  { associate } for 
pid=23019 comm="rsync" name=".yp.colorado-research.com.2.x2RrHD"
scontext=system_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t
tclass=filesystem
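
The denials quoted in this bug's description and in comments 9 and 10 can be triaged mechanically. The script below is an added example, not part of the bug report or of the Fedora policy package: it joins audit records wrapped across lines (the constructed sample is assembled from the AVC lines quoted in this bug), groups them the way audit2allow does into (source type, target type, class) and merged permissions, renders the corresponding raw allow rules, and separately flags the filesystem "associate" denials, which point at the mount's context= choice rather than at a missing rule for smbd_t. All function names and the sample text are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records assembled from the lines quoted in this bug
# (comment 0: smbd reading an nfs_t directory; comments 9 and 10: "associate"
# denials after an NFS mount was given context=user_home_t). Records are
# wrapped across lines the way the bug shows them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1128530327.948:62045): avc:  denied  { read } for  pid=10164
comm="smbd" name="radar03Spectra" dev=0:1d ino=831810
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=AVC msg=audit(1129664846.151:13): avc:  denied  { associate } for  pid=2936
comm="mktemp" name="KDE.startkde.el2936" scontext=user_u:object_r:user_home_t
tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129717494.234:867): avc:  denied  { associate } for
pid=23019 comm="rsync" name=".yp.colorado-research.com.2.x2RrHD"
scontext=system_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t
tclass=filesystem
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _unwrap(text):
    """Join wrapped audit output back into one line per record.
    A record starts at 'type='; any other line continues the previous one."""
    records = []
    for line in text.splitlines():
        if line.startswith("type="):
            records.append(line.rstrip())
        elif records:
            records[-1] += " " + line.strip()
    return records


def _type_of(context):
    """Third field of user:role:type[:level] is the SELinux type."""
    return context.split(":")[2]


def parse_avc_records(text):
    """Return one dict per AVC denial; PATH/SYSCALL/CWD records are skipped."""
    denials = []
    for rec in _unwrap(text):
        m = AVC_RE.search(rec)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        denials.append({
            "perms": sorted(m.group("perms").split()),
            "comm": fields.get("comm"),
            "name": fields.get("name"),
            "source": _type_of(fields["scontext"]),
            "target": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
        })
    return denials


def summarize(denials):
    """Group denials by (source type, target type, class), merging permissions,
    the same grouping audit2allow performs before emitting rules."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def render_allow_rules(summary):
    """Render grouped denials as raw allow rules. Whether to grant them is a
    policy decision; comment 4 of the bug prefers the r_dir_file()/rw_dir_file()
    macros for smbd_t on nfs_t over a hand-written rule."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


def flag_fs_associate(denials):
    """Filesystem 'associate' denials mean the file's type is not allowed on a
    filesystem labelled with the mount's context= value. They point at the
    chosen mount context, not at a missing rule for the sharing daemon, so they
    are reported separately from the allow-rule summary."""
    return [d for d in denials
            if d["tclass"] == "filesystem" and "associate" in d["perms"]]


if __name__ == "__main__":
    found = parse_avc_records(SAMPLE_AUDIT)
    for rule in render_allow_rules(summarize(found)):
        print(rule)
    for d in flag_fs_associate(found):
        print(f"mount-context problem: {d['comm']} creating {d['name']} "
              f"({d['source']} on a {d['target']} filesystem)")
```

Run against the sample, the summary yields a single `allow smbd_t nfs_t:dir { read };` for the smbd case, while the mktemp and rsync denials are listed as mount-context problems instead of being turned into rules; feeding it `ausearch -m avc` output works the same way, since real records are not wrapped and the unwrap step then has nothing to join.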


Comment 11 Daniel Walsh 2006-05-05 15:06:00 UTC
Closing, as these have been marked as modified for a while.  Feel free to reopen
if not fixed.