Bug 181941

Summary: Unable to create/copy folder to home directory
Product: [Fedora] Fedora Reporter: David Bentley <david.r.bentley>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: fenlason, nalin
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-08-15 11:48:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
relavent info from audit.log none

Description David Bentley 2006-02-17 20:48:04 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.12) Gecko/20051127 Fedora/1.7.12-1.1.1.legacy

Description of problem:
When yuo access your home directory over the network I am able to write and copy
files to it and delete them but if you try to create a folder I get an error 
message saying Error creating new folder you do not have permissions to write to
the destination.

A similar thing happens if you try to copy a folder to your home directory this 
time you get an error while copying message Error "Access denied" while copying

I have tried it with the SMBD NMBD disabled then restarting the samba service
and this makes no difference.

The problem is present on both of my machines installed from FC5T2 and fully
updated and I think has only occured recently.

NB a users home directory gets permissions of 1600700 by default and changing this to 1600777 has no effect either.

Version-Release number of selected component (if applicable):
samba-3.0.21b-2

How reproducible:
Always

Steps to Reproduce:
see description

Actual Results:  see description

Expected Results:  The ability to create folders and copy folders and their contents to my home 
directory or any other folder that is shared with samba and has the appropriate
permissions set. 



Additional info:

The firewalls on both test machines are active but set to pass SMB traffic.
Comment 1 Nalin Dahyabhai 2006-02-17 23:18:05 UTC 
In case it helps with debugging, what OS is your client system running?  If it's
Linux, which version of Samba?
Comment 2 David Bentley 2006-02-17 23:42:42 UTC 
Tested this to both FC5T2 machines from my FC1 box running the following :-

samba-client-3.0.10-1.fc1.1.legacy
samba-common-3.0.10-1.fc1.1.legacy
samba-3.0.10-1.fc1.1.legacy

and from one test machine to the other both running the following :-

samba-client-3.0.21b-2
samba-common-3.0.21b-2
samba-3.0.21b-2

and from my laptop running WINDOWS 98SE which gives similar error messages
when either trying to copy a folder or create a folder 

When trying to create folder you get Problem creating object Access denied and 
when trying to copy a folder you ger Error Creating File Cannot create or
replace xxxxxx: Access denied.

I can test from WINDOWS 2000, XP PRO and FC3 as well if required.
Comment 3 David Bentley 2006-02-18 00:08:34 UTC 
Just tried something else booted  one of the test machines with enforcing=0
and hey presto I can now both copy and create folders in my home directory so it 
would appear to be an selinux problem not a samba problem. I will test some more 
in the morning  (just after midnight here now)  I will look for error messages
in the various log files to see if they contain any relavent clues.
Comment 4 David Bentley 2006-02-18 00:42:33 UTC 
Created attachment 124844 [details]
relavent info from audit.log

This is what ends up in audit.log when trying to copy a folder to my home
directory.
Comment 5 Nalin Dahyabhai 2006-02-20 16:15:51 UTC 
If you run 'getsebool samba_enable_home_dirs', does it return 'off'?  If so, can
you retry after running 'setsebool samba_enable_home_dirs 1'?
Comment 6 David Bentley 2006-02-20 23:05:51 UTC 
Unfortunately it returns samba_enable_home_dirs --> on

Which was as expected as I have ticked the box for this in the samba selinux 
options.
Comment 7 David Bentley 2006-02-20 23:23:45 UTC 
Just notice somethig else.

A folder which is in my home directory with me as the owner is also un-deletable
when accessed remotely and so are the folders below it but all of the files get 
deleted OK.

The error this time says error while deleting smb://bentl...iles/e1000
cannot be deleted because you do not have permissions to modify the parent
folder.

e1000 is a folder 1 level down from the one in my home directory that I am
trying to delete. (NB the files in that deiectory are deleted though)
Comment 8 David Bentley 2006-02-20 23:56:41 UTC 
I will be doing a fresh install of fc5test3 on one of the machines that exhibit 
the problems described tomorrow evening so I will see if the problem goes away 
after the fresh install.
Comment 9 David Bentley 2006-02-21 22:40:45 UTC 
Having done a fresh install the problem still exists as described.
So I tried it with both the smbd nmbd selinux protection disabled and reebooted
and now everything works as expected (sligtly less brute force approach than
enforcing=0 at boot) although I thought that I had tried this approch I probably
did'nt reboot then test as I have just done. 

Hope this narrows things down a bit.
Comment 10 David Bentley 2006-03-01 20:06:58 UTC 
As this is an SELINUX issue should this be moved from samba to selinux.
Comment 11 David Bentley 2006-03-06 18:40:47 UTC 
Just wondered has this been forgotten about or will it get fixed post FC5 release.
Comment 12 David Bentley 2006-03-19 19:38:37 UTC 
If this is still aparent in FC5 final (hope to get it downladed and installed
tomorrow should this be re-assigned as FC5 or left as devel.
Comment 13 David Bentley 2006-03-22 16:22:10 UTC 
I can confirm that this problem is still present on a freshly installed 
FC5 system and my system still running rawhide now with an updated samba 
samba-3.0.21c-2 (FC5 has samba-3.0.21b-2.i386.rpm)
Comment 14 Jay Fenlason 2006-03-22 16:27:04 UTC 
I'm sending this to the policy guys.
Comment 15 David Bentley 2006-04-11 11:20:22 UTC 
This got moved to selinux-policy some while ago and I see that there are a lot 
of selinux fixes being done has this problem been looked at yet.
Comment 16 Daniel Walsh 2006-04-11 15:20:40 UTC 
try 

grep smbd /var/log/message | audit2allow -M samba

semodule -i samba.pp

Policy fixed in selinux-policy-2.2.30-1
Comment 18 David Bentley 2006-08-14 22:29:20 UTC 
I can confirm that all is now well and this can be closed.