Bug 187197

Summary: Samba anon - setsebool command fails
Product: [Fedora] Fedora
Reporter: Al Dunsmuir <al.dunsmuir>
Component: libsemanage
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium    
Version: 5   
Hardware: i386   
OS: Linux   
Fixed In Version: current
Doc Type: Bug Fix
Last Closed: 2007-03-16 03:35:08 UTC

Description Al Dunsmuir 2006-03-29 05:03:34 UTC
Description of problem: setsebool -P allow_smb_anon_write=1 fails
Attempted to use this setsebool command as documented in
http://fedora.project.org/wiki/SELinux/samba to allow anon R/W.
R/W for home directory for user defined on both FC5 and XP is OK.

getsebool -a | grep smb returns 
allow_smbd_anon_write --> off

Version-Release number of selected component (if applicable): FC5

How reproducible:
100%

Steps to Reproduce:
1. Use advice from man samba_selinux(8) or wiki copy
2. Try to get anon samba write to work as documented
3. Notice that the man page and wiki have a typo!
4. Enter corrected command.  Boolean is now set, but R/W for anon still doesn't work even after reboot of FC5 system
  
Actual results: "setsebool -P allow_smb_anon_write=1" failed with
 libsemanage.dbase_llist_set: record not found in the database
 libsemanage.dbase_llist_set: could not set record value
 Could not change boolean allow_smb_anon_write
 Could not change policy booleans

Expected results: Change to boolean, and working Samba anon R/W

Additional info:
The man page says to issue "setsebool -P allow_smb_anon_write=1"... but the
actual command needs to be "setsebool -P allow_smbd_anon_write=1".  This works
to set the required flag... even though Samba anon R/W is still not working for
me. I only spotted it because I typed in the grep command and results above.
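
The check the reporter did by hand with `getsebool -a | grep smb`, as an added example (not part of the bug report or of any Fedora tool): a pre-flight that resolves a boolean name against the policy's boolean list before `setsebool -P` is run, and offers candidates when the name is unknown. The function names and the sample listing are constructed for illustration; on a live system the listing would come from `getsebool -a`.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a` output (assumption: same "name --> state"
# layout as shown in the report). On a live system: BOOLEANS=$(getsebool -a)
SAMPLE_BOOLEANS='allow_httpd_anon_write --> off
allow_smbd_anon_write --> off
samba_enable_home_dirs --> on
use_samba_home_dirs --> off'

# boolean_names LISTING: print only the boolean names, one per line.
boolean_names() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# resolve_boolean NAME LISTING (hypothetical helper)
# If NAME is defined, print it and return 0.
# Otherwise print every defined boolean that contains each underscore-separated
# token of NAME as a substring (a simple "did you mean" heuristic), return 1.
resolve_boolean() {
    want=$1
    names=$(boolean_names "$2")

    # Exact, whole-line match so that a prefix of a real name is not accepted.
    if printf '%s\n' "$names" | grep -Fqx -- "$want"; then
        printf '%s\n' "$want"
        return 0
    fi

    candidates=$names
    for tok in $(printf '%s' "$want" | tr '_' ' '); do
        # grep exits non-zero when nothing matches; keep going with an empty list.
        candidates=$(printf '%s\n' "$candidates" | grep -F -- "$tok" || true)
    done
    printf '%s\n' "$candidates"
    return 1
}

# Demo with the name from the man page as quoted in this report.
if name=$(resolve_boolean allow_smb_anon_write "$SAMPLE_BOOLEANS"); then
    echo "ok, would run: setsebool -P $name=1"
else
    echo "unknown boolean 'allow_smb_anon_write'; defined candidates: ${name:-none}"
fi
```

Running the pre-flight first turns the libsemanage "record not found in the database" failure into a message that names the boolean the policy actually defines.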

Comment 1 Al Dunsmuir 2006-03-30 01:03:38 UTC
I tried something else, and it worked:  I used "chmod 777 /home/share" to make
the directory writable via anonymous Samba user.  I am unsure whether this is
going overboard, however, since it makes it world writable from all sources, not
just Samba.  It may be an obvious point, but perhaps worth mentioning in the
manpage?

I'm reducing severity to normal, as I'm OK now but updating this as part of the
next manpages revision (and updating the wiki) would be really helpful for others.

Comment 2 Daniel Walsh 2006-03-30 20:50:00 UTC
Fixed in selinux-policy-2.2.25-3.fc5

Comment 3 Daniel Walsh 2007-03-16 03:35:08 UTC
Closing several old modified bugs