Bug 236460

Summary: SELinux Samba - files in home directories have wrong user context
Product: [Fedora] Fedora
Reporter: Anthony Messina <amessina>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, sdsmall
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2007-09-10 15:14:21 UTC

Description Anthony Messina 2007-04-14 15:02:27 UTC
Description of problem:
When files are created in a Samba home directory (or otherwise), SELinux labels
them with user: root_u instead of user_u

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-54.fc6
samba-3.0.24-4.fc6

How reproducible:
Every time

Steps to Reproduce:
1. Create a file/folder via Samba in a Samba share
2. ls -lZ that directory
3.
  
Actual results:
The user is root_u instead of user_u

Expected results:
I would think that the user should be user_u, not root_u, even though Samba runs
as root.

Additional info:

Comment 1 Daniel Walsh 2007-04-16 15:21:52 UTC
Yes but in order to do this Samba would have to have SELinux knowledge in it. 
For now it does not.  Luckily in Targeted policy this should not be a big problem.



Comment 2 Simo Sorce 2007-08-24 13:33:32 UTC
Please don't mess with status tags :)
Reassigning to selinux maintainer

Comment 3 Daniel Walsh 2007-08-24 13:55:12 UTC
Actually ordinarily they should be created as system_u if samba was started at
bootup.  If someone logs in as root and does a system samba restart, it will
give the files root as the user.  If the user logs in as a normal user and su to
root and restarts the samba daemon, the files will get created with whatever
SELinux user the user logged in as.

So we can either leave this as is or change samba to ask SELinux what the user's
default SELinux user account is and change the files to the appropriate SELinux
context.  In the long run this is probably the best course of action but it
makes Samba an SELinux aware application.  Samba could then also ask the system
if this remote user is capable of rwx files directories of this context.   For
example, Samba is allowed to rwx files in all users' directories, but dwalsh
might be a guest user and simo a full user, SELinux would not allow dwalsh to
create a file in simo's directory even if the directory had 777 permissions.  But
through samba it would be allowed.

So this will not be fixed in FC6 or Fedora 7, but could be looked at in the future.

Of course this work would be best done by the Samba Developers.
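
One way to audit a share for the labels discussed in comment 3, as an added example that is not part of the bug report and is not code from Samba or selinux-policy: it reads each entry's `security.selinux` extended attribute and lists those whose SELinux user differs from the expected one. The function names, the injectable `reader` parameter and the expected user passed on the command line are assumptions of this example.

```python
import os
import sys

XATTR = "security.selinux"  # where the kernel stores a file's SELinux context

def parse_context(raw):
    """Split 'user:role:type[:level]'; an MLS level may itself contain ':'."""
    parts = raw.rstrip("\x00\n").split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("not an SELinux context: %r" % raw)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}

def read_label(path):
    """Return the context string of path, or None if it carries no label."""
    try:
        raw = os.getxattr(path, XATTR, follow_symlinks=False)
        return raw.decode("utf-8", errors="replace")
    except OSError:  # no label, or a filesystem without xattr support
        return None

def mismatched_users(root, expected_user, reader=read_label):
    """List (path, selinux_user) for entries under root labelled with another user."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            raw = reader(path)
            if raw is None:
                continue
            try:
                user = parse_context(raw)["user"]
            except ValueError:
                user = "<malformed>"
            if user != expected_user:
                findings.append((path, user))
    return sorted(findings)

if __name__ == "__main__":
    # usage: script.py SHARE_DIR EXPECTED_SELINUX_USER
    for path, user in mismatched_users(sys.argv[1], sys.argv[2]):
        print("%s\t%s" % (user, path))
```

Entries without a label are skipped, so the script can be pointed at a share on a filesystem that does not store SELinux attributes without producing false findings.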

Comment 4 Anthony Messina 2007-08-24 15:03:15 UTC
(In reply to comment #2)
> Please don't mess with status tags :)
> Reassigning to selinux maintainer

Sorry about that.  I was trying to clean up to let you know I don't have an
issue with this anymore since it doesn't affect function, as dwalsh pointed out
previously.