Bug 236460
| Field | Value |
|---|---|
| Summary | SELinux Samba - files in home directories have wrong user context |
| Product | [Fedora] Fedora |
| Component | selinux-policy-targeted |
| Version | rawhide |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Hardware | All |
| OS | Linux |
| Reporter | Anthony Messina <amessina> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Ben Levenson <benl> |
| CC | dwalsh, sdsmall |
| Doc Type | Bug Fix |
| Last Closed | 2007-09-10 15:14:21 UTC |

Description
Anthony Messina
2007-04-14 15:02:27 UTC
Yes, but in order to do this Samba would have to have SELinux knowledge in it. For now it does not. Luckily, in Targeted policy this should not be a big problem.

Please don't mess with status tags :)
Reassigning to selinux maintainer

Actually, ordinarily they should be created as system_u if samba was started at bootup. If someone logs in as root and does a system samba restart, it will give the files root as the user. If the user logs in as a normal user and su's to root and restarts the samba daemon, the files will get created with whatever SELinux user the user logged in as.

So we can either leave this as is or change samba to ask SELinux what the user's default SELinux user account is and change the files to the appropriate SELinux context. In the long run this is probably the best course of action, but it makes Samba an SELinux-aware application. Samba could then also ask the system if this remote user is capable of rwx files/directories of this context. For example, Samba is allowed to rwx files in all users' directories, but dwalsh might be a guest user and simo a full user; SELinux would not allow dwalsh to create a file in simo's directory even if the directory had 777 permissions. But through samba it would be allowed.

So this will not be fixed in FC6 or Fedora 7, but could be looked at in the future. Of course this work would be best done by the Samba Developers.

(In reply to comment #2)
> Please don't mess with status tags :)
> Reassigning to selinux maintainer

Sorry about that. I was trying to clean up to let you know I don't have an issue with this anymore since it doesn't affect function, as dwalsh pointed out previously.
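
The labeling behaviour described in the comments above, as an added example that is not part of the original bug thread: a small Python model of the default rule (a new file takes the SELinux user of the process that creates it) and an audit of an `ls -Z`-style listing for unexpected users. The `smbd_t`, `user_u` and `user_home_t` labels, the file names and the helper names are constructed for illustration.

```python
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str = ""  # optional MLS/MCS part, e.g. "s0"

def parse_context(text: str) -> Context:
    parts = text.strip().split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {text!r}")
    return Context(*parts)

def default_file_context(process: Context, parent_dir: Context) -> Context:
    # Default labeling when no type_transition rule applies and the creator
    # is not SELinux-aware: user from the creating process, role object_r,
    # type from the parent directory. The MLS/MCS level is not modelled here.
    return Context(process.user, "object_r", parent_dir.type)

def mismatched_users(listing: str, expected_user: str) -> list:
    """Return (path, selinux_user) for entries whose user field differs."""
    hits = []
    for line in listing.splitlines():
        fields = line.split()
        # The context is the first token with at least two colons.
        idx = next((i for i, f in enumerate(fields) if f.count(":") >= 2), None)
        if idx is None or idx == len(fields) - 1:
            continue  # no context or no file name on this line
        ctx = parse_context(fields[idx])
        if ctx.user != expected_user:
            hits.append((" ".join(fields[idx + 1:]), ctx.user))
    return hits

# Constructed smbd contexts for the three start-up cases in the comment.
SMBD_STARTED_AT_BOOT = parse_context("system_u:system_r:smbd_t")
SMBD_RESTARTED_BY_ROOT = parse_context("root:system_r:smbd_t")
SMBD_RESTARTED_VIA_SU = parse_context("user_u:system_r:smbd_t")
PARENT_DIR = parse_context("user_u:object_r:user_home_t")  # constructed

# Constructed `ls -Z`-style listing of a directory written to through Samba.
SAMPLE_LISTING = """\
-rw-r--r-- amessina amessina user_u:object_r:user_home_t notes.txt
-rw-r--r-- amessina amessina root:object_r:user_home_t from-share.doc
-rw-r--r-- amessina amessina system_u:object_r:user_home_t scan 01.pdf
"""
```

On a live system the listing would come from `ls -Z` on the share path and the process context from `ps -eZ`.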