Bug 337581

Summary: SELinux prevents samba from reading symlinks and FIFOs over NFS
Product: [Fedora] Fedora Reporter: Leonid Zeitlin <lz>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 7   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-10-18 21:30:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Leonid Zeitlin 2007-10-18 09:32:12 UTC 
Description of problem:
I have an nfs-mounted directory exported via Samba. SELinux boolean 
samba_share_nfs is on. Regular files and directories are exported OK. But 
symlinks and FIFOs are not visible through Samba. The following denials are 
logged in audit log:

type=AVC msg=audit(1192631695.305:14032): avc:  denied  { getattr } for  pid=295
92 comm="smbd" name="fifo" dev=0:17 ino=2474040 scontext=root:system_r:smbd_t:s0
 tcontext=system_u:object_r:nfs_t:s0 tclass=fifo_file

type=AVC msg=audit(1192631695.305:14033): avc:  denied  { read } for  pid=29592
comm="smbd" name="customers" dev=0:17 ino=2474374 scontext=root:system_r:smbd_t:
s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file

When SELinux is in permissive mode these files are visible and accessible 
through Samba.

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-48.fc7
selinux-policy-targeted-2.6.4-48.fc7

How reproducible:
Always

Steps to Reproduce:
1. Mount a directory via NFS
2. Export this directory via Samba
3. Create a symlink or a fifo in this directory
4. Try to access the directory from a Samba client (e.g. from Windows)
  
Actual results:
Symlinks and fifos are not visible to Samba clients

Expected results:
Symlinks and fifos are visible to Samba clients as regular files


Additional info:
There's the following code in samba.te:

# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
        fs_manage_nfs_dirs(smbd_t)
        fs_manage_nfs_files(smbd_t)
')

Is there a reason why fs_manage_nfs_symlinks, fs_manage_nfs_named_pipes, 
fs_manage_nfs_named_sockets are not specified here?
Comment 1 Daniel Walsh 2007-10-18 14:23:17 UTC 
Well theoretically no.  

Does samba allow me to create pipes, sockets, or symlinks?

Or should we just allow it to getattr, read them so the remote machine can see them.
Comment 2 Leonid Zeitlin 2007-10-18 14:55:04 UTC 
I don't think Samba allows to create pipes, sockets or symlinks. But once they 
are there (created on the Linux machine directly), I think Samba should show 
them. It may be useful to use a symlink on a Samba share as shortcut to some 
other file. I fact I do use symlinks on a Samba share for such purpose.
Comment 3 Daniel Walsh 2007-10-18 20:00:54 UTC 
Fixed in selinux-policy-3.0.8-25
Comment 4 Leonid Zeitlin 2007-10-18 20:15:57 UTC 
This is for F8, right? What about F7?
Comment 5 Daniel Walsh 2007-10-18 21:29:10 UTC 
selinux-policy-2.6.4-49
Comment 6 Daniel Walsh 2007-10-18 21:30:03 UTC 

*** This bug has been marked as a duplicate of 335621 ***