Bug 337581
| Summary: | SELinux prevents samba from reading symlinks and FIFOs over NFS | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Leonid Zeitlin <lz> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 7 | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-10-18 21:30:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Well theoretically no. Does samba allow me to create pipes, sockets, or symlinks? Or should we just allow it to getattr, read them so the remote machine can see them?

I don't think Samba allows creating pipes, sockets or symlinks. But once they are there (created on the Linux machine directly), I think Samba should show them. It may be useful to use a symlink on a Samba share as a shortcut to some other file. In fact I do use symlinks on a Samba share for such a purpose.

Fixed in selinux-policy-3.0.8-25

This is for F8, right? What about F7?

selinux-policy-2.6.4-49
Description of problem:
I have an nfs-mounted directory exported via Samba. SELinux boolean samba_share_nfs is on. Regular files and directories are exported OK. But symlinks and FIFOs are not visible through Samba. The following denials are logged in audit log:

```
type=AVC msg=audit(1192631695.305:14032): avc: denied { getattr } for pid=29592 comm="smbd" name="fifo" dev=0:17 ino=2474040 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=fifo_file
type=AVC msg=audit(1192631695.305:14033): avc: denied { read } for pid=29592 comm="smbd" name="customers" dev=0:17 ino=2474374 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file
```

When SELinux is in permissive mode these files are visible and accessible through Samba.

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-48.fc7
selinux-policy-targeted-2.6.4-48.fc7

How reproducible:
Always

Steps to Reproduce:
1. Mount a directory via NFS
2. Export this directory via Samba
3. Create a symlink or a fifo in this directory
4. Try to access the directory from a Samba client (e.g. from Windows)

Actual results:
Symlinks and fifos are not visible to Samba clients

Expected results:
Symlinks and fifos are visible to Samba clients as regular files

Additional info:
There's the following code in samba.te:

```
# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
	fs_manage_nfs_dirs(smbd_t)
	fs_manage_nfs_files(smbd_t)
')
```

Is there a reason why fs_manage_nfs_symlinks, fs_manage_nfs_named_pipes, fs_manage_nfs_named_sockets are not specified here?
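
Added example, not part of the original report or of selinux-policy: a small Python parser that groups AVC denials like the two quoted above by source type, target type and object class, and prints the narrowest `allow` rule each group implies. This is useful when weighing read-only access against the broader `fs_manage_nfs_*` interfaces. It is a simplified stand-in for what `audit2allow` does; the function names are illustrative.

```python
import re
from collections import defaultdict

# The two AVC records from the report above, each rejoined onto one line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1192631695.305:14032): avc: denied { getattr } for pid=29592 comm="smbd" name="fifo" dev=0:17 ino=2474040 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=fifo_file
type=AVC msg=audit(1192631695.305:14033): avc: denied { read } for pid=29592 comm="smbd" name="customers" dev=0:17 ino=2474374 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or wrapped record: skip rather than guess
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(context):
    """Extract the type field from a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        denied[key].update(rec["perms"])
    return denied

def allow_rules(denied):
    """Render one allow rule per group, with permissions sorted and merged."""
    rules = []
    for (src, tgt, cls), perms in sorted(denied.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE_AUDIT_LOG))))
```
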