Bug 423811
Summary: | SELinux should allow access to Samba shares from any internal client. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dick Gingras <dgingras> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 8 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2007-12-13 19:42:24 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Dick Gingras
2007-12-13 18:20:59 UTC
The hole idea of SELinux is not to trust the application. So doing something that samba will enforce is not good enough. SELinux is based on rules or what the daemon is allowed to do based on the security constraints of the machine. SELinux currently does not have a any idea of what the routing rules of the machine are. THere is some effort going into allowing the labeling of packets as they flow through the kernel but this is not supported yet. That leaves an untenable situation - you must turn on samba_export_all_ro to allow access to Samba shares from a virtual machine, which also allows access from ANY client, even those outside the LAN. An inexperienced user/admin will likely turn on the sebool without considering further implications, potentially leaving a huge security hole. Seems to me the samba_export sebool should be split into two, one for "local" and one for "remote" share access, with appropriate documentation to give the user a clue about the implications of each. Well not really. SELinux is a layer on top of other security including samba itself. You also have firewall rules. So You can prevent the rest of the world from reading any samba shares by turning off samba ports from non local networks. There is not vulnerability here other then the equivalent of selinux being disabled or permissive mode. From SELinux point of view, A network connection comes into smbd/nmbd and they attempt to satisfy the action. Either selinux allows smbd/nmbd to read the share or not. The job of protecting the network access is the firewall/iptables. |