Bug 468315
Summary: | Wrong suggestion when export is labeled default_t type | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Murray McAllister <mmcallis> | ||||
Component: | setroubleshoot | Assignee: | Daniel Walsh <dwalsh> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | low | Docs Contact: | |||||
Priority: | low | ||||||
Version: | 10 | CC: | dwalsh, jdennis, mgrepl, vdanen | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2009-09-06 07:15:03 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
This is actually two bugs. setsebool -P samba_export_all_ro=1 Should have worked. Fixed in selinux-policy-3.5.13-15 Plugin should have suggested the relabel Fixed in setroubleshoot-plugins-2.0.11-1. This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping When export is labeled with the default_t type, and samba_export_all_ro is on, no denials occur when mounting and viewing files. When smb.conf is configured to allow write access, export labeled default_t, and samba_export_all_ro Boolean is on, attempting to write causes a denial and suggests labeling the export with samba_share_t type. $ rpm -q selinux-policy setroubleshoot-plugins selinux-policy-3.5.13-44.fc10.noarch setroubleshoot-plugins-2.0.12-1.fc10.noarch |
Created attachment 321366 [details] mount tests from Rawhide and F9, and denials. I did not know the correct component to assign this to, sorry. Description of problem: I have: * "samba_export_all_ro --> on" * export directory and local mount point use the "default_t" type (before mounting the export) * mount reports the file system mounted: "//localhost/test on /test type cifs (rw,mand)" Accessing the share (ls) causes an "ls: reading directory .: Permission denied" error, and the following is logged to "/var/log/messages": localhost setroubleshoot: SELinux is preventing the samba daemon from serving r/o local files to remote clients. For complete SELinux messages. run sealert -l 87bb086e-3b17-46f3-ad8f-6ee7365378f4 This suggests using "setsebool -P samba_export_all_ro=1" to resolve the issue (which is already on). Version-Release number of selected component (if applicable): setroubleshoot-plugins-2.0.9-1.fc10.noarch setroubleshoot-server-2.0.12-1.fc10.noarch policycoreutils-2.0.57-4.fc10.i386 selinux-policy-3.5.13-4.fc10.noarch libselinux-utils-2.0.73-1.fc10.i386 libselinux-python-2.0.73-1.fc10.i386 selinux-policy-targeted-3.5.13-4.fc10.noarch libselinux-2.0.73-1.fc10.i386 kernel-2.6.27.3-39.fc10.i686 samba-winbind-3.2.4-0.22.fc10.i386 samba-client-3.2.4-0.22.fc10.i386 samba-3.2.4-0.22.fc10.i386 samba-common-3.2.4-0.22.fc10.i386 rpcbind-0.1.6-2.fc10.i386 How reproducible: Always. Steps to Reproduce: 1. See attached. Actual results: Told to use "setsebool -P samba_export_all_ro=1" Expected results: Told to relabel with samba_share_t (same as F9) Additional info: Rawhide denial: Plugin Name samba_export_all_ro F9 denial: Plugin Name samba_share Maybe this is the problem? All other Samba booleans (getsebool -a | grep samba) except for "samba_run_unconfined" are off. See attached for tests.