| Summary: | SELinux prevents smbd (smbd_t) from setattr access on the home directory (user_home_dir_t) | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Phil Anderson <pza> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2 | CC: | dwalsh, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-02-01 08:09:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:

Even with samba_enable_home_dirs enabled, Samba is unable to set attributes on files:

```
type=AVC msg=audit(1327966909.464:33529): avc: denied { setattr } for pid=13430 comm="smbd" name="bursar" dev=dm-3 ino=3932161 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
```

I haven't been able to confirm as I don't have a test environment, but I suspect this may only occur when extended attributes are enabled in smb.conf:

```
ea support = yes
```

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.7.19-126.el6_2.4.noarch

setroubleshootd suggests enabling samba_export_all_rw, but this is too much. setattr should be included in samba_enable_home_dirs.

---

```
# sesearch -s smbd_t -t user_home_dir_t -c dir -p setattr --allow -C
Found 1 semantic av rules:
DT allow smbd_t user_home_dir_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ samba_export_all_rw ]
#
```

The access is allowed if the samba_export_all_rw boolean is enabled. You can use it as a workaround if you understand that the boolean allows other accesses too.

```
# semanage boolean -l | grep samba_export_all_rw
samba_export_all_rw -> off Allow samba to share any file/directory read/write.
#
```

What is "bursar"? Is it your user? Or is it a subdirectory in /home/<username>/?

---

It is a directory.

---

In this case you will need to run the restorecon command too.

```
# restorecon -R -v /home/<username>
# setsebool -P samba_enable_home_dirs 1
```
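The triage step the maintainer performs above, reading the AVC record, querying `sesearch -C` for rules that would grant the denied permission, and noting which boolean gates the only matching rule, can be automated for the case where many denials arrive at once. The following Python script is an added example, not code from the bug report or from the selinux-policy project: it parses the AVC line and the `sesearch` output quoted in this report (both embedded here as constructed sample input) and reports whether the denied permission is granted unconditionally or only behind a boolean. It only explains what the policy query shows; whether a given boolean is an acceptably narrow fix, as the reporter questions for samba_export_all_rw, remains the administrator's call.

```python
"""Triage an SELinux AVC denial against `sesearch` output.

Added example (not from the bug report or the selinux-policy project): given
an AVC record and the text printed by `sesearch -C`, work out whether the
denied permission is granted by any matching rule and, if the rule is
conditional, which boolean gates it.
"""
import re
from dataclasses import dataclass

# Constructed input: the AVC record quoted in the bug description.
AVC_LINE = (
    'type=AVC msg=audit(1327966909.464:33529): avc: denied { setattr } for pid=13430 '
    'comm="smbd" name="bursar" dev=dm-3 ino=3932161 '
    'scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'
)

# Constructed input: the conditional rule sesearch printed in the report.
SESEARCH_OUTPUT = """Found 1 semantic av rules:
DT allow smbd_t user_home_dir_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ samba_export_all_rw ]
"""


@dataclass
class Denial:
    perms: set
    source_type: str
    target_type: str
    tclass: str
    comm: str = ""
    name: str = ""


@dataclass
class AvRule:
    source: str
    target: str
    tclass: str
    perms: set
    booleans: tuple = ()  # empty tuple means the rule is unconditional


_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Optional leading flag letters (e.g. "DT"), then allow SRC TGT : CLASS PERMS ; [ bools ]
_RULE_RE = re.compile(
    r"^(?:[A-Z]+\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;"
    r"(?:\s*\[\s*(?P<bools>[^\]]*)\])?"
)


def _type_of(context):
    """The third field of user:role:type[:level] is the SELinux type."""
    return context.split(":")[2]


def parse_avc(line):
    """Extract denied permissions, source/target types and object class from an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    comm = re.search(r'comm="([^"]*)"', line)
    name = re.search(r'name="([^"]*)"', line)
    return Denial(
        perms=set(m["perms"].split()),
        source_type=_type_of(m["scon"]),
        target_type=_type_of(m["tcon"]),
        tclass=m["tclass"],
        comm=comm.group(1) if comm else "",
        name=name.group(1) if name else "",
    )


def parse_sesearch(text):
    """Parse allow rules from sesearch output; header lines are skipped."""
    rules = []
    for raw in text.splitlines():
        m = _RULE_RE.match(raw.strip())
        if not m:
            continue
        perms = set(m["perms"].split()) if m["perms"] else {m["perm"]}
        bools = tuple(m["bools"].split()) if m["bools"] else ()
        rules.append(AvRule(m["src"], m["tgt"], m["cls"], perms, bools))
    return rules


def explain_denial(avc_line, sesearch_text):
    """Report which denied perms some rule grants outright and which booleans gate the rest."""
    d = parse_avc(avc_line)
    report = {"denied": d.perms, "unconditional": set(), "booleans": []}
    for r in parse_sesearch(sesearch_text):
        if (r.source, r.target, r.tclass) != (d.source_type, d.target_type, d.tclass):
            continue
        granted = d.perms & r.perms
        if not granted:
            continue
        if r.booleans:
            for b in r.booleans:
                if b not in report["booleans"]:
                    report["booleans"].append(b)
        else:
            report["unconditional"] |= granted
    return report


if __name__ == "__main__":
    print(explain_denial(AVC_LINE, SESEARCH_OUTPUT))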