Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 144513 - RFE: Prompt user to relabel samba share
RFE: Prompt user to relabel samba share
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: system-config-samba (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nils Philippsen
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-01-07 16:18 EST by Ivan Gyurdiev
Modified: 2007-11-30 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-09-27 19:46:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Ivan Gyurdiev 2005-01-07 16:18:49 EST 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
It would be nice if system-config-samba asked the user if he/she
would like to relabel shares to samba_share_t if selinux is 
turned on, and the shares cannot be accessed by smbd.

dwalsh@redhat.com:

>Excellent. Where can I find such information in the future?
>There must be a better way of communicating to the user what 
>the needed contexts are instead of looking at the policy
>(which is in binary form on my machine).
>How about integrating some sort of check in 
>system-config-samba that asks if it should
>relabel those shares for you when you add them?
>
>Or some sort of document (for Samba) like the one for HTTP that 
>kwade@redhat.com mentioned.
>
>Also, what about home directories?
>
>  
>
Sounds like a good idea.  Could you submit a bugzilla.  Thanks.


Version-Release number of selected component (if applicable):
N/A

How reproducible:
Always

Steps to Reproduce:
1. See summary
    

Additional info:
Comment 1 Ivan Gyurdiev 2005-02-10 00:05:42 EST 
I should note that samba_share_t is now a customizable file type
in selinux, which means it will survive a restorecon.

What's the status of this bug?
Comment 2 Daniel Walsh 2005-02-10 09:54:31 EST 
This is not as easy as it seems.  What happens if a labeled part of
the system wants to be shared via samba.  IE I want to share /var/log.
 I don't want to relabel that samba_share_t.

Dan
Comment 3 Ivan Gyurdiev 2005-02-10 12:27:59 EST 
Well, if you don't relabel it, it won't work properly.
Maybe the user should be warned if relabeling from a system
context. 

I was interested in a way to autogenerate mixed types on the fly
that merge access rules. Someone wrote a script for that on the 
selinux list, but the discussion didn't go anywhere from there.
Comment 4 Nils Philippsen 2006-09-19 09:37:38 EDT 
Is this still an issue and is it solvable in s-c-samba?
Comment 5 Daniel Walsh 2006-09-19 10:22:55 EDT 
Yes the place to solve this is s-c-samba.

Basically if you create a new directory tree that you wish to share via samba
(Not Home Directory or existing files, you should label it samba_share_t.)

Might not be as big a problem since setroubleshoot tells the user the same thing.

Dan
Comment 6 Nils Philippsen 2006-09-20 04:23:18 EDT 
Is this type consistent throughout all the policies we offer (not only the one
we support, i.e. targeted)?
Comment 7 Daniel Walsh 2006-09-20 08:59:36 EDT 
Yes, the problem is s-c-samba figuring out whether to relabel the directory tree
or not.  I am thinking we may want to punt on this and allow setroubleshoot to
handle it.  Or at most advise them of what SELinux would require.

You can look at man selinux_samba for a good definition of what SELinux will do
with samba.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.