Red Hat Bugzilla – Bug 144513
RFE: Prompt user to relabel samba share
Last modified: 2007-11-30 17:10:57 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8
Description of problem:
It would be nice if system-config-samba asked the user if he/she
would like to relabel shares to samba_share_t if selinux is
turned on, and the shares cannot be accessed by smbd.
>Excellent. Where can I find such information in the future?
>There must be a better way of communicating to the user what
>the needed contexts are instead of looking at the policy
>(which is in binary form on my machine).
>How about integrating some sort of check in
>system-config-samba that asks if it should
>relabel those shares for you when you add them?
>Or some sort of document (for Samba) like the one for HTTP that
>Also, what about home directories?
Sounds like a good idea. Could you submit a bugzilla? Thanks.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. See summary
I should note that samba_share_t is now a customizable file type
in selinux, which means it will survive a restorecon.
What's the status of this bug?
This is not as easy as it seems. What happens if a labeled part of
the system wants to be shared via samba? I.e., I want to share /var/log.
I don't want to relabel that samba_share_t.
Well, if you don't relabel it, it won't work properly.
Maybe the user should be warned if relabeling from a system
I was interested in a way to autogenerate mixed types on the fly
that merge access rules. Someone wrote a script for that on the
selinux list, but the discussion didn't go anywhere from there.
Is this still an issue and is it solvable in s-c-samba?
Yes the place to solve this is s-c-samba.
Basically, if you create a new directory tree that you wish to share via samba
(not a home directory or existing files), you should label it samba_share_t.
Might not be as big a problem since setroubleshoot tells the user the same thing.
Is this type consistent throughout all the policies we offer (not only the one
we support, i.e. targeted)?
Yes, the problem is s-c-samba figuring out whether to relabel the directory tree
or not. I am thinking we may want to punt on this and allow setroubleshoot to
handle it. Or at most advise them of what SELinux would require.
You can look at man selinux_samba for a good definition of what SELinux will do
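
The "advise rather than relabel" decision discussed in this thread, sketched in Python as an added example; it is not part of the bug report and is not system-config-samba code. The function names and the sets of "generic" and "home" types are assumptions made for illustration.

```python
import os
import shlex

# Assumption (not from the thread): which types count as generic or as home content.
GENERIC_TYPES = {"default_t", "file_t", "unlabeled_t"}
HOME_TYPES = {"user_home_t", "user_home_dir_t"}
SHARE_TYPE = "samba_share_t"

def selinux_type(context):
    """Return the type field of 'user:role:type[:level]'; the level may contain ':'."""
    fields = context.rstrip("\x00\n").split(":", 3)
    if len(fields) < 3 or not fields[2]:
        raise ValueError("not an SELinux context: %r" % context)
    return fields[2]

def read_context(path):
    """Read the label from the security.selinux xattr; None if there is none."""
    try:
        return os.getxattr(path, "security.selinux").decode()
    except (OSError, AttributeError):  # no label, no SELinux, or non-Linux
        return None

def advise(path, context):
    """Return (action, message) for a directory that is about to be shared."""
    if context is None:
        return ("unknown", "%s has no SELinux label; nothing to advise" % path)
    t = selinux_type(context)
    if t == SHARE_TYPE:
        return ("ok", "%s is already %s" % (path, SHARE_TYPE))
    if t in HOME_TYPES:
        return ("keep", "%s is home directory content (%s); leave its label" % (path, t))
    if t in GENERIC_TYPES:
        # Quote the path so the suggested command is safe to paste.
        return ("relabel", "chcon -R -t %s %s" % (SHARE_TYPE, shlex.quote(path)))
    return ("warn", "%s is labeled %s for another part of the system; "
                    "do not relabel it automatically" % (path, t))

# Constructed sample contexts, not taken from a real system.
SAMPLES = [
    ("/srv/share", "system_u:object_r:default_t:s0"),
    ("/var/log", "system_u:object_r:var_log_t:s0:c0.c1023"),
    ("/home/alice", "user_u:object_r:user_home_dir_t\x00"),
    ("/srv/pub", "system_u:object_r:samba_share_t:s0"),
]

if __name__ == "__main__":
    for p, ctx in SAMPLES:
        print(advise(p, ctx))
```

On a live system, `advise(path, read_context(path))` applies the same check to the label actually stored on the directory.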