Bug 144513 - RFE: Prompt user to relabel samba share
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: system-config-samba
Version: rawhide
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Nils Philippsen
Keywords: FutureFeature
Reported: 2005-01-07 16:18 EST by Ivan Gyurdiev
Modified: 2007-11-30 17:10 EST
Doc Type: Enhancement
Last Closed: 2006-09-27 19:46:34 EDT
Description Ivan Gyurdiev 2005-01-07 16:18:49 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
It would be nice if system-config-samba asked the user if he/she
would like to relabel shares to samba_share_t if selinux is 
turned on, and the shares cannot be accessed by smbd.

dwalsh@redhat.com:

>Excellent. Where can I find such information in the future?
>There must be a better way of communicating to the user what 
>the needed contexts are instead of looking at the policy
>(which is in binary form on my machine).
>How about integrating some sort of check in 
>system-config-samba that asks if it should
>relabel those shares for you when you add them?
>
>Or some sort of document (for Samba) like the one for HTTP that 
>kwade@redhat.com mentioned.
>
>Also, what about home directories?
>
>  
>
Sounds like a good idea.  Could you submit a bugzilla.  Thanks.


Version-Release number of selected component (if applicable):
N/A

How reproducible:
Always

Steps to Reproduce:
1. See summary
    

Additional info:
Comment 1 Ivan Gyurdiev 2005-02-10 00:05:42 EST
I should note that samba_share_t is now a customizable file type
in selinux, which means it will survive a restorecon.

What's the status of this bug?
Comment 2 Daniel Walsh 2005-02-10 09:54:31 EST
This is not as easy as it seems.  What happens if a labeled part of
the system wants to be shared via samba?  I.e., I want to share /var/log.
I don't want to relabel that samba_share_t.

Dan
Comment 3 Ivan Gyurdiev 2005-02-10 12:27:59 EST
Well, if you don't relabel it, it won't work properly.
Maybe the user should be warned if relabeling from a system
context. 

I was interested in a way to autogenerate mixed types on the fly
that merge access rules. Someone wrote a script for that on the 
selinux list, but the discussion didn't go anywhere from there.
Comment 4 Nils Philippsen 2006-09-19 09:37:38 EDT
Is this still an issue and is it solvable in s-c-samba?
Comment 5 Daniel Walsh 2006-09-19 10:22:55 EDT
Yes the place to solve this is s-c-samba.

Basically if you create a new directory tree that you wish to share via samba
(not home directory or existing files), you should label it samba_share_t.

Might not be as big a problem since setroubleshoot tells the user the same thing.

Dan
Comment 6 Nils Philippsen 2006-09-20 04:23:18 EDT
Is this type consistent throughout all the policies we offer (not only the one
we support, i.e. targeted)?
Comment 7 Daniel Walsh 2006-09-20 08:59:36 EDT
Yes, the problem is s-c-samba figuring out whether to relabel the directory tree
or not.  I am thinking we may want to punt on this and allow setroubleshoot to
handle it.  Or at most advise them of what SELinux would require.

You can look at man selinux_samba for a good definition of what SELinux will do
with samba.
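
The decision discussed in Comments 2, 3 and 5 (relabel a new tree, leave home directories alone, only warn for paths that already carry a system type), sketched as an added example that is not code from system-config-samba or from anyone in this thread. The `GENERIC_TYPES` set, the `/home` root and the function names are assumptions made for illustration.

```python
import posixpath
import shlex
from pathlib import PurePosixPath

SHARE_TYPE = "samba_share_t"
# Assumption: types that mean "no specific label yet" (new directory trees).
GENERIC_TYPES = {"default_t", "unlabeled_t", "file_t"}
HOME_TYPES = {"user_home_t", "user_home_dir_t"}
HOME_ROOT = PurePosixPath("/home")  # assumption: default home location


def selinux_type(context):
    """Return the type field of a 'user:role:type[:range]' context."""
    fields = context.strip().split(":", 3)  # an MLS range may contain ':'
    if len(fields) < 3 or not fields[2]:
        raise ValueError("not an SELinux context: %r" % context)
    return fields[2]


def advise(path, context):
    """Return (verdict, message) for sharing `path`, currently labeled `context`."""
    p = PurePosixPath(posixpath.normpath(path))
    current = selinux_type(context)
    if current == SHARE_TYPE:
        return "ok", "%s is already %s" % (p, SHARE_TYPE)
    # Home directories are excluded from relabeling (Comment 5).
    if current in HOME_TYPES or p == HOME_ROOT or HOME_ROOT in p.parents:
        return "keep", "%s is a home directory; leave its label alone" % p
    if current in GENERIC_TYPES:
        cmd = "chcon -R -t %s %s" % (SHARE_TYPE, shlex.quote(str(p)))
        return "relabel", "new share tree; suggested command: " + cmd
    # Anything else carries a type some other policy depends on (e.g. /var/log).
    return "warn", "%s is labeled %s; warn instead of relabeling" % (p, current)


if __name__ == "__main__":
    # Constructed sample: (path, context as printed by `ls -Zd`).
    samples = [
        ("/srv/new share", "system_u:object_r:default_t:s0"),
        ("/var/log", "system_u:object_r:var_log_t:s0"),
        ("/home/alice/pub", "unconfined_u:object_r:user_home_t:s0"),
        ("/srv/export", "system_u:object_r:samba_share_t:s0"),
    ]
    for path, ctx in samples:
        print("%-8s %s" % advise(path, ctx))
```

On a live system the context string would come from `ls -Zd PATH` or `stat -c %C PATH`.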
