Bug 144513 – RFE: Prompt user to relabel samba share

Bug 144513 - RFE: Prompt user to relabel samba share

Summary:	RFE: Prompt user to relabel samba share

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	system-config-samba (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Nils Philippsen
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:	FutureFeature

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2005-01-07 16:18 EST by Ivan Gyurdiev
Modified:	2007-11-30 17:10 EST (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2006-09-27 19:46:34 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Ivan Gyurdiev 2005-01-07 16:18:49 EST

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
It would be nice if system-config-samba asked the user if he/she
would like to relabel shares to samba_share_t if selinux is 
turned on, and the shares cannot be accessed by smbd.

dwalsh@redhat.com:

>Excellent. Where can I find such information in the future?
>There must be a better way of communicating to the user what 
>the needed contexts are instead of looking at the policy
>(which is in binary form on my machine).
>How about integrating some sort of check in 
>system-config-samba that asks if it should
>relabel those shares for you when you add them?
>
>Or some sort of document (for Samba) like the one for HTTP that 
>kwade@redhat.com mentioned.
>
>Also, what about home directories?
>
>  
>
Sounds like a good idea.  Could you submit a bugzilla.  Thanks.


Version-Release number of selected component (if applicable):
N/A

How reproducible:
Always

Steps to Reproduce:
1. See summary
    

Additional info:

Comment 1 Ivan Gyurdiev 2005-02-10 00:05:42 EST

I should note that samba_share_t is now a customizable file type
in selinux, which means it will survive a restorecon.

What's the status of this bug?

Comment 2 Daniel Walsh 2005-02-10 09:54:31 EST

This is not as easy as it seems.  What happens if a labeled part of
the system wants to be shared via samba.  IE I want to share /var/log.
 I don't want to relabel that samba_share_t.

Dan

Comment 3 Ivan Gyurdiev 2005-02-10 12:27:59 EST

Well, if you don't relabel it, it won't work properly.
Maybe the user should be warned if relabeling from a system
context. 

I was interested in a way to autogenerate mixed types on the fly
that merge access rules. Someone wrote a script for that on the 
selinux list, but the discussion didn't go anywhere from there.

Comment 4 Nils Philippsen 2006-09-19 09:37:38 EDT

Is this still an issue and is it solvable in s-c-samba?

Comment 5 Daniel Walsh 2006-09-19 10:22:55 EDT

Yes the place to solve this is s-c-samba.

Basically if you create a new directory tree that you wish to share via samba
(Not Home Directory or existing files, you should label it samba_share_t.)

Might not be as big a problem since setroubleshoot tells the user the same thing.

Dan

Comment 6 Nils Philippsen 2006-09-20 04:23:18 EDT

Is this type consistent throughout all the policies we offer (not only the one
we support, i.e. targeted)?

Comment 7 Daniel Walsh 2006-09-20 08:59:36 EDT

Yes, the problem is s-c-samba figuring out whether to relabel the directory tree
or not.  I am thinking we may want to punt on this and allow setroubleshoot to
handle it.  Or at most advise them of what SELinux would require.

You can look at man selinux_samba for a good definition of what SELinux will do
with samba.

Note You need to log in before you can comment on or make changes to this bug.