Bug 144513 - RFE: Prompt user to relabel samba share
Summary: RFE: Prompt user to relabel samba share
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-samba   
(Show other bugs)
Version: rawhide
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nils Philippsen
QA Contact:
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-01-07 21:18 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:10 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-09-27 23:46:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Ivan Gyurdiev 2005-01-07 21:18:49 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
It would be nice if system-config-samba asked the user if he/she
would like to relabel shares to samba_share_t if selinux is 
turned on, and the shares cannot be accessed by smbd.

dwalsh@redhat.com:

>Excellent. Where can I find such information in the future?
>There must be a better way of communicating to the user what 
>the needed contexts are instead of looking at the policy
>(which is in binary form on my machine).
>How about integrating some sort of check in 
>system-config-samba that asks if it should
>relabel those shares for you when you add them?
>
>Or some sort of document (for Samba) like the one for HTTP that 
>kwade@redhat.com mentioned.
>
>Also, what about home directories?
>
>  
>
Sounds like a good idea.  Could you submit a bugzilla.  Thanks.


Version-Release number of selected component (if applicable):
N/A

How reproducible:
Always

Steps to Reproduce:
1. See summary
    

Additional info:

Comment 1 Ivan Gyurdiev 2005-02-10 05:05:42 UTC
I should note that samba_share_t is now a customizable file type
in selinux, which means it will survive a restorecon.

What's the status of this bug?


Comment 2 Daniel Walsh 2005-02-10 14:54:31 UTC
This is not as easy as it seems.  What happens if a labeled part of
the system wants to be shared via samba.  IE I want to share /var/log.
 I don't want to relabel that samba_share_t.

Dan

Comment 3 Ivan Gyurdiev 2005-02-10 17:27:59 UTC
Well, if you don't relabel it, it won't work properly.
Maybe the user should be warned if relabeling from a system
context. 

I was interested in a way to autogenerate mixed types on the fly
that merge access rules. Someone wrote a script for that on the 
selinux list, but the discussion didn't go anywhere from there.

Comment 4 Nils Philippsen 2006-09-19 13:37:38 UTC
Is this still an issue and is it solvable in s-c-samba?

Comment 5 Daniel Walsh 2006-09-19 14:22:55 UTC
Yes the place to solve this is s-c-samba.

Basically if you create a new directory tree that you wish to share via samba
(Not Home Directory or existing files, you should label it samba_share_t.)

Might not be as big a problem since setroubleshoot tells the user the same thing.

Dan

Comment 6 Nils Philippsen 2006-09-20 08:23:18 UTC
Is this type consistent throughout all the policies we offer (not only the one
we support, i.e. targeted)?

Comment 7 Daniel Walsh 2006-09-20 12:59:36 UTC
Yes, the problem is s-c-samba figuring out whether to relabel the directory tree
or not.  I am thinking we may want to punt on this and allow setroubleshoot to
handle it.  Or at most advise them of what SELinux would require.

You can look at man selinux_samba for a good definition of what SELinux will do
with samba.


Note You need to log in before you can comment on or make changes to this bug.