From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
It would be nice if system-config-samba asked the user if he/she would like to relabel shares to samba_share_t if selinux is turned on, and the shares cannot be accessed by smbd.

dwalsh:
>Excellent. Where can I find such information in the future?
>There must be a better way of communicating to the user what
>the needed contexts are instead of looking at the policy
>(which is in binary form on my machine).
>How about integrating some sort of check in
>system-config-samba that asks if it should
>relabel those shares for you when you add them?
>
>Or some sort of document (for Samba) like the one for HTTP that
>kwade mentioned.
>
>Also, what about home directories?
>
Sounds like a good idea. Could you submit a bugzilla. Thanks.

Version-Release number of selected component (if applicable): N/A

How reproducible: Always

Steps to Reproduce:
1. See summary

Additional info:
I should note that samba_share_t is now a customizable file type in selinux, which means it will survive a restorecon. What's the status of this bug?
This is not as easy as it seems. What happens if a labeled part of the system wants to be shared via samba? I.e., I want to share /var/log. I don't want to relabel that samba_share_t. Dan
Well, if you don't relabel it, it won't work properly. Maybe the user should be warned if relabeling from a system context. I was interested in a way to autogenerate mixed types on the fly that merge access rules. Someone wrote a script for that on the selinux list, but the discussion didn't go anywhere from there.
Is this still an issue and is it solvable in s-c-samba?
Yes, the place to solve this is s-c-samba. Basically, if you create a new directory tree that you wish to share via samba (not home directories or existing files), you should label it samba_share_t. Might not be as big a problem since setroubleshoot tells the user the same thing. Dan
Is this type consistent throughout all the policies we offer (not only the one we support, i.e. targeted)?
Yes, the problem is s-c-samba figuring out whether to relabel the directory tree or not. I am thinking we may want to punt on this and allow setroubleshoot to handle it. Or at most advise them of what SELinux would require. You can look at man selinux_samba for a good definition of what SELinux will do with samba.
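
One way a share tool could make the relabel-or-warn decision discussed in this thread, as an added example that is not code from system-config-samba or from any commenter. The GENERIC_TYPES and HOME_TYPES sets, the result strings, and the sample smb.conf are assumptions made for illustration.

```python
import os

SAMBA_TYPE = "samba_share_t"
# Assumption (not from the thread): types treated as generic, so relabeling is safe.
GENERIC_TYPES = {"default_t", "file_t", "unlabeled_t"}
# Assumption: types that mark home directories, which the thread says to leave alone.
HOME_TYPES = {"user_home_dir_t", "user_home_t"}
# Constructed smb.conf fragment for illustration.
SAMPLE_CONF = """
[homes]
[projects]
   path = /srv/projects
[logs]
   path = /var/log
[public]
   path = /srv/public
"""

def share_paths(conf_text):
    """Map share name -> path for every section that sets 'path'."""
    shares, section = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "path":
                shares[section] = value
    return shares

def selinux_type(path):
    """Type field of the path's SELinux label, or None if it cannot be read."""
    try:
        fields = os.getxattr(path, "security.selinux").rstrip(b"\0").decode().split(":")
    except OSError:
        return None
    return fields[2] if len(fields) >= 3 else None

def advise(path, lookup=selinux_type):
    """Decide what a share tool should do about one share path."""
    ctx_type = lookup(path)
    if ctx_type is None:
        return "unknown"  # label unreadable: SELinux off or path missing
    if ctx_type == SAMBA_TYPE:
        return "ok"
    if ctx_type in HOME_TYPES:
        return "skip-home"
    # Specific system types such as var_log_t get a warning, never a relabel.
    return "offer-relabel" if ctx_type in GENERIC_TYPES else "warn-only"
```

Passing a dictionary's `get` method as `lookup` lets the decision logic be exercised without a labeled filesystem.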