Description of problem: While not the best configuration, we share some nfs mounts via samba. I see the following avc denied messages:

time->Wed Oct 5 10:38:47 2005
type=PATH msg=audit(1128530327.948:62045): item=0 name="turb8/rbs/radar03Spectra" flags=103 inode=831810 dev=00:1d mode=040771 ouid=675 ogid=1001 rdev=00:00
type=CWD msg=audit(1128530327.948:62045): cwd="/data"
type=SYSCALL msg=audit(1128530327.948:62045): arch=40000003 syscall=5 success=yes exit=27 a0=946c498 a1=18800 a2=0 a3=9405ee0 items=1 pid=10164 auid=4294967295 uid=675 gid=0 euid=675 suid=0 fsuid=675 egid=1001 sgid=1001 fsgid=1001 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1128530327.948:62045): avc: denied { read } for pid=10164 comm="smbd" name="radar03Spectra" dev=0:1d ino=831810 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:nfs_t tclass=dir

Perhaps we need some combination of use_nfs_home_dirs and use_samba_home_dirs, though in this particular case the directories are not "home dirs" per se, just disks on remote fileservers that people store their data on. Maybe a samba_share_nfs boolean?

Version-Release number of selected component (if applicable): selinux-policy-targeted-1.27.1-2.3
Can you use the context=system_u:object_r:samba_share_t on the nfs mount?

mount -o context=system_u:object_r:samba_share_t server:nfs /mnt/nfs
Is this going to conflict with other possible uses of the nfs mounted directories? Samba is not the primary mode of access.
Also, these are done via automount NIS maps shared on all machines, but only on exports via samba. Not sure I want the context to be samba_share_t on all machines...
Yes, this is not a good solution for you. You might want to add r_dir_file(smbd_t, nfs_t) or rw_dir_file(smbd_t, nfs_t) to a local.te file and rebuild policy sources. Then we can bring up a discussion on the general list if this functionality should get into the general policy.
Another thought might be to mount as system_u:object_r:user_home_t since I'm already using use_samba_home_dirs.
Fixed in selinux-policy-*-1.27.1-2.6
Really? What was the fix? I don't see any reference to smbd_t and nfs_t in policy.conf.
Sorry, accidentally grabbed the wrong bugzilla for a global change. Did the user_home_t mount work? Dan
Well, it breaks kde logins if I mount the nfs home dirs this way:

type=AVC msg=audit(1129664841.283:12): avc: denied { associate } for pid=2828 comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664846.151:13): avc: denied { associate } for pid=2936 comm="mktemp" name="KDE.startkde.el2936" scontext=user_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664846.487:16): avc: denied { associate } for pid=2776 comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664858.984:22): avc: denied { associate } for pid=2981 comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664862.228:23): avc: denied { associate } for pid=3086 comm="mktemp" name="KDE.startkde.ml3086" scontext=user_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664862.552:26): avc: denied { associate } for pid=2943 comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t tclass=filesystem

Haven't tested with samba shares yet...
It also breaks a backup process where I use rsync to backup to an nfs mounted directory:

type=AVC msg=audit(1129717494.234:867): avc: denied { associate } for pid=23019 comm="rsync" name=".yp.colorado-research.com.2.x2RrHD" scontext=system_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t tclass=filesystem
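The two kinds of denial in this thread (smbd_t lacking read on nfs_t directories in the original report, and the "associate" denials on tclass=filesystem after the user_home_t context mount) look alike in the audit log but call for different fixes. The following is an added example, not part of this bug report or of the selinux-policy package: a small parser that extracts the AVC fields, groups denials into the allow rule an audit2allow-style tool would propose, and flags the filesystem/associate records as a labelling problem rather than a missing program permission. The SAMPLE_AUDIT input is constructed from the records quoted above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records quoted in this bug, one per line, plus
# one non-AVC record to show that other audit record types are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1128530327.948:62045): avc: denied { read } for pid=10164 comm="smbd" name="radar03Spectra" dev=0:1d ino=831810 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=SYSCALL msg=audit(1128530327.948:62045): arch=40000003 syscall=5 success=yes exit=27 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1129664841.283:12): avc: denied { associate } for pid=2828 comm="kdm" name=".Xauthority-c" scontext=system_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129664846.151:13): avc: denied { associate } for pid=2936 comm="mktemp" name="KDE.startkde.el2936" scontext=user_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t tclass=filesystem
type=AVC msg=audit(1129717494.234:867): avc: denied { associate } for pid=23019 comm="rsync" name=".yp.colorado-research.com.2.x2RrHD" scontext=system_u:object_r:user_home_t tcontext=system_u:object_r:user_home_t tclass=filesystem
"""

# One AVC denial record: permission set, calling program, source and target
# security contexts, object class. Field order is the order auditd writes them.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per AVC denial in text; other audit record types are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = frozenset(rec["perms"].split())
            records.append(rec)
    return records


def type_of(context):
    """The type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarise(records):
    """Group denials by (source type, target type, class), merging permissions."""
    grouped = defaultdict(set)
    for rec in records:
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        grouped[key] |= rec["perms"]
    return {key: tuple(sorted(perms)) for key, perms in grouped.items()}


def allow_rules(summary):
    """Render each group as a TE allow rule, the kind audit2allow proposes."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"
        for (stype, ttype, tclass), perms in sorted(summary.items())
    ]


def classify(rec):
    """Tell a missing-access denial apart from a context-mount labelling problem."""
    if rec["tclass"] == "filesystem" and "associate" in rec["perms"]:
        # The file type in scontext is not permitted to live on a filesystem
        # labelled with the type in tcontext: the mount context is wrong, and an
        # allow rule generated from this record is not the right fix.
        return "labelling"
    return "access"


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for rec in recs:
        print(f'{rec["comm"]:8} {classify(rec):9} {sorted(rec["perms"])} '
              f'{type_of(rec["scontext"])} -> {type_of(rec["tcontext"])}:{rec["tclass"]}')
    for rule in allow_rules(summarise(recs)):
        print(rule)
```

Run against the records above, the first group renders as the single rule for smbd_t on nfs_t directories (the effect Dan's r_dir_file(smbd_t, nfs_t) macro would give, with more permissions), while every user_home_t/filesystem record is reported as "labelling", which is why a rule generated from it would not be the right fix for the kdm and rsync failures.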
Closing as these have been marked as modified for a while. Feel free to reopen if not fixed.