Bug 2209661 - samba_enable_home_dirs should enable watch access on user_home_dir_t, but doesn't
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-05-24 12:08 UTC by Matt Kinni
Modified: 2024-05-10 01:34 UTC
CC: 8 users

Fixed In Version: selinux-policy-38.33-1.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-05-10 01:34:01 UTC
Type: ---
Embargoed:

Description Matt Kinni 2023-05-24 12:08:06 UTC
When accessing a samba share from windows, whether as a mapped network drive or via an explorer path, 'smbd-notifyd' tries to establish a watch on the given folder.

For content labeled as samba_share_t, this action is allowed because smbd_t has the watch capability on the directory:
$> sesearch -s smbd_t -t samba_share_t -A -c dir -p watch
>> allow smbd_t samba_share_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink *watch* watch_reads write };

However when the folder is labeled user_home_dir_t, this action is NOT allowed even with the "samba_enable_home_dirs" boolean set:
$> sesearch -b samba_enable_home_dirs -c dir -A
>> allow smbd_t user_home_dir_t:dir { add_name ioctl lock read remove_name write }; [ samba_enable_home_dirs ]:True

The boolean does enable watch access on things *inside* the home folder via user_home_type:dir, but not the home folder itself. This causes an avc denial every time a home folder is accessed via windows, for example as a mapped network drive.

The avc error looks like this:
type=AVC msg=audit(1684928501.531:785667): avc:  denied  { watch } for  pid=954413 comm="smbd-notifyd" path="/home/matt" dev="zfs" ino=34 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1

I do not understand the rationale for why the "samba_enable_home_dirs" boolean does not allow this, but labeling something as samba_share_t does allow it.

Reproducible: Always

Steps to Reproduce:
1. Configure samba to share the /home directory
2. setsebool -P samba_enable_home_dirs 1
3. Access the home directory via \\samba-server\home-matt (or whatever) from windows
Actual Results:  
smbd-notifyd is denied watch access on home directory path (labeled as user_home_dir_t)

Expected Results:  
No avc denial occurs

The top setroubleshootd result suggests this:

> *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************
> 
> If you want to allow samba to export all rw
> Then you must tell SELinux about this by enabling the 'samba_export_all_rw' boolean.
> 
> Do
> setsebool -P samba_export_all_rw 1

However, I do not see why I should have to do that to enable watch access on the home directory, when home directory sharing already has a dedicated boolean, "samba_enable_home_dirs".

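The two sesearch checks and the AVC record in the report can be combined into a small triage script. The following is an added example, not the reporter's tooling and not part of selinux-policy: it parses the AVC line and the two allow rules quoted above (with the reporter's `*watch*` emphasis markers removed so the line reads as sesearch prints it) and reports, for each denied permission, whether a rule grants it unconditionally, only under a boolean, or not at all. Type names are compared literally, so the sesearch output must already be narrowed to the source and target types in question, as the report's first command does; rules written against attributes such as user_home_type are not expanded. The `with_target_type` helper and the samba_share_t variant it builds are constructed here for the comparison.

```python
"""Added example for this report (not the reporter's tooling, not part of
selinux-policy): parse an AVC denial and sesearch allow rules, then say
how the loaded policy treats each denied permission."""
import re

# AVC record as quoted in the report.
AVC_LINE = (
    "type=AVC msg=audit(1684928501.531:785667): avc:  denied  { watch } for  "
    'pid=954413 comm="smbd-notifyd" path="/home/matt" dev="zfs" ino=34 '
    "scontext=system_u:system_r:smbd_t:s0 "
    "tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1"
)

# The two sesearch rules quoted in the report, with the reporter's *watch*
# emphasis markers removed so each line reads as sesearch prints it.
SESEARCH_OUTPUT = """
allow smbd_t samba_share_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write };
allow smbd_t user_home_dir_t:dir { add_name ioctl lock read remove_name write }; [ samba_enable_home_dirs ]:True
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# "allow SRC TGT:CLASS { p1 p2 };" or "allow SRC TGT:CLASS p1;", optionally
# followed by "[ boolean-expression ]:True|False" for conditional rules.
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>[^\s;]+))\s*;"
    r"(?:\s*\[\s*(?P<cond>.+?)\s*\]:(?P<state>True|False))?"
)


def context_type(ctx):
    """Third field of user:role:type[:level] is the SELinux type."""
    return ctx.split(":")[2]


def parse_avc(line):
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record: %r" % line)
    return {
        "perms": set(m["perms"].split()),
        "stype": context_type(m["scontext"]),
        "ttype": context_type(m["tcontext"]),
        "tclass": m["tclass"],
    }


def parse_rules(text):
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m is None:
            continue  # blank line or not an allow rule
        perms = set(m["perms"].split()) if m["perms"] else {m["perm"]}
        rules.append({
            "src": m["src"], "tgt": m["tgt"], "cls": m["cls"],
            "perms": perms,
            "cond": m["cond"],  # None for an unconditional rule
        })
    return rules


def triage(avc_line, sesearch_text):
    """Map each denied permission to how the rules treat it.

    Type names are compared literally: feed this sesearch output already
    narrowed to the source/target types in question. Rules written against
    attributes (e.g. user_home_type) are not expanded here.
    """
    avc = parse_avc(avc_line)
    key = (avc["stype"], avc["ttype"], avc["tclass"])
    rules = [r for r in parse_rules(sesearch_text)
             if (r["src"], r["tgt"], r["cls"]) == key]
    verdict = {}
    for perm in sorted(avc["perms"]):
        granting = [r for r in rules if perm in r["perms"]]
        if any(r["cond"] is None for r in granting):
            verdict[perm] = "allowed unconditionally"
        elif granting:
            verdict[perm] = "allowed if " + " or ".join(r["cond"] for r in granting)
        else:
            verdict[perm] = "no allow rule"
    return verdict


def with_target_type(avc_line, new_type):
    """Constructed variant of an AVC record with a different target type,
    used below to contrast the samba_share_t rule with the home-dir rule."""
    return re.sub(r"(tcontext=[^:]+:[^:]+:)[^:]+",
                  lambda m: m.group(1) + new_type, avc_line)


if __name__ == "__main__":
    for label, line in [("user_home_dir_t", AVC_LINE),
                        ("samba_share_t", with_target_type(AVC_LINE, "samba_share_t"))]:
        print(label, triage(line, SESEARCH_OUTPUT))
```

Run against the report's own data this yields `no allow rule` for watch on user_home_dir_t and `allowed unconditionally` for the samba_share_t variant, which is exactly the asymmetry the report describes. On a live system the same function can be fed the output of `sesearch -s smbd_t -t user_home_dir_t -c dir -A` (the reporter's first command with the target type changed) to confirm whether a policy update closes the gap.
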
Comment 1 Matt Kinni 2023-05-24 12:09:20 UTC
(note this is with selinux-policy-38.12-1.fc38.noarch)

Comment 2 Fedora Update System 2024-04-24 12:25:56 UTC
FEDORA-2024-c92737ccc0 (selinux-policy-38.33-1.fc38) has been submitted as an update to Fedora 38.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-c92737ccc0

Comment 3 Fedora Update System 2024-04-25 02:29:26 UTC
FEDORA-2024-c92737ccc0 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-c92737ccc0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-c92737ccc0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2024-05-10 01:34:01 UTC
FEDORA-2024-c92737ccc0 (selinux-policy-38.33-1.fc38) has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.
