When accessing a Samba share from Windows, whether as a mapped network drive or via an Explorer path, 'smbd-notifyd' tries to establish a watch on the given folder. For content labeled as samba_share_t, this action is allowed because smbd_t has the watch capability on the directory:

$> sesearch -s smbd_t -t samba_share_t -A -c dir -p watch
>> allow smbd_t samba_share_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink *watch* watch_reads write };

However, when the folder is labeled user_home_dir_t, this action is NOT allowed even with the "samba_enable_home_dirs" boolean set:

$> sesearch -b samba_enable_home_dirs -c dir -A
>> allow smbd_t user_home_dir_t:dir { add_name ioctl lock read remove_name write }; [ samba_enable_home_dirs ]:True

The boolean does enable watch access on things *inside* the home folder via user_home_type:dir, but not the home folder itself. This causes an AVC denial every time a home folder is accessed via Windows, for example as a mapped network drive. The AVC error looks like this:

type=AVC msg=audit(1684928501.531:785667): avc: denied { watch } for pid=954413 comm="smbd-notifyd" path="/home/matt" dev="zfs" ino=34 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1

I do not understand the rationale for why the "samba_enable_home_dirs" boolean does not allow this, but labeling something as samba_share_t does allow it.

Reproducible: Always

Steps to Reproduce:
1. Configure samba to share the /home directory
2. setsebool -P samba_enable_home_dirs 1
3. Access the home directory via \\samba-server\home-matt (or whatever) from Windows

Actual Results: smbd-notifyd is denied watch access on the home directory path (labeled as user_home_dir_t)

Expected Results: No AVC denial occurs

The top setroubleshootd result suggests this:

> ***** Plugin catchall_boolean (89.3 confidence) suggests ******************
>
> If you want to allow samba to export all rw
> Then you must tell SELinux about this by enabling the 'samba_export_all_rw' boolean.
>
> Do
> setsebool -P samba_export_all_rw 1

However, I do not see why I should have to do that to enable watch access on the home directory, when home directory sharing already has a dedicated boolean "samba_enable_home_dirs".
(note this is with selinux-policy-38.12-1.fc38.noarch)
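The reasoning in the report above (parse the AVC record, pull out the source type, target type, object class and requested permission, then compare against the allow rules that sesearch printed) can be scripted so the same check runs over audit log lines on any host. The following is an added example written for this page, not code from the bug report or from the selinux-policy project. The AVC line is a constructed sample copied from the report, and RULES transcribes only the two allow rules shown in the sesearch output; a real policy contains many more rules and attribute-based ones (such as user_home_type) that this small table does not model, so the function reports which requested permissions the transcribed rules fail to grant, nothing more.

```python
import re

# Constructed sample: the AVC record quoted in the bug report, not live audit data.
SAMPLE_AVC = (
    'type=AVC msg=audit(1684928501.531:785667): avc: denied { watch } for pid=954413 '
    'comm="smbd-notifyd" path="/home/matt" dev="zfs" ino=34 '
    'scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 '
    'tclass=dir permissive=1'
)

# Allow rules transcribed from the sesearch output in the report, as
# (source type, target type, object class, permissions, gating boolean or None).
RULES = [
    ('smbd_t', 'samba_share_t', 'dir',
     {'add_name', 'create', 'getattr', 'ioctl', 'link', 'lock', 'open', 'read',
      'remove_name', 'rename', 'reparent', 'rmdir', 'search', 'setattr', 'unlink',
      'watch', 'watch_reads', 'write'}, None),
    ('smbd_t', 'user_home_dir_t', 'dir',
     {'add_name', 'ioctl', 'lock', 'read', 'remove_name', 'write'},
     'samba_enable_home_dirs'),
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing an AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if 'scontext' not in fields or 'tcontext' not in fields or 'tclass' not in fields:
        return None
    rec = {
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'fields': fields,
        # An SELinux context is user:role:type:level; the type is the third field.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=1 means the access was logged but not actually blocked.
        'permissive': fields.get('permissive') == '1',
    }
    return rec


def allowed_perms(rules, source, target, tclass, booleans):
    """Union of permissions the given rules grant for (source, target, class),
    counting a boolean-gated rule only when that boolean is set to True."""
    perms = set()
    for src, tgt, cls, rule_perms, cond in rules:
        if (src, tgt, cls) != (source, target, tclass):
            continue
        if cond is not None and not booleans.get(cond, False):
            continue
        perms |= rule_perms
    return perms


def missing_perms(rec, rules, booleans):
    """Requested permissions from the AVC record that the rules do not grant."""
    granted = allowed_perms(rules, rec['source_type'], rec['target_type'],
                            rec['tclass'], booleans)
    return rec['perms'] - granted


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    for setting in (False, True):
        gap = missing_perms(rec, RULES, {'samba_enable_home_dirs': setting})
        print(f"samba_enable_home_dirs={setting}: still not granted on "
              f"{rec['target_type']}:{rec['tclass']} -> {sorted(gap)}")
```

Running it reports that `watch` on user_home_dir_t:dir remains ungranted whether or not samba_enable_home_dirs is on, while the same lookup against samba_share_t finds `watch` in the unconditional rule, which is exactly the asymmetry the report describes. To use it on a real system, feed it the AVC lines from `ausearch -m AVC` and replace RULES with the output of the corresponding sesearch queries.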
FEDORA-2024-c92737ccc0 (selinux-policy-38.33-1.fc38) has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2024-c92737ccc0
FEDORA-2024-c92737ccc0 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-c92737ccc0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-c92737ccc0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-c92737ccc0 (selinux-policy-38.33-1.fc38) has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.