Bug 236460 - SELinux Samba - files in home directories have wrong user context
SELinux Samba - files in home directories have wrong user context
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2007-04-14 11:02 EDT by Anthony Messina
Modified: 2007-11-30 17:12 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-09-10 11:14:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Anthony Messina 2007-04-14 11:02:27 EDT
Description of problem:
When files are created in a Samba home directory (or otherwise), SELinux labels
them with user: root_u instead of user_u

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Create a file/folder via Samba in a Samba share
2. ls -lZ that directory
Actual results:
The user is root_u instead of user_u

Expected results:
I would think that the user should be user_u, not root_u, even though Samba runs
as root.

Additional info:
Comment 1 Daniel Walsh 2007-04-16 11:21:52 EDT
Yes but in order to do this Samba would have to have SELinux knowledge in it. 
For now it does not.  Luckily in Targeted policy this should not be a big problem.

Comment 2 Simo Sorce 2007-08-24 09:33:32 EDT
Please don't mess with status tags :)
Reassigning to selinux maintainer
Comment 3 Daniel Walsh 2007-08-24 09:55:12 EDT
Actually ordinarily they should be created as system_u if samba was started at
bootup.  If someone logs in as root and does a system samba restart, it will
give the files root as the user.  If the user logs in as a normal user and su to
root and restarts the samba daemon, the files will get created with what ever
SELinux user the user logged in as.

So we can either leave this as is or change samba to ask SELinux what the users
default SELinux user account is and change the files to the appropriate SELinux
context.  In the long run this is probably the best course of action but it
makes Samba a SELinux aware application.  Samba could then also ask the system
if this remote user is capable of rwx files directories of this context.   For
example, Samba is allowed to rwx files in all users directories, but dwalsh
might be a guest user and simo a full user, SELinux would not allow dwalsh to
create a file in simo directory even if the directory had 777 permissions.  But
through samba it would be allowed.

So this will not be fixes in FC6 or Fedora 7, but could be looked at in the future.

Of course this work would be best done by the Samba Developers.
Comment 4 Anthony Messina 2007-08-24 11:03:15 EDT
(In reply to comment #2)
> Please don't mess with status tags :)
> Reassigning to selinux maintainer

sorry about that.  i was trying to clean up to let you know i don't have an
issue with this anymore since it doesn't affect function, as dwalsh pointed out

Note You need to log in before you can comment on or make changes to this bug.