Bug 337581 – SELinux prevents samba from reading symlinks and FIFOs over NFS

Bug 337581 - SELinux prevents samba from reading symlinks and FIFOs over NFS

Summary:	SELinux prevents samba from reading symlinks and FIFOs over NFS

Status:	CLOSED DUPLICATE of bug 335621

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	7
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2007-10-18 05:32 EDT by Leonid Zeitlin
Modified:	2007-11-30 17:12 EST (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2007-10-18 17:30:03 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Leonid Zeitlin 2007-10-18 05:32:12 EDT

Description of problem:
I have an nfs-mounted directory exported via Samba. SELinux boolean 
samba_share_nfs is on. Regular files and directories are exported OK. But 
symlinks and FIFOs are not visible through Samba. The following denials are 
logged in audit log:

type=AVC msg=audit(1192631695.305:14032): avc:  denied  { getattr } for  pid=295
92 comm="smbd" name="fifo" dev=0:17 ino=2474040 scontext=root:system_r:smbd_t:s0
 tcontext=system_u:object_r:nfs_t:s0 tclass=fifo_file

type=AVC msg=audit(1192631695.305:14033): avc:  denied  { read } for  pid=29592
comm="smbd" name="customers" dev=0:17 ino=2474374 scontext=root:system_r:smbd_t:
s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file

When SELinux is in permissive mode these files are visible and accessible 
through Samba.

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-48.fc7
selinux-policy-targeted-2.6.4-48.fc7

How reproducible:
Always

Steps to Reproduce:
1. Mount a directory via NFS
2. Export this directory via Samba
3. Create a symlink or a fifo in this directory
4. Try to access the directory from a Samba client (e.g. from Windows)
  
Actual results:
Symlinks and fifos are not visible to Samba clients

Expected results:
Symlinks and fifos are visible to Samba clients as regular files


Additional info:
There's the following code in samba.te:

# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
        fs_manage_nfs_dirs(smbd_t)
        fs_manage_nfs_files(smbd_t)
')

Is there a reason why fs_manage_nfs_symlinks, fs_manage_nfs_named_pipes, 
fs_manage_nfs_named_sockets are not specified here?

Comment 1 Daniel Walsh 2007-10-18 10:23:17 EDT

Well theoretically no.  

Does samba allow me to create pipes, sockets, or symlinks?

Or should we just allow it to getattr, read them so the remote machine can see them.

Comment 2 Leonid Zeitlin 2007-10-18 10:55:04 EDT

I don't think Samba allows to create pipes, sockets or symlinks. But once they 
are there (created on the Linux machine directly), I think Samba should show 
them. It may be useful to use a symlink on a Samba share as shortcut to some 
other file. I fact I do use symlinks on a Samba share for such purpose.

Comment 3 Daniel Walsh 2007-10-18 16:00:54 EDT

Fixed in selinux-policy-3.0.8-25

Comment 4 Leonid Zeitlin 2007-10-18 16:15:57 EDT

This is for F8, right? What about F7?

Comment 5 Daniel Walsh 2007-10-18 17:29:10 EDT

selinux-policy-2.6.4-49

Comment 6 Daniel Walsh 2007-10-18 17:30:03 EDT


*** This bug has been marked as a duplicate of 335621 ***

Note You need to log in before you can comment on or make changes to this bug.