Description of problem:
I have an nfs-mounted directory exported via Samba. SELinux boolean samba_share_nfs is on. Regular files and directories are exported OK. But symlinks and FIFOs are not visible through Samba. The following denials are logged in audit log:

type=AVC msg=audit(1192631695.305:14032): avc: denied { getattr } for pid=29592 comm="smbd" name="fifo" dev=0:17 ino=2474040 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=fifo_file

type=AVC msg=audit(1192631695.305:14033): avc: denied { read } for pid=29592 comm="smbd" name="customers" dev=0:17 ino=2474374 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file

When SELinux is in permissive mode these files are visible and accessible through Samba.

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-48.fc7
selinux-policy-targeted-2.6.4-48.fc7

How reproducible:
Always

Steps to Reproduce:
1. Mount a directory via NFS
2. Export this directory via Samba
3. Create a symlink or a fifo in this directory
4. Try to access the directory from a Samba client (e.g. from Windows)

Actual results:
Symlinks and fifos are not visible to Samba clients

Expected results:
Symlinks and fifos are visible to Samba clients as regular files

Additional info:
There's the following code in samba.te:

# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
	fs_manage_nfs_dirs(smbd_t)
	fs_manage_nfs_files(smbd_t)
')

Is there a reason why fs_manage_nfs_symlinks, fs_manage_nfs_named_pipes, fs_manage_nfs_named_sockets are not specified here?
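The following is an added example, not part of the original report or of selinux-policy: a small Python parser that groups the two AVC denials above by source type, target type and object class, lists the classes the quoted samba_share_nfs block does not name, and renders the minimal allow rules the denials imply. The function names and the COVERED set are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Classes the quoted samba_share_nfs block already handles on NFS
# (fs_manage_nfs_dirs, fs_manage_nfs_files). Assumption for this example.
COVERED = {"dir", "file"}

# The two denials from the report, embedded as sample input.
SAMPLE = """\
type=AVC msg=audit(1192631695.305:14032): avc: denied { getattr } for pid=29592 comm="smbd" name="fifo" dev=0:17 ino=2474040 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=fifo_file
type=AVC msg=audit(1192631695.305:14033): avc: denied { read } for pid=29592 comm="smbd" name="customers" dev=0:17 ino=2474374 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]

def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)

def uncovered(denials, source="smbd_t", target="nfs_t"):
    """Classes denied for source -> target that the tunable block does not name."""
    return sorted({c for (s, t, c) in denials
                   if s == source and t == target and c not in COVERED})

def allow_rules(denials):
    """Render the minimal allow rules the denials imply, in stable order."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denials.items())]

if __name__ == "__main__":
    d = summarize(SAMPLE)
    print("\n".join(allow_rules(d)))
    print("classes not covered by the tunable block:", uncovered(d))
```

The rendered rules contain only the permissions that were actually denied (getattr, read), which is narrower than the fs_manage_* interfaces the report asks about.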
Well, theoretically no. Does Samba allow me to create pipes, sockets, or symlinks? Or should we just allow it to getattr and read them so the remote machine can see them?
I don't think Samba allows creating pipes, sockets or symlinks. But once they are there (created on the Linux machine directly), I think Samba should show them. It may be useful to use a symlink on a Samba share as a shortcut to some other file. In fact I do use symlinks on a Samba share for such a purpose.
Fixed in selinux-policy-3.0.8-25
This is for F8, right? What about F7?
selinux-policy-2.6.4-49
*** This bug has been marked as a duplicate of 335621 ***