337581 – SELinux prevents samba from reading symlinks and FIFOs over NFS

Bug 337581 - SELinux prevents samba from reading symlinks and FIFOs over NFS

Summary: SELinux prevents samba from reading symlinks and FIFOs over NFS

Keywords:
Status:	CLOSED DUPLICATE of bug 335621
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	7
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-10-18 09:32 UTC by Leonid Zeitlin
Modified:	2007-11-30 22:12 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2007-10-18 21:30:03 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Leonid Zeitlin 2007-10-18 09:32:12 UTC

Description of problem:
I have an nfs-mounted directory exported via Samba. SELinux boolean 
samba_share_nfs is on. Regular files and directories are exported OK. But 
symlinks and FIFOs are not visible through Samba. The following denials are 
logged in audit log:

type=AVC msg=audit(1192631695.305:14032): avc:  denied  { getattr } for  pid=295
92 comm="smbd" name="fifo" dev=0:17 ino=2474040 scontext=root:system_r:smbd_t:s0
 tcontext=system_u:object_r:nfs_t:s0 tclass=fifo_file

type=AVC msg=audit(1192631695.305:14033): avc:  denied  { read } for  pid=29592
comm="smbd" name="customers" dev=0:17 ino=2474374 scontext=root:system_r:smbd_t:
s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file

When SELinux is in permissive mode these files are visible and accessible 
through Samba.

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-48.fc7
selinux-policy-targeted-2.6.4-48.fc7

How reproducible:
Always

Steps to Reproduce:
1. Mount a directory via NFS
2. Export this directory via Samba
3. Create a symlink or a fifo in this directory
4. Try to access the directory from a Samba client (e.g. from Windows)
  
Actual results:
Symlinks and fifos are not visible to Samba clients

Expected results:
Symlinks and fifos are visible to Samba clients as regular files


Additional info:
There's the following code in samba.te:

# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
        fs_manage_nfs_dirs(smbd_t)
        fs_manage_nfs_files(smbd_t)
')

Is there a reason why fs_manage_nfs_symlinks, fs_manage_nfs_named_pipes, 
fs_manage_nfs_named_sockets are not specified here?

Comment 1 Daniel Walsh 2007-10-18 14:23:17 UTC

Well theoretically no.  

Does samba allow me to create pipes, sockets, or symlinks?

Or should we just allow it to getattr, read them so the remote machine can see them.

Comment 2 Leonid Zeitlin 2007-10-18 14:55:04 UTC

I don't think Samba allows to create pipes, sockets or symlinks. But once they 
are there (created on the Linux machine directly), I think Samba should show 
them. It may be useful to use a symlink on a Samba share as shortcut to some 
other file. I fact I do use symlinks on a Samba share for such purpose.

Comment 3 Daniel Walsh 2007-10-18 20:00:54 UTC

Fixed in selinux-policy-3.0.8-25

Comment 4 Leonid Zeitlin 2007-10-18 20:15:57 UTC

This is for F8, right? What about F7?

Comment 5 Daniel Walsh 2007-10-18 21:29:10 UTC

selinux-policy-2.6.4-49

Comment 6 Daniel Walsh 2007-10-18 21:30:03 UTC


*** This bug has been marked as a duplicate of 335621 ***

Note You need to log in before you can comment on or make changes to this bug.