423811 – SELinux should allow access to Samba shares from any internal client.

Bug 423811 - SELinux should allow access to Samba shares from any internal client.

Summary: SELinux should allow access to Samba shares from any internal client.

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	8
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-12-13 18:20 UTC by Dick Gingras
Modified:	2007-12-13 20:40 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-12-13 19:42:24 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Dick Gingras 2007-12-13 18:20:59 UTC

Description of problem:
SELinux policy complains that a local client on a different local subnet is
accessing files.

Version-Release number of selected component (if applicable):
3.0.8-64.fc8

How reproducible:
Always

Steps to Reproduce:
1. Access a local samba share from a virtual machine that is on a subnet that
has a different non-routable IP Address, eg. VM has 192.168.2.10 and Fedora 8
has 192.169.1.10.

  
Actual results:
Produces error "SELinux is preventing the samba daemon from serving r/o local
files to remote clients."

Expected results:
Should not complain about access from any non-routable IP Address since by
definition, they are local clients.

Additional info:
Presumably, the SE Bool samba_export_all_ro is intended to allow access to samba
shares to external clients and all internal clients should have access. If
internal clients should be blocked, that can be done via the Samba configuration.

Comment 1 Daniel Walsh 2007-12-13 19:42:24 UTC

The hole idea of SELinux is not to trust the application.  So doing something
that samba will enforce is not good enough.  SELinux is based on rules or what
the daemon is allowed to do based on the security constraints of the machine.

SELinux currently does not have a any idea of what the routing rules of the
machine are.  THere is some effort going into allowing the labeling of packets
as they flow through the kernel but this is not supported yet.

Comment 2 Dick Gingras 2007-12-13 20:26:00 UTC

That leaves an untenable situation - you must turn on samba_export_all_ro to
allow access to Samba shares from a virtual machine, which also allows access
from ANY client, even those outside the LAN.

An inexperienced user/admin will likely turn on the sebool without considering
further implications, potentially leaving a huge security hole.

Seems to me the samba_export sebool should be split into two, one for "local"
and one for "remote" share access, with appropriate documentation to give the
user a clue about the implications of each.

Comment 3 Daniel Walsh 2007-12-13 20:40:09 UTC

Well not really.  SELinux is a layer on top of other security including samba
itself.  You also have firewall rules.  So You can prevent the rest of the world
from reading any samba shares by turning off samba ports from non local networks.

There is not vulnerability here other then the equivalent of selinux being
disabled or permissive mode.  

From SELinux point of view,  A network connection comes into smbd/nmbd and they
attempt to satisfy the action.  Either selinux allows smbd/nmbd to read the
share or not.  The job of protecting the network access is the firewall/iptables.

Note You need to log in before you can comment on or make changes to this bug.