Description of problem:
Selinux does not allow samba to change file owner of a shared file.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-137.1.el5_2.noarch

How reproducible:
always

Steps to Reproduce:
1. setup samba server, share some files (selinux context root:object_r:samba_share_t)
2. add root to samba user db
3. try to change file ownership of some file:
   smbcacls //localhost/share some-file -Uroot%root-samba-password -C the-new-owner

Actual results:
smbcacls fails with these error messages:
NT_TRANSACT_SET_SECURITY_DESC failed
ERROR: secdesc set failed: NT_STATUS_ACCESS_DENIED

selinux logs
type=AVC msg=audit(1216995236.905:47291): avc: denied { chown } for pid=9278 comm="smbd" capability=0 scontext=root:system_r:smbd_t:s0 tcontext=root:system_r:smbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1216995236.905:47291): arch=14 syscall=181 success=no exit=-1 a0=8511300 a1=343d a2=ffffffff a3=ffffffff items=0 ppid=8823 pid=9278 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7736 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

owner of some-file stays the same

Expected results:
- changed owner of some-file
- no NT_* errors from smbcacls
- no denial from selinux
Fixed in selinux-policy-2.4.6-143.el5
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html
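
Added example, not part of the original report or of any Red Hat tooling: a small triage script that pairs the AVC and SYSCALL records from the report by their shared audit event ID and summarizes the denial. The function names and output keys are assumptions made for this illustration; the two input lines are the ones quoted in the report.

```python
import re

# The two audit records quoted in the bug report (one event, two record types).
RECORDS = [
    'type=AVC msg=audit(1216995236.905:47291): avc: denied { chown } for pid=9278 comm="smbd" capability=0 scontext=root:system_r:smbd_t:s0 tcontext=root:system_r:smbd_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1216995236.905:47291): arch=14 syscall=181 success=no exit=-1 a0=8511300 a1=343d a2=ffffffff a3=ffffffff items=0 ppid=8823 pid=9278 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7736 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)',
]

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+:\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_record(line):
    """Return (record type, event id, body, key=value fields) or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None  # not an audit record; real logs contain other lines
    rtype, event_id, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return rtype, event_id, body, fields

def summarize_denials(lines):
    """Group records by event id and describe each AVC denial."""
    events = {}
    for parsed in filter(None, map(parse_record, lines)):
        rtype, event_id, body, fields = parsed
        events.setdefault(event_id, {})[rtype] = (body, fields)
    out = []
    for event_id, recs in events.items():
        if "AVC" not in recs:
            continue
        body, avc = recs["AVC"]
        perms = PERMS.search(body)
        sysc = recs.get("SYSCALL", ("", {}))[1]
        src = avc["scontext"].split(":")[2]  # user:role:type:level
        tgt = avc["tcontext"].split(":")[2]
        out.append({
            "event": event_id,
            "permissions": perms.group(1).split() if perms else [],
            "source_type": src,
            "target_type": tgt,
            "tclass": avc.get("tclass"),
            # Same domain on both sides with class "capability": the domain
            # lacks a capability; this is not a file-labelling problem.
            "self_capability": src == tgt and avc.get("tclass") == "capability",
            "exe": sysc.get("exe"),
            "euid": sysc.get("euid"),
            "syscall_ok": sysc.get("success") == "yes",
        })
    return out
```

For the records in this report the summary shows smbd running with euid 0, so ordinary ownership checks would not block it, while the chown capability is denied to the smbd_t domain itself.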