Red Hat Bugzilla – Bug 468315
Wrong suggestion when export is labeled default_t type
Last modified: 2015-01-04 17:35:42 EST
Created attachment 321366
mount tests from Rawhide and F9, and denials.
I did not know the correct component to assign this to, sorry.
Description of problem:
* "samba_export_all_ro --> on"
* export directory and local mount point use the "default_t" type (before mounting the export)
* mount reports the file system mounted: "//localhost/test on /test type cifs (rw,mand)"
Accessing the share (ls) causes an "ls: reading directory .: Permission denied" error, and the following is logged to "/var/log/messages":
localhost setroubleshoot: SELinux is preventing the samba daemon from serving r/o local files to remote clients. For complete SELinux messages. run sealert -l 87bb086e-3b17-46f3-ad8f-6ee7365378f4
This suggests using "setsebool -P samba_export_all_ro=1" to resolve the issue (which is already on).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. See attached.
Told to use "setsebool -P samba_export_all_ro=1"
Told to relabel with samba_share_t (same as F9)
Plugin Name samba_export_all_ro
Plugin Name samba_share
Maybe this is the problem?
All other Samba booleans (getsebool -a | grep samba) except for "samba_run_unconfined" are off.
See attached for tests.
This is actually two bugs.
setsebool -P samba_export_all_ro=1
Should have worked.
Fixed in selinux-policy-3.5.13-15
Plugin should have suggested the relabel
Fixed in setroubleshoot-plugins-2.0.11-1.
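The two cases in the comment above can be told apart from the denial record plus the current Boolean state: suggesting the Boolean only helps when it is off and the access is read-only. The sketch below is an added example, not setroubleshoot's plugin code or anything from this bug report; the AVC lines are constructed, and `parse_avc`, `suggest` and the `READ_PERMS` set are hypothetical names and assumptions.

```python
import re

# Added illustration; not the setroubleshoot plugin implementation.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\sscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\w+)")

# Assumption: permissions this sketch treats as read-only access.
READ_PERMS = {"read", "getattr", "open", "search", "ioctl", "lock"}

def _type(context):
    """Return the type field of user:role:type[:level], or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Extract permissions, source/target types and class from an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": set(m["perms"].split()),
            "source": _type(m["scontext"]),
            "target": _type(m["tcontext"]),
            "tclass": m["tclass"]}

def suggest(line, booleans):
    """Pick a remedy for an smbd denial given the current Boolean values."""
    avc = parse_avc(line)
    if (avc is None or avc["source"] != "smbd_t"
            or avc["tclass"] not in ("file", "dir")):
        return ("ignore", "not an smbd file/dir denial")
    read_only = avc["perms"] <= READ_PERMS
    # The Boolean is only a useful hint when it is off and access is read-only.
    if read_only and not booleans.get("samba_export_all_ro", False):
        return ("boolean", "setsebool -P samba_export_all_ro=1")
    # Boolean already on, or write access: relabeling is the remaining fix.
    return ("relabel",
            "label the export samba_share_t (currently %s)" % avc["target"])

# Constructed sample records (not taken from the attachment).
READ_DENIAL = ('type=AVC msg=audit(1224800000.101:55): avc:  denied  { read } '
               'for  pid=2345 comm="smbd" name="test" dev=dm-0 ino=98 '
               'scontext=system_u:system_r:smbd_t:s0 '
               'tcontext=system_u:object_r:default_t:s0 tclass=dir')
WRITE_DENIAL = READ_DENIAL.replace("{ read }", "{ write }")
```

With `samba_export_all_ro` already on, the read denial from this report yields the relabel hint rather than repeating the Boolean.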
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.
More information and reason for this action is here:
When export is labeled with the default_t type, and samba_export_all_ro is on, no denials occur when mounting and viewing files.
When smb.conf is configured to allow write access, export labeled default_t, and samba_export_all_ro Boolean is on, attempting to write causes a denial and suggests labeling the export with samba_share_t type.
$ rpm -q selinux-policy setroubleshoot-plugins