Bug 468315 - Wrong suggestion when export is labeled default_t type
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: setroubleshoot
Version: 10
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-10-23 22:04 EDT by Murray McAllister
Modified: 2015-01-04 17:35 EST

Doc Type: Bug Fix
Last Closed: 2009-09-06 03:15:03 EDT

Attachments:
mount tests from Rawhide and F9, and denials. (5.88 KB, text/plain)
2008-10-23 22:04 EDT, Murray McAllister

Description Murray McAllister 2008-10-23 22:04:33 EDT
Created attachment 321366
mount tests from Rawhide and F9, and denials.

I did not know the correct component to assign this to, sorry.

Description of problem:
I have:

* "samba_export_all_ro --> on"
* export directory and local mount point use the "default_t" type (before mounting the export)
* mount reports the file system mounted: "//localhost/test on /test type cifs (rw,mand)"

Accessing the share (ls) causes an "ls: reading directory .: Permission denied" error, and the following is logged to "/var/log/messages":

localhost setroubleshoot: SELinux is preventing the samba daemon from serving r/o local files to remote clients. For complete SELinux messages. run sealert -l 87bb086e-3b17-46f3-ad8f-6ee7365378f4

This suggests using "setsebool -P samba_export_all_ro=1" to resolve the issue (which is already on).

Version-Release number of selected component (if applicable):

setroubleshoot-plugins-2.0.9-1.fc10.noarch
setroubleshoot-server-2.0.12-1.fc10.noarch
policycoreutils-2.0.57-4.fc10.i386
selinux-policy-3.5.13-4.fc10.noarch
libselinux-utils-2.0.73-1.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
selinux-policy-targeted-3.5.13-4.fc10.noarch
libselinux-2.0.73-1.fc10.i386

kernel-2.6.27.3-39.fc10.i686

samba-winbind-3.2.4-0.22.fc10.i386
samba-client-3.2.4-0.22.fc10.i386
samba-3.2.4-0.22.fc10.i386
samba-common-3.2.4-0.22.fc10.i386

rpcbind-0.1.6-2.fc10.i386

How reproducible:
Always.

Steps to Reproduce:
1. See attached.
  
Actual results:
Told to use "setsebool -P samba_export_all_ro=1"

Expected results:
Told to relabel with samba_share_t (same as F9)

Additional info:
Rawhide denial:
Plugin Name                   samba_export_all_ro

F9 denial:
Plugin Name                   samba_share

Maybe this is the problem?

All other Samba booleans (getsebool -a | grep samba) except for "samba_run_unconfined" are off.

See attached for tests.
Comment 1 Daniel Walsh 2008-11-05 13:17:49 EST
This is actually two bugs.

setsebool -P samba_export_all_ro=1

Should have worked.

Fixed in selinux-policy-3.5.13-15

Plugin should have suggested the relabel

Fixed in setroubleshoot-plugins-2.0.11-1.
Comment 2 Bug Zapper 2008-11-25 23:10:56 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Murray McAllister 2009-02-16 01:06:14 EST
When export is labeled with the default_t type, and samba_export_all_ro is on, no denials occur when mounting and viewing files.

When smb.conf is configured to allow write access, export labeled default_t, and samba_export_all_ro Boolean is on, attempting to write causes a denial and suggests labeling the export with samba_share_t type.


$ rpm -q selinux-policy setroubleshoot-plugins
selinux-policy-3.5.13-44.fc10.noarch
setroubleshoot-plugins-2.0.12-1.fc10.noarch
