Bug 558622 - samba_enable_home_dirs if 0 (man page explains) but maybe reporting 'access denied' into the logs would be good
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-01-25 20:15 UTC by lejeczek
Modified: 2010-02-11 14:40 UTC (History)

Fixed In Version: 3.6.32-84.fc12
Clone Of:
: 991254 (view as bug list)
Environment:
Last Closed: 2010-02-11 14:40:33 UTC
Type: ---

Description lejeczek 2010-01-25 20:15:14 UTC
Description of problem:
An idea: when the actual boolean is 0 and one has folders Samba-shared from within a home dir, then the failure is silent. Sure, we all should read man pages, but reports into the syslog would put many minds at ease. That would nicely appear in syslog just next to the Samba error, and everything is clear :)
Thanks

Comment 1 Daniel Walsh 2010-01-25 20:29:05 UTC
Not sure what you are getting at.  Please show me what you would have wanted the /var/log/messages entry to look like?

Comment 2 lejeczek 2010-01-30 21:57:14 UTC
SELinux silently denies Samba access to public_content_rw_t (maybe samba_share_t too) labelled shares in a user's home dir if samba_enable_home_dirs is 0.
The man page explains it, but this denial, when it happens, could as well go into the logs; for those who have missed samba_selinux, troubleshooting it would be quicker, I think.

Comment 3 Daniel Walsh 2010-02-01 18:32:26 UTC
I agree.

Miroslav, change

userdom_dontaudit_search_user_home_dirs(smbd_t)

to

userdom_search_user_home_content(smbd_t)

This will allow samba to search through the user homedir but not list them. 

I don't think this is much less secure.
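Added example, not part of the original bug thread: a small triage script that picks smbd_t denials against home directory types out of audit records and points the admin at the samba_enable_home_dirs boolean, which is the hint the reporter wanted next to the Samba error. Such records only exist when no dontaudit rule is suppressing them; the sample records are constructed, and user_home_dir_t / user_home_t are assumed to be the home directory types in use (they are the reference-policy names).

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the bug report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1265049000.101:310): avc:  denied  { search } for  pid=2101 comm="smbd" name="alice" dev=dm-0 ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1265049002.220:311): avc:  denied  { read } for  pid=2101 comm="smbd" name="notes.txt" dev=dm-0 ino=977 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1265049005.004:312): avc:  denied  { getattr } for  pid=1800 comm="httpd" path="/home/alice" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1265049005.004:312): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
"""

# Assumed home directory types (reference-policy names).
HOME_TYPES = {"user_home_dir_t", "user_home_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def smbd_home_denials(log_text):
    """Collect AVC denials where smbd_t was refused access to a home type."""
    hits = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scon"]) != "smbd_t":
            continue
        target = selinux_type(m["tcon"])
        if target in HOME_TYPES:
            hits.append({"perms": m["perms"].split(), "target_type": target,
                         "tclass": m["tclass"]})
    return hits


def triage(log_text):
    """Summarise the denials and name the boolean an admin should check."""
    hits = smbd_home_denials(log_text)
    if not hits:
        return "no smbd_t denials on home directory types found"
    counts = Counter(h["target_type"] for h in hits)
    detail = ", ".join(f"{t} x{n}" for t, n in sorted(counts.items()))
    return f"smbd_t denied on {detail}; check: getsebool samba_enable_home_dirs"


if __name__ == "__main__":
    print(triage(SAMPLE_AUDIT_LOG))
```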

Comment 4 Miroslav Grepl 2010-02-01 19:43:39 UTC
Changed in selinux-policy-3.6.32-80.fc12

Comment 5 Fedora Update System 2010-02-03 23:18:31 UTC
selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12

Comment 6 Fedora Update System 2010-02-05 01:42:58 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492

Comment 7 Fedora Update System 2010-02-11 14:35:39 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.