Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 785949

Summary: SELinux prevents smbd (smbd_t) from setattr access on the home directory (user_home_dir_t)
Product: Red Hat Enterprise Linux 6 Reporter: Phil Anderson <pza>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.2CC: dwalsh, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-01 08:09:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Phil Anderson 2012-01-31 01:01:56 UTC 
Description of problem:
Even with samba_enable_home_dirs enabled, Samba is unable to set attributes on files:

type=AVC msg=audit(1327966909.464:33529): avc:  denied  { setattr } for  pid=13430 comm="smbd" name="bursar" dev=dm-3 ino=3932161 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir


I haven't been able to confirm as I don't have a test environment, but I suspect this may only occur when extended attributes is enabled in smb.conf:
ea support = yes

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-126.el6_2.4.noarch

setroubleshootd suggests enabling samba_export_all_rw, but this is too much.  setattr should be included in samba_enable_home_dirs.
Comment 2 Milos Malik 2012-01-31 09:26:13 UTC 
# sesearch -s smbd_t -t user_home_dir_t -c dir -p setattr --allow -C
Found 1 semantic av rules:
DT allow smbd_t user_home_dir_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ samba_export_all_rw ]

# 

The access is allowed if samba_export_all_rw boolean is enabled. You can use it as workaround if you understand that the boolean allows other accesses too.

# semanage boolean -l | grep samba_export_all_rw
samba_export_all_rw            -> off   Allow samba to share any file/directory read/write.
#
Comment 3 Miroslav Grepl 2012-01-31 11:51:16 UTC 
What is "bursar"? 

Is it your user? Or is it a subdirectory in

/home/<username>/
Comment 4 Phil Anderson 2012-01-31 23:00:11 UTC 
It is a directory.
Comment 5 Miroslav Grepl 2012-02-01 08:09:01 UTC 
In this case you will need to run the restorecon command too.

# restorecon -R -v /home/<username>
# setsebool -P samba_enable_home_dirs 1