Bug 823728 - selinux block setxattr in CIFS filesystems
selinux block setxattr in CIFS filesystems
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
Unspecified Unspecified
unspecified Severity low
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2012-05-21 22:16 EDT by Jian Li
Modified: 2014-03-03 19:08 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-05-23 00:15:54 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jian Li 2012-05-21 22:16:42 EDT
Description of problem:
In CIFS filesystems, when selinux is enforcing, setxattr returns 'permission denied', when selinux is closed, setxattr works well.

Version-Release number of selected component (if applicable):

How reproducible:
Set up samba, and mount from client, create a file, and set xattr on it.
In order to create new file, change shared directory's security attribute:
chcon -t samba_share_t /share/directory
Comment 2 Dan Horák 2012-05-22 05:31:20 EDT
sdparm is definitely not the right component, kernel seems more appropriate to me.

Jian Li, please post here the exact commands you run and their outputs, maybe even including lines from /var/log/messages.
Comment 3 Jeff Layton 2012-05-22 06:24:16 EDT
I doubt this is a kernel problem either...probably selinux-policy issue, but it's difficult to know for sure. The description doesn't make it clear whether you're disabling selinux on the client or server here to get it working.
Comment 4 Jian Li 2012-05-22 22:03:31 EDT
sorry, I couldn't manually reproduce it...

I have resubmit a job again, and waiting for result.

beaker job link:  (RHEL6.3-20120509.1)

the test(/kernel/filesystems/cifs/xattr) is a standalone test, and setfattr after mounting some local shared directory.
Comment 5 Jian Li 2012-05-22 22:34:14 EDT
fail jobs:


checking case, and resubmit job to test with selinux closed.
Comment 6 Jian Li 2012-05-23 00:13:40 EDT
job with selinux closed PASS:

Try to manual test and resubmit one on the latest distro.
Comment 7 Jian Li 2012-05-23 00:15:54 EDT
job pass

It's case that miss to configure some test file's selinux attribute 'samba_share_t'. 

So it's NOTABUG.

Note You need to log in before you can comment on or make changes to this bug.