permissions on samba share

Todd Brunhoff todd.brunhoff at gmail.com
Fri Jul 20 14:38:31 MDT 2012


On 07/20/2012 12:52 PM, simo wrote:
> On Fri, 2012-07-20 at 12:38 -0700, Todd Brunhoff wrote:
>> On 07/20/2012 12:20 PM, simo wrote:
>>> On Fri, 2012-07-20 at 11:31 -0700, Todd Brunhoff wrote:
>>>> To answer my own question... it was selinux. Turn it off and everything
>>>> works.
>>>>
>>>> On 07/19/2012 01:58 PM, Todd Brunhoff wrote:
>>>>
>>>>> After reinstalling fedora 16 from scratch, I cannot get samba to work
>>>>> correctly. I can log in successfully with smbclient and I can map a
>>>>> network drive, but then I cannot get access to my login directory.
>>> Have you read the sample config file where there is a whole section that
>>> gives you commands to run and booleans to turn in a howto fashion?
>>>
>>> Don't simply turn things off, SELinux is there to help you.
>>>
>>> Simo.
>> I did read the sample smb.conf, and several others, and I didn't see
>> anything relevant. Nor did I find anything in the smb.conf man page. Nor
>> did I find anything in the source rpm that appeared to have an effect.
> This is the default smb.conf in fedora 16:
> http://pkgs.fedoraproject.org/gitweb/?p=samba.git;a=blob;f=smb.conf.default;h=fe0d921e37c2c1c11c7b24fdad59fd46d149b9bb;hb=aa2fcfacca1a5a0c80edaee5363c981b1e30c14f
>
> Start talking about SELinux at line 20 ... not sure how I can make it
> more evident.
>
>> And after turning on debug level 10 and running strace on smbd, I found
>> that it was an openat() call that failed with permission denied. Based
>> on failure with selinux enabled and success without, it appears that
>> selinux will deny access when real uid/gid does not match effective
>> uid/gid. I would guess that I could turn off a certain policy in
>> selinux, but given that I am behind a firewall, I see no point in
>> wrestling with that.
> No, SELinux doesn't care about uids or gids, SELinux is a Mandatory
> Access Control system and bases its decisions on labels.
>
> A very simple explanation is the following:
> - Each process is assigned a label, daemons in particular have specific
> labels that distinguish them from any other kind.
> - Each label is associated with a set of policies that determine which
> objects the process can access.
> - Each object (generally files on the file system) has an associated
> label which is used by the policy to decide if a process can have access
> to them.
>
> Now by default samba has a pretty strict security policy, that's to
> avoid mistakenly exposing information given samba is a network file
> server.
> However it is very simple to open-up permissions.
> For things like home directories on which you *do not want* to change
> the labels there is a seboolean that will tell the policy to let samba
> access files in home directories.
>
> For random directories instead you can change the labels on files (you
> need to do it once, all new files in the directory properly labeled
> inherit the right labels).
>
>> I do find it interesting that you imply certain booleans in smb.conf
>> might be the answer, but you did not suggest any that might be applicable.
> Read the file I linked above, it explains it all.
>
>> If my theory about selinux and real/effective uid/gid mismatch is right,
>> then perhaps the samba implementation should be calling setreuid() and
>> setregid().
> Your theory is absolutely wrong :)
>
> Simo.
>
An excellent description! It appears that I had discarded/misplaced the
original FC16 smb.conf which, as you point out, is pretty clear about
how to change the selinux settings to allow things to work. Thanks.
This will go in my notes.

Todd
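As an added example, not part of this thread or of Samba itself: a small POSIX shell helper that reads an SELinux AVC denial line logged against smbd and maps the target file's label onto the two remedies Simo lists, a boolean for home directories and a relabel for any other directory. The AVC lines are constructed for the example; the boolean name `samba_enable_home_dirs`, the file type `samba_share_t`, and the `setsebool`/`semanage fcontext`/`restorecon` command forms are drawn from the stock Fedora policy and are not quoted from the thread, so check them against your own `smb.conf` comments and `sepolicy` output.

```shell
#!/bin/sh
# Added example (not from the thread): classify an AVC denial raised against
# smbd and print the remedy that keeps SELinux enforcing, instead of turning
# it off. Real denials come from `ausearch -m avc -c smbd` or
# /var/log/audit/audit.log; the three lines below are constructed samples.

# smbd reading a user's home directory (type user_home_t) -> boolean
AVC_HOME='type=AVC msg=audit(1342819111.123:456): avc:  denied  { read } for  pid=1234 comm="smbd" name="todd" dev=sda2 ino=123456 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'
# smbd reading an arbitrary directory under /srv (type var_t) -> relabel
AVC_SHARE='type=AVC msg=audit(1342819200.456:789): avc:  denied  { read } for  pid=1234 comm="smbd" name="share" dev=sda2 ino=654321 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir'
# a denial for a different daemon, which this helper does not handle
AVC_OTHER='type=AVC msg=audit(1342819300.789:101): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" dev=sda2 ino=111 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of the space-delimited KEY=VALUE pair in LINE
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT -> the type component (user:role:TYPE:level) of a context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# samba_remedy LINE -> boolean | relabel | not-smbd
# Decision follows the thread: home-directory labels are left alone and a
# boolean opens them to samba; anything else gets the samba_share_t label.
samba_remedy() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    if [ "$src" != smbd_t ]; then
        echo not-smbd
        return 0
    fi
    case $tgt in
        user_home_t|user_home_dir_t|home_root_t) echo boolean ;;
        *) echo relabel ;;
    esac
}

# samba_fix_commands LINE DIR -> the commands to run for that denial.
# The -P on setsebool makes the boolean persistent across reboots; the
# fcontext rule is what makes new files in DIR inherit the right label.
samba_fix_commands() {
    case $(samba_remedy "$1") in
        boolean) printf 'setsebool -P samba_enable_home_dirs on\n' ;;
        relabel) printf "semanage fcontext -a -t samba_share_t '%s(/.*)?'\nrestorecon -Rv '%s'\n" "$2" "$2" ;;
        *)       printf '# not an smbd denial; no samba remedy applies\n' ;;
    esac
}

# Stand-alone run: show the verdict and commands for each constructed sample.
for line in "$AVC_HOME" "$AVC_SHARE" "$AVC_OTHER"; do
    echo "verdict: $(samba_remedy "$line")"
    samba_fix_commands "$line" /srv/share
done
```

Run it as-is to see the three verdicts; to use it on a live host, feed it `ausearch -m avc -c smbd --raw` output one line at a time, and read the printed commands before running them with root privileges.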


