[Samba] Public shares in FC4 (update)

Don Meyer dlmeyer at uiuc.edu
Sun Feb 26 07:30:38 GMT 2006


audit2allow gave you the code to allow "search" capability on 
directories labeled "default_t".  You are instead giving samba full 
access to the parent directory of your share(s) by re-labeling it.

It's your call whether granting smbd the limited "search" capability 
to all directories labeled "default_t" is more or less secure than 
granting smbd full access to a single parent directory.


At 01:06 AM 2/26/2006, Louis E Garcia II wrote:
>Yes I just realized that. I solved it another way.
>
>When I had this samba couldn't see public. I got avc error saying smbd_t
>needed access to default_t
>drwxr-xr-x  root   root  system_u:object_r:default_t  /data
>drwxrwsrwx  root   root  system_u:object_r:samba_share_t  /data/public
>
>When I had this samba could see public and it worked.
>drwxr-xr-x  root   root  system_u:object_r:samba_share_t  /data
>drwxrwsrwx  root   root  system_u:object_r:samba_share_t  /data/public
>
>I think this is a better solution than to have samba have access to any
>new dir with default_t. What do you think?
>
>-Louis
>
>On Sat, 2006-02-25 at 23:43 -0600, Don Meyer wrote:
> > Look at your AVC error (below) -- to paraphrase, avc denied search
> > for smbd for the name "/".  That is running into a problem accessing
> > (traversing) the root directory.   Hence the need to allow "search"
> > on default_t.
> >

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759
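
Added example, not part of the original messages: a small Python sketch that turns an AVC denial like the one paraphrased in this thread into the type-enforcement rule audit2allow would propose, then lists which directories each of the two fixes discussed here would touch. The AVC line, the extra paths /backup and /scratch, and all function names are constructed for illustration.

```python
import re

# Constructed AVC denial in the shape the thread paraphrases (not copied from the post).
SAMPLE_AVC = (
    'audit(1140932618.123:45): avc:  denied  { search } for  pid=2345 '
    'comm="smbd" name="/" dev=sdb1 ino=2 '
    'scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir'
)

# Constructed labels: /data and /data/public mirror the first listing in the thread,
# /backup and /scratch are hypothetical other directories left at default_t.
LABELS = {
    "/data": "default_t",
    "/data/public": "samba_share_t",
    "/backup": "default_t",
    "/scratch": "default_t",
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Extract source type, target type, class and permissions, or None if no denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"source": context_type(m["scon"]), "target": context_type(m["tcon"]),
            "tclass": m["tclass"], "perms": m["perms"].split()}

def allow_rule(denial):
    """Format the denial as a TE allow rule (keyed on types, not on a path)."""
    perms = denial["perms"]
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {denial['source']} {denial['target']}:{denial['tclass']} {body};"

def exposure(denial, labels, relabel_path, new_type="samba_share_t"):
    """Paths covered by the type-wide rule vs. paths changed by relabeling one directory."""
    by_rule = sorted(p for p, t in labels.items() if t == denial["target"])
    by_relabel = [relabel_path] if labels.get(relabel_path) != new_type else []
    return by_rule, by_relabel

if __name__ == "__main__":
    d = parse_avc(SAMPLE_AVC)
    print(allow_rule(d))
    print(exposure(d, LABELS, "/data"))
```

The rule covers more paths with a single permission, while the relabel covers one path with everything the policy grants smbd on samba_share_t, which is the trade-off described above.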


