[Samba] Still cannot manage folders through Samba4 with SELinux samba_export_all_rw enabled

Dennis Verspuij - SpuyMore dennis at spuymore.nl
Thu Nov 22 04:52:13 MST 2012


Hello,

I have Samba 4 installed with some correctly configured shares so I can 
access them from my Windows box. It is a proven setup from an older 
Fedora+Samba setup, though on that other machine I have SELinux 
disabled. So I set samba_export_all_rw=1 to be able to access the shares 
whose files and directories are labelled public_content_rw_t by issuing:

semanage fcontext -a -t public_content_rw_t '/myrootfolder(/.*)?'
restorecon -R -v /myrootfolder

After that I can indeed create, write and update files anywhere in the 
share and its subfolders. I can also delete folders, but I cannot create 
or rename folders!

sesearch --allow -C | grep samba_export_all_rw:
DT allow smbd_t noxattrfs : file { ioctl read getattr lock open } ; [ samba_export_all_rw ]
DT allow smbd_t noxattrfs : dir { getattr search open } ; [ samba_export_all_rw ]
DT allow smbd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ samba_export_all_rw ]
DT allow smbd_t non_security_file_type : dir { ioctl read write getattr lock add_name remove_name search open } ; [ samba_export_all_rw ]
DT allow smbd_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ samba_export_all_rw ]
DT allow nmbd_t noxattrfs : file { ioctl read getattr lock open } ; [ samba_export_all_rw ]
DT allow nmbd_t noxattrfs : dir { getattr search open } ; [ samba_export_all_rw ]
DT allow nmbd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ samba_export_all_rw ]
DT allow nmbd_t non_security_file_type : dir { ioctl read write getattr lock add_name remove_name search open } ; [ samba_export_all_rw ]
DT allow nmbd_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ samba_export_all_rw ]

This means samba_export_all_rw does not allow smbd_t or nmbd_t to 
actually "create" non_security_file_type directories, which I think is a 
mistake in the policy.

Kind regards,

Dennis Verspuij
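
Added example, not part of the original post: a small Python check that parses the smbd_t rules quoted in the message and reports which dir-class permissions for mkdir and rename the boolean does not grant. It assumes only the rules pasted above are in play (unconditional rules elsewhere in the policy are not considered); the function names and the operation-to-permission table are introduced here for illustration.

```python
import re

# sesearch output for smbd_t, copied from the post above (mail wrapping kept).
SESEARCH_OUTPUT = """\
DT allow smbd_t noxattrfs : dir { getattr search open } ; [
samba_export_all_rw ]
DT allow smbd_t non_security_file_type : file { ioctl read write create
getattr setattr lock append unlink link rename open } ; [
samba_export_all_rw ]
DT allow smbd_t non_security_file_type : dir { ioctl read write getattr
lock add_name remove_name search open } ; [ samba_export_all_rw ]
"""

RULE = re.compile(r"allow (\S+) (\S+) : (\S+) (?:\{ ([^}]*)\}|(\S+)) ; \[ (\S+) \]")

# Permissions checked on the directory object itself (class dir).
DIR_OPERATIONS = {
    "mkdir": {"create"},
    "rename in place": {"rename"},
    "move to another parent": {"rename", "reparent"},
}

def parse_rules(text):
    """Return (source, target, class, perms, boolean) for each conditional rule."""
    flat = " ".join(text.split())  # undo the line wrapping
    return [(src, tgt, cls, frozenset((braced or single).split()), boolean)
            for src, tgt, cls, braced, single, boolean in RULE.findall(flat)]

def granted(rules, source, target, tclass, boolean):
    """Union of permissions the boolean grants source on target:tclass."""
    perms = set()
    for src, tgt, cls, p, b in rules:
        if (src, tgt, cls, b) == (source, target, tclass, boolean):
            perms |= p
    return perms

def missing_for_dir_ops(text, source="smbd_t", target="non_security_file_type",
                        boolean="samba_export_all_rw"):
    """Map each directory operation to the dir permissions not granted."""
    have = granted(parse_rules(text), source, target, "dir", boolean)
    return {op: sorted(need - have) for op, need in DIR_OPERATIONS.items()}

if __name__ == "__main__":
    for op, missing in missing_for_dir_ops(SESEARCH_OUTPUT).items():
        print(f"{op}: missing {', '.join(missing) or 'nothing'}")
```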

