[Samba] Still cannot manage folders through Samba4 with SELinux samba_export_all_rw enabled
Dennis Verspuij - SpuyMore
dennis at spuymore.nl
Thu Nov 22 04:52:13 MST 2012
Hello,

I have Samba 4 installed with some correctly configured shares so I can
access them from my Windows box. It is a proven setup from an older
Fedora+Samba setup, though on that other machine I have SELinux
disabled. So I set samba_export_all_rw=1 to be able to access the shares
whose files and directories are labelled public_content_rw_t by issuing:

semanage fcontext -a -t public_content_rw_t '/myrootfolder(/.*)?'
restorecon -R -v /myrootfolder

After that I can indeed create, write and update files anywhere in the
share and its subfolders. I can also delete folders, but I cannot create
or rename folders though!

sesearch --allow -C | grep samba_export_all_rw:

DT allow smbd_t noxattrfs : file { ioctl read getattr lock open } ; [ samba_export_all_rw ]
DT allow smbd_t noxattrfs : dir { getattr search open } ; [ samba_export_all_rw ]
DT allow smbd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ samba_export_all_rw ]
DT allow smbd_t non_security_file_type : dir { ioctl read write getattr lock add_name remove_name search open } ; [ samba_export_all_rw ]
DT allow smbd_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ samba_export_all_rw ]
DT allow nmbd_t noxattrfs : file { ioctl read getattr lock open } ; [ samba_export_all_rw ]
DT allow nmbd_t noxattrfs : dir { getattr search open } ; [ samba_export_all_rw ]
DT allow nmbd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ samba_export_all_rw ]
DT allow nmbd_t non_security_file_type : dir { ioctl read write getattr lock add_name remove_name search open } ; [ samba_export_all_rw ]
DT allow nmbd_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ samba_export_all_rw ]

This means samba_export_all_rw does not allow smbd_t as well as nmbd_t
to actually "create" non_security_file_type directories, which I think
is a mistake in the policy.

Kind regards,
Dennis Verspuij
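
The comparison made in the post, as an added example that is not part of the original message: a shell function that reads `sesearch --allow` output and lists which directory permissions each `dir` rule for a domain lacks. The names `missing_dir_perms` and `sample_rules` are hypothetical, the sample input is constructed from rules quoted in the post, and the default permission list assumes the `dir` class checks SELinux makes for mkdir (`create`) and rename (`rename`, plus `reparent` when the parent changes).

```shell
# Added example (not from the original post).
# usage: missing_dir_perms SOURCE_DOMAIN [PERMS]  < sesearch-output
# For every allow rule from SOURCE_DOMAIN on class "dir", print the target
# type and the permissions from PERMS that the rule does not grant.
# PERMS defaults to what mkdir and rename need on the directory itself.
missing_dir_perms() {
    awk -v src="$1" -v want="${2:-create rename reparent}" '
        # Rules are often wrapped by mail clients, so join all input first.
        { text = text " " $0 }
        END {
            nwant = split(want, w, " ")
            # Each rule runs from "allow" to its terminating ";".
            while (match(text, /allow [^;]*;/)) {
                rule = substr(text, RSTART, RLENGTH)
                text = substr(text, RSTART + RLENGTH)
                # Tolerate missing spaces around the punctuation.
                gsub(/[:{};]/, " & ", rule)
                # Fields: allow SOURCE TARGET : CLASS { perm ... } ;
                n = split(rule, f, " ")
                if (f[2] != src || f[5] != "dir") continue
                split("", have)            # portable way to clear an array
                for (i = 6; i <= n; i++) have[f[i]] = 1
                out = ""
                for (i = 1; i <= nwant; i++)
                    if (!(w[i] in have)) out = out (out == "" ? "" : " ") w[i]
                print f[3] ": " (out == "" ? "none" : out)
            }
        }'
}

# Constructed sample: three of the rules quoted in the post, wrapped as mailed.
sample_rules() {
    cat <<'EOF'
DT allow smbd_t non_security_file_type : file { ioctl read write create
getattr setattr lock append unlink link rename open } ; [
samba_export_all_rw ]
DT allow smbd_t non_security_file_type : dir { ioctl read write getattr
lock add_name remove_name search open } ; [ samba_export_all_rw ]
DT allow nmbd_t noxattrfs : dir { getattr search open } ; [
samba_export_all_rw ]
EOF
}

sample_rules | missing_dir_perms smbd_t
```

On a live system the same function can be fed directly, for example `sesearch --allow -C | grep samba_export_all_rw | missing_dir_perms smbd_t`.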