On 03/21/2010 12:21 PM, Toby Ovod-Everett wrote:
> Two issues in this e-mail. The first is a general request for advice on how
> to structure things for a home-grown photo system I developed - I had it
> working, now the SELinux config has some issues, etc. The second is that
> something changed in libselinux or selinux-policy since January 17th and it's
> causing Samba some issues.
>
> So, here's a brief overview of the photo archive system I developed, the
> issues, and how I have them currently resolved.
>
> My server machine runs Fedora 12 with a pretty vanilla configuration and I run
> yum update regularly. I have two partitions - /, which contains the OS
> install, user directories, etc., and /data, which I use for some large data
> sets that I don't want to have to copy when rebuilding the machine during OS
> upgrades. In particular, the major large data set is /data/photos.
>
> There are three major directory trees that impact the photo system:
>
> /data/photos - contains the actual digital images in /data/photos/images and
> the information about them in /data/photos/info. Context from / is:
>
> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
> drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 data
> drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
>
> /data/photos needs to be r/w for my user account (which is a member of photos)
> and readable for apache. I generally access /data/photos through Samba from
> my user machine which runs (gasp) Windows 7.
>
>
> /var/www/cgi-bin/photos - contains the Perl scripts that implement the web
> frontend for viewing the photos (loading photos is all done from the command
> line). I have httpd_enable_cgi=>on in order to support this. Context is
> unchanged from default configs. I'd like r/w access through Samba from my user
> machine for editing the scripts using Notepad++.
>
>
> /var/www/html/thumbnails - contains directories of thumbnails for the photos.
> These are persistently cached in this tree and automatically generated or
> updated as required by the Perl scripts above. This data
> doesn't have to persist across rebuilds. There are different subdirectories
> for the different supported thumbnail sizes and each subdir needs to be
> r/w for apache. Context from / is:
>
> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
> drwxr-xr-x. root root system_u:object_r:var_t:s0 var
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
> drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
> drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180
>
>
> One of the main issues is that I need Samba to have r/w to a bunch of the
> trees that apache needs access to. Current Samba SELinux config is
> samba_enable_home_dirs=>on, allow_smbd_anon_write=>on,
> samba_export_all_rw=>on. I'd like to be able to pull the latter eventually,
> but then I need to be able to figure out how to give Samba r/w access to the
> cgi-bin directory.
>
>
> Now on to the "what broke" question. Somewhere in the last two months (it's
> been a while since I've added photos), I lost the ability to use Samba to
> access /data/photos. Generally I access it through a symlink in my homedir:
>
> lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos
>
> This has stopped working. Things I tried:
> * Verifying symlinks. I have Mail -> mail in my homedir and that still works.
> * Verifying SELinux settings conform to above model.
> * Creating a separate share for /data/photos. This worked.
>
> I obviously have a workaround now, but as a solution it's annoying, because it
> requires me to create separate shares for all of the things I want to access
> from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
> /var/www/html/public_html/toby) and then map to them all separately on my
> Windows machine on separate drive letters, instead of having a single share
> that accesses everything.
>
> I'm beginning to suspect the problem is Samba, not SELinux, because my
> attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn
> up any events that correlate with attempts to access those directories through
> the symlinks. At this point, I'm beginning to suspect a fix in Samba 3.4.6 or
> 3.4.7 related to the "Samba Remote Directory Traversal" exploit that was
> announced in early February, but I'm hitting my patience limit (my 3 year old
> is ready for breakfast), so I'm going to stop writing and go with my
> workaround for now. But if anyone has advice, please offer!
>
> --Toby Ovod-Everett
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

If you put smbd_t into permissive mode, does samba work?

semanage permissive -a smbd_t
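The thread leaves two questions open: which of these trees really need the blanket samba_export_all_rw boolean, and whether the symlink failure is Samba rather than SELinux. The script below is an added example, not code from either poster or from the Fedora policy. It audits `ls -Zd`-style lines (a constructed sample that mirrors the contexts quoted above) against the file-type/boolean rules of the Fedora 12 targeted policy, emits the `semanage fcontext`/`restorecon` pair that makes a relabel survive a relabel, and reads an smb.conf fragment to report the effective `wide links` setting, which is the Samba parameter that governs following a symlink out of the share (its default is now `no`, and `unix extensions = yes`, itself the default, forces it off). The sample smb.conf contents and the share names `photos`/`homes` are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Type-to-access rules below
# follow the Fedora 12 era targeted policy; boolean names are the ones the
# thread uses (allow_smbd_anon_write, samba_export_all_rw, ...).

# Constructed sample of `ls -Zd` output for the trees discussed in the thread.
SAMPLE='drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 /data/photos
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/photos
drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 /var/www/html/thumbnails/180x180
drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/thumbnails
drwx------. toby toby unconfined_u:object_r:user_home_t:s0 /home/toby'

# selinux_type LINE -> the type field (third colon-separated part of the context)
selinux_type() {
    printf '%s\n' "$1" | awk '{print $4}' | cut -d: -f3
}

# share_advice TYPE -> what smbd/httpd get on that type and the narrowest knob for more
share_advice() {
    case "$1" in
      samba_share_t)           echo "smbd rw, httpd none: Samba-only share, no boolean needed" ;;
      public_content_rw_t)     echo "smbd rw with allow_smbd_anon_write=on, httpd rw with allow_httpd_anon_write=on, both read it anyway" ;;
      public_content_t)        echo "smbd ro, httpd ro: read-only for both, no boolean needed" ;;
      httpd_sys_content_t)     echo "httpd ro; smbd needs samba_export_all_ro (or relabel to public_content_rw_t)" ;;
      httpd_sys_rw_content_t)  echo "httpd rw; smbd needs samba_export_all_rw (or relabel to public_content_rw_t)" ;;
      httpd_sys_script_exec_t) echo "httpd executes CGI here; smbd write needs samba_export_all_rw, no narrower type keeps the scripts executable" ;;
      user_home_t)             echo "smbd rw with samba_enable_home_dirs=on; httpd none unless httpd_enable_homedirs=on" ;;
      *)                       echo "unknown type $1: smbd reaches it only via samba_export_all_ro/rw" ;;
    esac
}

# audit_shares < ls -Zd lines -> "PATH [TYPE]: advice", one line per input line
audit_shares() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        p=$(printf '%s\n' "$line" | awk '{print $NF}')
        ty=$(selinux_type "$line")
        echo "$p [$ty]: $(share_advice "$ty")"
    done
}

# fix_commands PATH TYPE -> the two commands that relabel PATH persistently
# (a bare chcon is lost on the next restorecon / full relabel)
fix_commands() {
    echo "semanage fcontext -a -t $2 '$1(/.*)?'"
    echo "restorecon -Rv '$1'"
}

# Constructed smb.conf fragments: one modern (unix extensions on), one legacy.
SMB_CONF='[global]
   workgroup = HOME
   unix extensions = yes

[homes]
   browseable = no
   writable = yes

[photos]
   path = /data/photos
   wide links = yes
   writable = yes'

SMB_CONF_LEGACY='[global]
   unix extensions = no
   wide links = yes

[photos]
   path = /data/photos'

# effective_wide_links CONF SHARE -> yes | no | forced-no
# share value wins over [global]; default is "no"; "unix extensions = yes"
# (default yes) forces wide links off even when the config says yes.
effective_wide_links() {
    printf '%s\n' "$1" | awk -v s="$2" '
        function val(line,  v) { v = line; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); return tolower(v) }
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
        tolower($0) ~ /^[ \t]*wide[ \t]+links[ \t]*=/ { if (sec == s) sv = val($0); else if (sec == "global") gv = val($0) }
        tolower($0) ~ /^[ \t]*unix[ \t]+extensions[ \t]*=/ { if (sec == "global") ux = val($0) }
        END {
            w = (sv != "") ? sv : ((gv != "") ? gv : "no")
            if (ux == "") ux = "yes"
            if (ux == "yes" && w == "yes") w = "forced-no"
            print w
        }'
}

printf '%s\n' "$SAMPLE" | audit_shares
fix_commands /data/photos public_content_rw_t
echo "wide links for [photos]: $(effective_wide_links "$SMB_CONF" photos)"
```

Read together with the reply above: after `semanage permissive -a smbd_t`, denials are still logged, so `ausearch -m avc -c smbd` shows what the policy would have blocked; if the symlinked path works in permissive mode the fix is a label or boolean from the audit, and if it still fails the cause is on the Samba side, where `wide links` is the first thing to check. Revert the permissive domain with `semanage permissive -d smbd_t` once done.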