Re: SELinux user label problem with Samba share files

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 01/05/2016 11:37 PM, Jeff Boyce wrote:
Greetings -

A coworker ran into a (permission denied) problem recently trying to
save a file on our Samba server.  So I first checked into the normal
user and group permissions for the user and the file, and everything
seemed fine there.  So then I moved on to investigating whether it was
an SELinux issue, and subsequently I think I found more problems on our
Samba server than I wanted to see.

A short description of the issue that I see is that while the files on
my Samba share are labeled with the samba_share_t type, there is a
mixture of two different SELinux user labels.  Some directories/files
are labeled with system_u and others are labeled with unconfined_u.  The
particular file that the coworker was trying to save (and received a
permission denied result) had a system_u label.  An example of the
mixture is shown below.

[root@sequoia CorporateDocs]# ls -lZ
drwxrws--T. eileenm mei_office system_u:object_r:samba_share_t:s0
Amendments
drwxrws--T. jeffb   meiboard unconfined_u:object_r:samba_share_t:s0
Budget Materials
-rwxrw----. eileenm mei_office system_u:object_r:samba_share_t:s0
Ltr_Engagement_Mclanahan.pdf
drwxrws--T. jeffb   meiboard unconfined_u:object_r:samba_share_t:s0 MEI
Stock
-rwxrw----. eileenm mei_office system_u:object_r:samba_share_t:s0
Original By-laws.pdf

Our setup in this small office includes a Samba file server that is
accessed by all staff through their Windows desktop/laptop systems. We
have a half a dozen main directories under our primary share with only
one of them restricted to a subset of the staff as diagrammed below. The
restricted subset is defined by standard user and group restrictions.

Ecosystem Share
    Projects  -  all staff
    Proposals  -  all staff
    Reference  -  all staff
    CorporateAdmin  -  restricted subset of staff

I suspect that the mixture of selinux user labels was a result of our
migration to this CentOS 6 server (a KVM guest if that matters) a couple
years ago from a pre-selinux RHEL 3 server.  I thought I had all my
Samba selinux settings setup correctly when doing the migration, but I
guess not.  I am actually surprised that we haven't run into the issue
earlier.

My goal now is to get all the selinux user labels uniformly correct and
solve the permission denied error that my coworker encountered. I am
hoping the first solves the second, and doesn't conflict with it.
Although I am not sure which label is correct for my situation, system_u
or unconfined_u.  And if it is system_u, then why the permission denied
issue on that particular file.  They don't have the same issue with
other files in other directories that have a system_u label.

I have read through the RHEL SE Linux User guide an am not sure where to
go from here.  So I am looking for some guidance from the experts here.
I looked into the
/etc/selinux/targeted/contexts/files/file_contexts.local file and see
the following information.  Maybe this is messed up also; or a
contributing factor to my issue.

# This file is auto-generated by libsemanage
# Do not edit directly.
/ecosystem(/.*)?    system_u:object_r:samba_share_t:s0
/home/jeffb/messages    system_u:object_r:user_home_t:s0
./CorporateDocs    system_u:object_r:samba_share_t:s0

Any guidance appreciated.  You may cc me directly as I only get the
daily digest of this list.  Thanks.

Jeff


Hi,

If you turn system into permissive mode, is it working?

Could you reproduce it and attach audit logs?
1. Reproduce the problem
2. # ausearch -m AVC

Thank you,
Lukas.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux