Bug 236460 - SELinux Samba - files in home directories have wrong user context
Summary: SELinux Samba - files in home directories have wrong user context
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2007-04-14 15:02 UTC by Anthony Messina
Modified: 2007-11-30 22:12 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-09-10 15:14:21 UTC


Description Anthony Messina 2007-04-14 15:02:27 UTC
Description of problem:
When files are created in a Samba home directory (or otherwise), SELinux labels
them with user: root_u instead of user_u

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Create a file/folder via Samba in a Samba share
2. ls -lZ that directory

Actual results:
The user is root_u instead of user_u

Expected results:
I would think that the user should be user_u, not root_u, even though Samba runs
as root.

Additional info:

Comment 1 Daniel Walsh 2007-04-16 15:21:52 UTC
Yes but in order to do this Samba would have to have SELinux knowledge in it. 
For now it does not.  Luckily in Targeted policy this should not be a big problem.

Comment 2 Simo Sorce 2007-08-24 13:33:32 UTC
Please don't mess with status tags :)
Reassigning to selinux maintainer

Comment 3 Daniel Walsh 2007-08-24 13:55:12 UTC
Actually, ordinarily they should be created as system_u if samba was started at
bootup.  If someone logs in as root and does a system samba restart, it will
give the files root as the user.  If the user logs in as a normal user and su's to
root and restarts the samba daemon, the files will get created with whatever
SELinux user the user logged in as.

So we can either leave this as is or change samba to ask SELinux what the user's
default SELinux user account is and change the files to the appropriate SELinux
context.  In the long run this is probably the best course of action but it
makes Samba a SELinux aware application.  Samba could then also ask the system
if this remote user is capable of rwx on files/directories of this context.  For
example, Samba is allowed to rwx files in all users' directories, but dwalsh
might be a guest user and simo a full user; SELinux would not allow dwalsh to
create a file in simo's directory even if the directory had 777 permissions.  But
through samba it would be allowed.

So this will not be fixed in FC6 or Fedora 7, but could be looked at in the future.

Of course this work would be best done by the Samba Developers.
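
Added example (not part of the bug thread, and not Samba or SELinux project code): a small audit helper for the behaviour described in comment 3, where the SELinux user on each file reflects the session that last started smbd. The paths and labels in SAMPLE are constructed, and `user_u` as the expected user is an assumption taken from the report.

```python
import os
from typing import NamedTuple, Optional


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # absent when the policy has no MLS/MCS level


def parse_context(raw: str) -> Context:
    """Split 'user:role:type[:level]'. The level can itself contain ':'
    (for example 's0:c0.c1023'), so split at most three times."""
    parts = raw.rstrip("\x00").strip().split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {raw!r}")
    return Context(parts[0], parts[1], parts[2],
                   parts[3] if len(parts) == 4 else None)


def read_context(path: str) -> Context:
    """Label of a real file, read from its security.selinux xattr (Linux only).
    The kernel returns the value NUL-terminated; parse_context strips that."""
    return parse_context(os.getxattr(path, "security.selinux").decode())


def unexpected_users(labels: dict, expected: str = "user_u") -> list:
    """Sorted (path, selinux_user) pairs whose user field is not `expected`."""
    found = []
    for path, raw in labels.items():
        user = parse_context(raw).user
        if user != expected:
            found.append((path, user))
    return sorted(found)


# Constructed sample: one home directory written to across three smbd
# lifetimes (started at boot, restarted by a root login, restarted after su).
SAMPLE = {
    "/home/alice/written-after-boot.txt": "system_u:object_r:user_home_t:s0",
    "/home/alice/written-after-root-restart.txt": "root:object_r:user_home_t:s0",
    "/home/alice/written-after-su-restart.txt": "user_u:object_r:user_home_t:s0",
}

if __name__ == "__main__":
    for path, user in unexpected_users(SAMPLE):
        print(f"{user:10} {path}")
```

On a live system, build the `labels` mapping by walking the share and calling `read_context` on each path instead of using SAMPLE.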

Comment 4 Anthony Messina 2007-08-24 15:03:15 UTC
(In reply to comment #2)
> Please don't mess with status tags :)
> Reassigning to selinux maintainer

Sorry about that.  I was trying to clean up to let you know I don't have an
issue with this anymore since it doesn't affect function, as dwalsh pointed out.
