Looking for SELinux advice regarding samba, apache

Toby Ovod-Everett toby at ovod-everett.org
Sun Mar 21 16:21:02 UTC 2010


Two issues in this e-mail.  The first is a general request for advice on how
to structure things for a home-grown photo system I developed - I had it
working, now the SELinux config has some issues, etc.  The second is that
something changed in libselinux or selinux-policy since January 17th and it's
causing Samba some issues.

So, here's a brief overview of the photo archive system I developed, the
issues, and how I have them currently resolved.

My server machine runs Fedora 12 with a pretty vanilla configuration and I run
yum update regularly.  I have two partitions - /, which contains the OS
install, user directories, etc., and /data, which I use for some large data
sets that I don't want to have to copy when rebuilding the machine during OS
upgrades.  In particular, the major large data set is /data/photos.

There are three major directory trees that impact the photo system:

/data/photos - contains the actual digital images in /data/photos/images and
the information about them in /data/photos/info.  Context from / is:

dr-xr-xr-x. root root system_u:object_r:root_t:s0      .
drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 data
drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos

/data/photos needs to be r/w for my user account (which is a member of photos)
and readable for apache.  I generally access /data/photos through Samba from
my user machine which runs (gasp) Windows 7.


/var/www/cgi-bin/photos - contains the Perl scripts that implement the web
frontend for viewing the photos (loading photos is all done from the Command
Line).  I have httpd_enable_cgi=>on in order to support this.  Context is
unchanged from default configs.  Desire r/w access through Samba from my user
machine for editing the scripts using Notepad++.


/var/www/html/thumbnails - contains directories of thumbnails for the photos.
These are persistently cached in this tree and automatically generated or
updated as required by the Perl scripts above when required.  This data
doesn't have to persist across rebuilds.  There are different subdirectories
for the different supported thumbnail sizes and each subdir needs to be
r/w for apache.  Context from / is:
dr-xr-xr-x. root root system_u:object_r:root_t:s0      .
drwxr-xr-x. root root system_u:object_r:var_t:s0       var
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180


One of the main issues is that I need Samba to have r/w to a bunch of the
trees that apache needs access to.  Current Samba SELinux config is
samba_enable_home_dirs=>on, allow_smbd_anon_write=>on,
samba_export_all_rw=>on.  I'd like to be able to pull the latter eventually,
but then I need to be able to figure out how to give Samba r/w access to the
cgi-bin directory.


Now on to the "what broke" question.  Somewhere in the last two months (it's
been a while since I've added photos), I lost the ability to use Samba to
access /data/photos.  Generally I access it through a symlink in my homedir:
lrwxrwxrwx.  1 toby toby     12 2008-11-28 15:05 photos -> /data/photos

This has stopped working.  Things I tried:
* Verifying symlinks.  I have Mail -> mail in my homedir and that still works.
* Verifying SELinux settings conform to above model.
* Creating a separate share for /data/photos.  This worked.

I obviously have a workaround now, but as a solution it's annoying, because it
requires me to create separate shares for all of the things I want to access
from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
/var/www/html/public_html/toby) and then map to them all separately on my
Windows machine on separate drive letters, instead of having a single share
that accesses everything.

I'm beginning to suspect the problem is Samba, not SELinux, because my
attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn
up any events that correlate with attempts to access those directories through
the symlinks.  At this point, I'm beginning to suspect a fix in Samba 3.4.6 or
3.4.7 related to the "Samba Remote Directory Traversal" exploit that was
announced in early February, but I'm hitting my patience limit (my 3 year old
is ready for breakfast), so I'm going to stop writing and go with my
workaround for now.  But if anyone has advice, please offer!

--Toby Ovod-Everett
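Added example (editor's note, not code from the post): the question above is really "which type do I label each tree with so that a confined smbd and a confined httpd both get the access I want, without samba_export_all_rw". The script below encodes that decision for the types and booleans the post names and reports, for each directory in a pasted `ls -Z` listing, where the intended access falls short. The type and boolean names are those of the Fedora 12-era targeted policy as I remember them (an assumption; confirm on the box with `seinfo -t` and `getsebool -a`). The sample listing is taken from the post, plus one line I added for /var/www/cgi-bin/photos using the default cgi-bin label (httpd_sys_script_exec_t, also an assumption). The post does not say whether allow_httpd_anon_write is set, so the example evaluates both settings.

```python
"""Check whether SELinux file types give Samba and Apache the access a tree needs.

Editor-added example, not from the original post.  Type and boolean names follow
the Fedora 12-era targeted policy (assumption: verify with seinfo -t / getsebool -a).
"""
from typing import Dict, List, Tuple

RANK = {"none": 0, "ro": 1, "rw": 2}   # used to compare wanted vs. granted access


def smb_access(setype: str, bools: Dict[str, bool]) -> str:
    """Access a confined smbd gets to a file of type `setype`, given the booleans."""
    if setype == "samba_share_t":
        return "rw"
    if setype == "public_content_rw_t":
        return "rw" if bools.get("allow_smbd_anon_write") else "ro"
    if setype == "public_content_t":
        return "ro"
    # Every other type only reaches smbd through the export-all escape hatches.
    if bools.get("samba_export_all_rw"):
        return "rw"
    if bools.get("samba_export_all_ro"):
        return "ro"
    return "none"


def httpd_access(setype: str, bools: Dict[str, bool]) -> str:
    """Access a confined httpd (and its CGI scripts) gets to a file of type `setype`."""
    if setype == "httpd_sys_rw_content_t":
        return "rw"
    if setype == "public_content_rw_t":
        return "rw" if bools.get("allow_httpd_anon_write") else "ro"
    if setype in ("httpd_sys_content_t", "httpd_sys_script_exec_t", "public_content_t"):
        return "ro"
    return "none"


def parse_ls_z(line: str) -> Tuple[str, str]:
    """Return (name, selinux_type) from one `ls -Z` line: mode user group ctx name."""
    _mode, _user, _group, ctx, name = line.split(maxsplit=4)
    setype = ctx.split(":")[2]          # context is user:role:type:level
    return name.strip(), setype


def audit(ls_lines: List[str], wanted: Dict[str, Dict[str, str]],
          bools: Dict[str, bool]) -> List[Tuple[str, str, str, str, str]]:
    """For each directory in `wanted` (name -> {"smb": "rw"|"ro", "httpd": ...}),
    return (name, service, type, wanted, granted) wherever granted < wanted."""
    types = dict(parse_ls_z(l) for l in ls_lines if l.strip())
    problems = []
    for name, needs in wanted.items():
        setype = types[name]
        for svc, need in needs.items():
            got = (smb_access if svc == "smb" else httpd_access)(setype, bools)
            if RANK[got] < RANK[need]:
                problems.append((name, svc, setype, need, got))
    return problems


# Constructed input: the listings from the post, plus the cgi-bin line I added
# (default /var/www/cgi-bin label, assumption).
LISTING = """\
drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin/photos
"""

# Access the post says each tree needs.
WANTED = {
    "photos": {"smb": "rw", "httpd": "ro"},
    "thumbnails": {"httpd": "ro"},
    "180x180": {"httpd": "rw"},
    "cgi-bin/photos": {"smb": "rw", "httpd": "ro"},
}

# Booleans as the post lists them; allow_httpd_anon_write is not mentioned there.
POST_BOOLS = {"allow_smbd_anon_write": True, "samba_export_all_rw": True,
              "allow_httpd_anon_write": False}


def report(bools: Dict[str, bool]) -> None:
    problems = audit(LISTING.splitlines(), WANTED, bools)
    print("booleans:", {k: "on" if v else "off" for k, v in bools.items()})
    for name, svc, setype, need, got in problems or []:
        print(f"  {name}: {svc} wants {need}, type {setype} grants {got}")
    if not problems:
        print("  all intended access is granted")


if __name__ == "__main__":
    report(POST_BOOLS)
    report(dict(POST_BOOLS, allow_httpd_anon_write=True))
    report(dict(POST_BOOLS, samba_export_all_rw=False))
```

Two things fall out of running it. First, public_content_rw_t only becomes writable for httpd once allow_httpd_anon_write is on, so the 180x180 cache directory is read-only for the CGI scripts unless that boolean is set. Second, dropping samba_export_all_rw leaves the cgi-bin tree unreachable from Samba: a directory carries one type, and the type that lets httpd execute the scripts as CGI (httpd_sys_script_exec_t) is not one a confined smbd may write without the export-all boolean, which is exactly the tension the post describes. On the separate symlink question: Samba 3.4.6, the release that fixed the symlink directory-traversal issue referred to above (CVE-2010-0926), changed the default of `wide links` to `no` and forces it off whenever `unix extensions = yes`, so a symlink pointing outside the share (here ~/photos -> /data/photos) is no longer followed; `testparm -s | grep -i 'wide links'` shows the effective value, and because smbd refuses the path itself no AVC is ever generated, which matches the empty ausearch results.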

