Looking for SELinux advice regarding samba, apache

Daniel J Walsh dwalsh at redhat.com
Mon Mar 22 14:03:46 UTC 2010


On 03/21/2010 12:21 PM, Toby Ovod-Everett wrote:
> Two issues in this e-mail.  The first is a general request for advice on how
> to structure things for a home-grown photo system I developed - I had it
> working, now the SELinux config has some issues, etc.  The second is that
> something changed in libselinux or selinux-policy since January 17th and it's
> causing Samba some issues.
>
> So, here's a brief overview of the photo archive system I developed, the
> issues, and how I have them currently resolved.
>
> My server machine runs Fedora 12 with a pretty vanilla configuration and I run
> yum update regularly.  I have two partitions - /, which contains the OS
> install, user directories, etc., and /data, which I use for some large data
> sets that I don't want to have to copy when rebuilding the machine during OS
> upgrades.  In particular, the major large data set is /data/photos.
>
> There are three major directory trees that impact the photo system:
>
> /data/photos - contains the actual digital images in /data/photos/images and
> the information about them in /data/photos/info.  Context from / is:
>
> dr-xr-xr-x. root root system_u:object_r:root_t:s0      .
> drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 data
> drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
>
> /data/photos needs to be r/w for my user account (which is a member of photos)
> and readable for apache.  I generally access /data/photos through Samba from
> my user machine which runs (gasp) Windows 7.
>
>
> /var/www/cgi-bin/photos - contains the Perl scripts that implement the web
> frontend for viewing the photos (loading photos is all done from the Command
> Line).  I have httpd_enable_cgi=>on in order to support this.  Context is
> unchanged from default configs.  Desire r/w access through Samba from my user
> machine for editing the scripts using Notepad++.
>
>
> /var/www/html/thumbnails - contains directories of thumbnails for the photos.
> These are persistently cached in this tree and automatically generated or
> updated as required by the Perl scripts above when required.  This data
> doesn't have to persist across rebuilds.  There are different subdirectories
> for the different supported thumbnail sizes and each subdir needs to be
> r/w for apache.  Context from / is:
> dr-xr-xr-x. root root system_u:object_r:root_t:s0      .
> drwxr-xr-x. root root system_u:object_r:var_t:s0       var
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
> drwxr-xr-x. root      root system_u:object_r:httpd_sys_content_t:s0 html
> drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
> drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180
>
>
> One of the main issues is that I need Samba to have r/w to a bunch of the
> trees that apache needs access to.  Current Samba SELinux config is
> samba_enable_home_dirs=>on, allow_smbd_anon_write=>on,
> samba_export_all_rw=>on.  I'd like to be able to pull the latter eventually,
> but then I need to be able to figure out how to give Samba r/w access to the
> cgi-bin directory.
>
>
> Now on to the "what broke" question.  Somewhere in the last two months (it's
> been a while since I've added photos), I lost the ability to use Samba to
> access /data/photos.  Generally I access it through a symlink in my homedir:
> lrwxrwxrwx.  1 toby toby     12 2008-11-28 15:05 photos ->  /data/photos
>
> This has stopped working.  Things I tried:
> * Verifying symlinks.  I have Mail ->  mail in my homedir and that still works.
> * Verifying SELinux settings conform to above model.
> * Creating a separate share for /data/photos.  This worked.
>
> I obviously have a workaround now, but as a solution it's annoying, because it
> requires me to create separate shares for all of the things I want to access
> from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
> /var/www/html/public_html/toby) and then map to them all separately on my
> Windows machine on separate drive letters, instead of having a single share
> that accesses everything.
>
> I'm beginning to suspect the problem is Samba, not SELinux, because my
> attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn
> up any events that correlate with attempts to access those directories through
> the symlinks.  At this point, I'm beginning to suspect a fix in Samba 3.4.6 or
> 3.4.7 related to the "Samba Remote Directory Traversal" exploit that was
> announced in early February, but I'm hitting my patience limit (my 3 year old
> is ready for breakfast), so I'm going to stop writing and go with my
> workaround for now.  But if anyone has advice, please offer!
>
> --Toby Ovod-Everett
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
If you put smbd_t into permissive mode, does samba work?

semanage permissive -a smbd_t
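A permissive domain keeps running where policy would otherwise deny it, but every would-be denial is still logged as an AVC record, so the usual next step after `semanage permissive -a smbd_t` is to reproduce the access from the Windows client, run `ausearch -m avc -c smbd`, and read off which permission on which target type was refused (and `semanage permissive -d smbd_t` once done). The script below is an added example, not code from the thread or from Dan Walsh; it parses one AVC record into the four things that matter for diagnosis (source domain, target type, object class, denied permissions) and suggests which of the booleans mentioned in the thread to check. The `SAMPLE_AVC` record is constructed for illustration and is not taken from Toby's logs; the function names are the example's own.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC record the way you would after making
# smbd_t permissive and collecting denials with `ausearch -m avc -c smbd`.
# The record below is a constructed sample in the standard audit.log layout,
# not output from the original poster's machine.

SAMPLE_AVC='type=AVC msg=audit(1269266626.123:45): avc:  denied  { read } for  pid=1234 comm="smbd" name="photos" dev=sda2 ino=12345 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=lnk_file'

# avc_field RECORD KEY -> value of the first " KEY=" pair in the record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# avc_perms RECORD -> the permission list inside the braces, e.g. "read" or "read write"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ \([^}]*\) }.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# avc_type CONTEXT -> the type part of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD -> "source_domain target_type class perms"
avc_summary() {
    rec="$1"
    src=$(avc_type "$(avc_field "$rec" scontext)")
    tgt=$(avc_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_hint SOURCE_DOMAIN TARGET_TYPE -> the boolean worth checking first, if the
# combination is one of the writable-content cases discussed in the thread;
# anything else is reported as needing a relabel or a custom module review.
avc_hint() {
    case "$1:$2" in
        smbd_t:public_content_rw_t)  echo "getsebool allow_smbd_anon_write" ;;
        smbd_t:*)                    echo "getsebool samba_export_all_rw" ;;
        httpd_t:public_content_rw_t) echo "getsebool allow_httpd_anon_write" ;;
        *)                           echo "check label with ls -Z; review audit2allow -a output" ;;
    esac
}

# Stand-alone run: summarize the sample and print the first thing to check.
summary=$(avc_summary "$SAMPLE_AVC")
echo "denial: $summary"
set -- $summary
echo "next:   $(avc_hint "$1" "$2")"
```

Run it against real records by replacing `SAMPLE_AVC` with a line from `ausearch -m avc -c smbd --raw`; a denial on `tclass=lnk_file` is exactly the kind of record to look for when a share is reached through a symlink, and its absence (as the original poster found) points away from SELinux.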
