
tripialos 03-26-2014 08:01 AM

samba with SElinux write issues
 
Greetings

I have set up a Samba server on a RedHat 6 system with SELinux in enforcing mode.

I created a test folder under /sambafolder, and when I tried to mount it I was getting a connection permissions error. The issue was caused by the relevant folder having the wrong SELinux type context, so after changing the folder context to

Code:

samba_share_t
I was able to mount the partition and browse its contents. My problem now is that I cannot write/create files in the partition, and this again is clearly an SELinux issue, since when I disable SELinux I can write and create files.

I do understand that if I enable the SELinux boolean below:

Code:

samba_export_all_rw --> off
it will allow me to write, but I think this is not recommended, since it will allow Samba to access any file or folder on the system, which in fact negates the security of SELinux.

My question is: how do you actually solve this issue? How do you now allow write access to the Samba partition?

my samba config file is

Code:

# Share definition for the test directory /sambafolder.
[sambafolder]
        comment = test folder for samba service
        path = /sambafolder
        # Only the account "dude" may connect to this share.
        valid users = dude
        # Users named in "read list" get read-only access even when the share
        # itself is writable, so this line overrides "read only = No" for dude.
        read list = dude
        read only = No
        # The trailing dot matches every address starting with 192.168.0.
        hosts allow = 192.168.0.

and the permissions on the relevant folder are 777

tripialos 03-26-2014 09:22 AM

UPDATE

Even with SELinux in permissive mode I still get the same error :-s

This is weird: the folder permission is 777 and the Samba config is clearly configured to allow writes, but I still get permission errors.

any ideas?

Madhu Desai 03-26-2014 10:00 AM

Try adding 'writeable = yes' and see what happens...

tripialos 03-26-2014 10:24 AM

I also tried with 'writeable = yes' but same results.

I read somewhere that this has to do with some sort of uid thing, so in case it helps the experts I ran strace on the touch command. Here's the output:

Quote:


$strace touch dude
execve("/usr/bin/touch", ["touch", "dude"], [/* 55 vars */]) = 0
brk(0) = 0x1dfb000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd79c784000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=145390, ...}) = 0
mmap(NULL, 145390, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fd79c760000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\36\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2097264, ...}) = 0
mmap(NULL, 3924576, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd79c1a7000
mprotect(0x7fd79c35b000, 2097152, PROT_NONE) = 0
mmap(0x7fd79c55b000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b4000) = 0x7fd79c55b000
mmap(0x7fd79c561000, 16992, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd79c561000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd79c75f000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd79c75d000
arch_prctl(ARCH_SET_FS, 0x7fd79c75d740) = 0
mprotect(0x7fd79c55b000, 16384, PROT_READ) = 0
mprotect(0x60d000, 4096, PROT_READ) = 0
mprotect(0x7fd79c785000, 4096, PROT_READ) = 0
munmap(0x7fd79c760000, 145390) = 0
brk(0) = 0x1dfb000
brk(0x1e1c000) = 0x1e1c000
brk(0) = 0x1e1c000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=106070960, ...}) = 0
mmap(NULL, 106070960, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fd795c7e000
close(3) = 0
open("dude", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = -1 EACCES (Permission denied)
utimensat(AT_FDCWD, "dude", NULL, 0) = -1 EACCES (Permission denied)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2492, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd79c783000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2492
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7fd79c783000, 4096) = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory)
write(2, "touch: ", 7touch: ) = 7
write(2, "cannot touch \342\200\230dude\342\200\231", 23cannot touch ‘dude’) = 23
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, ": Permission denied", 19: Permission denied) = 19
write(2, "\n", 1
) = 1
close(1) = 0
close(2) = 0
exit_group(1) = ?
+++ exited with 1 +++




tripialos 03-26-2014 11:01 AM

UPDATE-2

OK, I made progress, but my issue is not yet solved.

The reason I could not create files was that I had the option below in the smb.conf file:

Quote:

read list = dude
This gives only read permission to the relevant user no matter what other writeable options are enabled.

Now if I execute the touch command I still get the permission error, but the file is created. I can't edit it though, nor make any modifications inside the text file.

tripialos 03-27-2014 08:48 AM

Ok i have another update

If I mount the CIFS share as root I can read/write and create files without any issues.
If I mount the folder as a non-root user, touching a file returns permission denied, but the file is created; however, I cannot edit it.

Why is this happening? I mean, I mount the share as the user "dude", which is the authorized user for the specific share, and the folder itself has 777 permissions.

I dont get it

anyone has an idea why this is happening?

tripialos 04-01-2014 05:59 PM

I still havent figured this out and still have no clue why this is happening.

I made a new folder
chmod it to 777
shared with samba
mount it succesfully, but still get permission denied :-S
SElinux is off

Quote:

[root@rhel6 ~]# mkdir /sambatest
[root@rhel6 ~]# chmod 777 /sambatest/
[root@rhel6 ~]# ll -d /sambatest/
drwxrwxrwx. 2 smbusr smbusr 4096 Apr 1 12:25 /sambatest/
[root@rhel6 ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[smbfolder]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
idmap config * : backend = tdb
cups options = raw

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No

[smbfolder]
comment = test samba folder
path = /sambatest
valid users = smbusr
read only = No
hosts allow = 192.168.0.0/24, 10.88.0.0/24

I think the config file looks fine, but when I mount it from my Fedora laptop and try to create a file I get permission denied :-S

Quote:

user@laptop:~/Desktop/dimi$sudo mount -t cifs //10.88.0.111/smbfolder test/ -o username=smbusr,password=smbusr
user@laptop:~/Desktop/dimi$ll -d test
drwxrwxrwx 2 501 501 0 Apr 1 19:25 test
user@laptop:~/Desktop/dimi$touch test/testfile
touch: cannot touch ‘test/testfile’: Permission denied
user@laptop:~/Desktop/dimi$ls test/
testfile
user@laptop:~/Desktop/dimi$
user@laptop:~/Desktop/dimi$touch testdude
test/ testfile
user@laptop:~/Desktop/dimi$touch test/dude
touch: cannot touch ‘test/dude’: Permission denied
user@laptop:~/Desktop/dimi$ls test/
dude testfile
user@laptop:~/Desktop/dimi$echo "abc" > test/testfile
bash: test/testfile: Permission denied
user@laptop:~/Desktop/dimi$cat test/testfile
user@laptop:~/Desktop/dimi$
I don't understand... what am I missing?
Any Samba guru with advice?

