LinuxQuestions.org
Old 03-26-2014, 09:01 AM   #1
tripialos
Member
 
Registered: Apr 2012
Posts: 166

Rep: Reputation: Disabled
Question samba with SElinux write issues


Greetings

I have set up a samba server on a RedHat 6 system with selinux in enforcing mode.

I created a test folder under /sambafolder and when I tried to mount it I was getting a connection permissions error. The issue was caused because the relevant folder had the wrong type context, so after changing the folder context to

Code:
samba_share_t
I was able to mount the partition and browse its contents. My problem now is that I cannot write/create files in the partition and this again is clearly a SELinux issue since when I disable selinux I can write and create files.

I do understand that if i enable the below seboolean:

Code:
samba_export_all_rw --> off
it will allow me to write but i think this is not recommended since this will allow samba to access any file/folder system which in fact negates the security of SELinux.

My question is how do you actually solve this issue? how do you now allow write access to the samba partition?

my samba config file is

Code:
[sambafolder]
	comment = test folder for samba service
	path = /sambafolder
	valid users = dude
	read list = dude
	read only = No
	hosts allow = 192.168.0.
and the permissions on the relevant folder are 777

Last edited by tripialos; 03-26-2014 at 09:22 AM.
 
Old 03-26-2014, 10:22 AM   #2
tripialos
Member
 
Registered: Apr 2012
Posts: 166

Original Poster
Rep: Reputation: Disabled
UPDATE

even with selinux in permissive mode still get the same error :-s

this is weird , the folder permission is 777, the samba config clearly configured to allow writes but i still get permission errors

any ideas?
 
Old 03-26-2014, 11:00 AM   #3
mddnix
Member
 
Registered: Mar 2013
Distribution: Redhat, Ubuntu
Posts: 525

Rep: Reputation: 141Reputation: 141
Try adding 'writeable = yes' and see what happens...
 
Old 03-26-2014, 11:24 AM   #4
tripialos
Member
 
Registered: Apr 2012
Posts: 166

Original Poster
Rep: Reputation: Disabled
I also tried with 'writeable = yes' but same results.

I read somewhere that this has to do with some sort of uid thing so if it might help the experts I executed an strace on the touch command. Here's the output:

Quote:

$strace touch dude
execve("/usr/bin/touch", ["touch", "dude"], [/* 55 vars */]) = 0
brk(0) = 0x1dfb000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd79c784000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=145390, ...}) = 0
mmap(NULL, 145390, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fd79c760000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\36\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2097264, ...}) = 0
mmap(NULL, 3924576, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd79c1a7000
mprotect(0x7fd79c35b000, 2097152, PROT_NONE) = 0
mmap(0x7fd79c55b000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b4000) = 0x7fd79c55b000
mmap(0x7fd79c561000, 16992, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd79c561000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd79c75f000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd79c75d000
arch_prctl(ARCH_SET_FS, 0x7fd79c75d740) = 0
mprotect(0x7fd79c55b000, 16384, PROT_READ) = 0
mprotect(0x60d000, 4096, PROT_READ) = 0
mprotect(0x7fd79c785000, 4096, PROT_READ) = 0
munmap(0x7fd79c760000, 145390) = 0
brk(0) = 0x1dfb000
brk(0x1e1c000) = 0x1e1c000
brk(0) = 0x1e1c000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=106070960, ...}) = 0
mmap(NULL, 106070960, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fd795c7e000
close(3) = 0
open("dude", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = -1 EACCES (Permission denied)
utimensat(AT_FDCWD, "dude", NULL, 0) = -1 EACCES (Permission denied)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2492, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd79c783000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2492
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7fd79c783000, 4096) = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory)
write(2, "touch: ", 7touch: ) = 7
write(2, "cannot touch \342\200\230dude\342\200\231", 23cannot touch ‘dude’) = 23
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, ": Permission denied", 19: Permission denied) = 19
write(2, "\n", 1
) = 1
close(1) = 0
close(2) = 0
exit_group(1) = ?
+++ exited with 1 +++


 
Old 03-26-2014, 12:01 PM   #5
tripialos
Member
 
Registered: Apr 2012
Posts: 166

Original Poster
Rep: Reputation: Disabled
UPDATE-2

Ok, I made progress but my issue is not yet solved.

The reason i could not create files was because i had the below option on the smb.conf file:

Quote:
read list = dude
This gives only read permission to the relevant user no matter what other writeable options are enabled.

Now if i execute touch command i still get the permission error but the file is created. I cant edit it tho nor make any modifications inside the text file.
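
The `read list` behaviour found in post #5, as an added example that is not part of the thread: a minimal Python check that reads a share definition and reports the access Samba's share-level parameters give a user. It covers only plain user names in `valid users`, `read list`, `write list` and the `read only` synonyms; `@group` entries, `[global]` defaults, filesystem permissions and SELinux are outside it, and the function names are hypothetical.

```python
import re

# Constructed sample: access-related lines of the [sambafolder] share from post #1.
SMB_CONF = """\
[sambafolder]
    path = /sambafolder
    valid users = dude
    read list = dude
    read only = No
"""
TRUE = {"yes", "true", "1"}

def parse_shares(text):
    """Minimal smb.conf reader: {share: {param: value}}, names lowercased."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def names(value):
    """Split a Samba user list on commas/whitespace (plain names only)."""
    return {n.lower() for n in re.split(r"[,\s]+", value or "") if n}

def share_writable(params):
    writable = False  # Samba default: read only = yes
    for key, value in params.items():
        if key == "read only":
            writable = value.lower() not in TRUE
        elif key in ("writeable", "writable", "write ok"):  # inverted synonyms
            writable = value.lower() in TRUE
    return writable

def effective_access(params, user):
    """Share-level result for user: 'denied', 'ro' or 'rw'."""
    user = user.lower()
    valid = names(params.get("valid users"))
    if valid and user not in valid:
        return "denied"
    if user in names(params.get("write list")):  # write list beats read list
        return "rw"
    if user in names(params.get("read list")):   # read-only whatever "read only" says
        return "ro"
    return "rw" if share_writable(params) else "ro"
```

For the share as posted, `effective_access(parse_shares(SMB_CONF)["sambafolder"], "dude")` gives `ro`; removing the `read list` line, or adding `dude` to a `write list`, gives `rw`.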
 
Old 03-27-2014, 09:48 AM   #6
tripialos
Member
 
Registered: Apr 2012
Posts: 166

Original Poster
Rep: Reputation: Disabled
Ok i have another update

If I mount the cifs share as root I can read/write and create files without any issues.
If I mount the folder as a non-root user I can touch a file but get permission denied; the file is created, however I cannot edit it.

Why is this happening? I mean I mount the share as the user "dude", which is the authorized user for the specific share, and the folder itself has 777 permission.

I don't get it

Does anyone have an idea why this is happening?
 
Old 04-01-2014, 06:59 PM   #7
tripialos
Member
 
Registered: Apr 2012
Posts: 166

Original Poster
Rep: Reputation: Disabled
I still haven't figured this out and still have no clue why this is happening.

I made a new folder
chmod it to 777
shared with samba
mounted it successfully, but still get permission denied :-S
SElinux is off

Quote:
[root@rhel6 ~]# mkdir /sambatest
[root@rhel6 ~]# chmod 777 /sambatest/
[root@rhel6 ~]# ll -d /sambatest/
drwxrwxrwx. 2 smbusr smbusr 4096 Apr 1 12:25 /sambatest/
[root@rhel6 ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[smbfolder]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
idmap config * : backend = tdb
cups options = raw

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No

[smbfolder]
comment = test samba folder
path = /sambatest
valid users = smbusr
read only = No
hosts allow = 192.168.0.0/24, 10.88.0.0/24
I think the config file looks fine. When I mount it from my Fedora laptop and try to create a file I get permission denied :-S

Quote:
user@laptop:~/Desktop/dimi$sudo mount -t cifs //10.88.0.111/smbfolder test/ -o username=smbusr,password=smbusr
user@laptop:~/Desktop/dimi$ll -d test
drwxrwxrwx 2 501 501 0 Apr 1 19:25 test
user@laptop:~/Desktop/dimi$touch test/testfile
touch: cannot touch ‘test/testfile’: Permission denied
user@laptop:~/Desktop/dimi$ls test/
testfile
user@laptop:~/Desktop/dimi$
user@laptop:~/Desktop/dimi$touch testdude
test/ testfile
user@laptop:~/Desktop/dimi$touch test/dude
touch: cannot touch ‘test/dude’: Permission denied
user@laptop:~/Desktop/dimi$ls test/
dude testfile
user@laptop:~/Desktop/dimi$echo "abc" > test/testfile
bash: test/testfile: Permission denied
user@laptop:~/Desktop/dimi$cat test/testfile
user@laptop:~/Desktop/dimi$
I don't understand... what am I missing?
Any samba guru for advice?

Last edited by tripialos; 04-01-2014 at 07:05 PM.
 
  



Tags
samba permissions, selinux

