Interactions between SELinux and Samba

The default Fedora Core 3 targeted SELinux policy is somewhat useless when trying to publish a bunch of files for public access. It seems the targeted policy does not define anything like that and, thus, it must be extended to add such functionality.

We will place all public Samba files into “/samba”. We will run the following commands to create it:

mkdir /samba
chmod 1777 /samba
chown root:root /samba

When we try to mount a Samba share, the following audit entry is generated into the kernel log:

audit(1105232730.949:0): avc: denied { getattr } for pid=4262
exe=/usr/sbin/smbd path=/samba dev=hda2 ino=9977859
scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir

Which means the “smbd” process is trying to access the directory (tclass=dir) called “/samba” whose inode is 9977859 in order to retrieve its attributes (getattr). The “smbd” process is running as “root:system_r:smbd_t”, but the currently loaded policy doesn’t allow it to retrieve attributes from an object labeled as “system_u:object_r:default_t”. All the files sitting beneath “/samba” are labeled, by default, as “system_u:object_r:default_t”.

So, we intend to create a new type that we will use to label all the files beneath “/samba”, then allow the “smbd” process to work with them with no restrictions at all except, of course, those imposed by the Discretionary Access Control (DACL) mechanisms.

  1. Label all public Samba files with a dedicated SELinux type

    The “/samba” directory and all files beneath it will be labeled accordingly with an specific type: “user_samba_t”. We will create the “/etc/selinux/targeted/src/policy/file_contexts/misc/custom.fc” file with the following line:

    /samba(/.*)? system_u:object_r:user_samba_t

    which means “the /samba directory and any file beneath it, will be labeled as system_u:object_r:user_samba_t”.

  2. Define a SELinux type used to label the public Samba files

    Next, we need to create the “system_u:object_r:user_samba_t” type as a normal file. We will create “/etc/selinux/targeted/src/policy/types/custom.fc” with the following line:

    type user_samba_t, file_type, sysadmfile;

  3. Allow the Samba daemon process to access Samba public files with no restrictions

    Finally, we need to explicitly allow “smbd” to be able to read, write, lock and get attributes for any file located beneath “/samba”. Also, we need to allow “smbd” to be able to search, read, write, lock and get attributes for any directory beneath “/samba”. We will create “/etc/selinux/targeted/src/policy/domains/misc/custom.te” with the following lines:

    allow smbd_t user_samba_t:dir { search read write rename getattr
    setattr lock add_name create remove_name rmdir };
    allow smbd_t user_samba_t:file { read write rename getattr setattr
    lock create unlink };

    The previous permissions were obtained by trial-and-error due to the fine-grained granularity of SELinux permissions: I tried creating a new directory, renaming a directory, removing a directory, creating a file, renaming a file.

  4. Compile and load the resulting SELinux policy

    Once the previous changed are made, we need to run the following commands:

    cd /etc/selinux/targeted/src/policy
    make load

    Should the last command run with no errors, the new policy will be compiled and loaded into memory. The final step is checking that Samba is working, and we can access all the public files from a remote computer with no problems at all.

One thought on “Interactions between SELinux and Samba

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s