Interactions between SELinux and Samba

The default Fedora Core 3 targeted SELinux policy is somewhat useless when trying to publish a bunch of files for public access. It seems the targeted policy does not define anything like that and, thus, it must be extended to add such functionality.

We will place all public Samba files into “/samba”. We will run the following commands to create it:

mkdir /samba
chmod 1777 /samba
chown root:root /samba

When we try to mount a Samba share, the following audit entry is generated into the kernel log:

audit(1105232730.949:0): avc: denied { getattr } for pid=4262
exe=/usr/sbin/smbd path=/samba dev=hda2 ino=9977859
scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir

This means the “smbd” process is trying to access the directory (tclass=dir) called “/samba”, whose inode is 9977859, in order to retrieve its attributes (getattr). The “smbd” process is running as “root:system_r:smbd_t”, but the currently loaded policy doesn’t allow it to retrieve attributes from an object labeled as “system_u:object_r:default_t”. All the files sitting beneath “/samba” are labeled, by default, as “system_u:object_r:default_t”.

So, we intend to create a new type that we will use to label all the files beneath “/samba”, then allow the “smbd” process to work with them with no restrictions at all except, of course, those imposed by the Discretionary Access Control (DAC) mechanisms.

  1. Label all public Samba files with a dedicated SELinux type

    The “/samba” directory and all files beneath it will be labeled with a specific type: “user_samba_t”. We will create the “/etc/selinux/targeted/src/policy/file_contexts/misc/custom.fc” file with the following line:

    /samba(/.*)? system_u:object_r:user_samba_t

    which means “the /samba directory and any file beneath it, will be labeled as system_u:object_r:user_samba_t”.

  2. Define a SELinux type used to label the public Samba files

    Next, we need to declare the “user_samba_t” type (the type part of “system_u:object_r:user_samba_t”) as a normal file type. We will create “/etc/selinux/targeted/src/policy/types/custom.fc” with the following line:

    type user_samba_t, file_type, sysadmfile;

  3. Allow the Samba daemon process to access Samba public files with no restrictions

    Finally, we need to explicitly allow “smbd” to be able to read, write, lock and get attributes for any file located beneath “/samba”. Also, we need to allow “smbd” to be able to search, read, write, lock and get attributes for any directory beneath “/samba”. We will create “/etc/selinux/targeted/src/policy/domains/misc/custom.te” with the following lines:

    allow smbd_t user_samba_t:dir { search read write rename getattr
    setattr lock add_name create remove_name rmdir };
    allow smbd_t user_samba_t:file { read write rename getattr setattr
    lock create unlink };

    The previous permissions were obtained by trial-and-error due to the fine-grained granularity of SELinux permissions: I tried creating a new directory, renaming a directory, removing a directory, creating a file, renaming a file.

  4. Compile and load the resulting SELinux policy

    Once the previous changes are made, we need to run the following commands:

    cd /etc/selinux/targeted/src/policy
    make load

    Should the last command run with no errors, the new policy will be compiled and loaded into memory. The final step is checking that Samba is working, and we can access all the public files from a remote computer with no problems at all.
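The denial quoted earlier and the trial-and-error in step 3 both come down to reading AVC messages and turning each one into the allow rule it asks for. The following shell functions are an added example (not part of the original post, and written for this page rather than taken from any project) that do exactly that, in the same spirit as audit2allow: avc_to_allow rewrites one denial per line into an allow rule, and avc_merge_rules collects several denials into one rule per source/target/class. The SAMPLE_* lines are constructed from the denial shown above, joined onto a single line as the kernel log prints it.

```shell
#!/bin/sh
# Constructed sample denials. The first one is the post's own AVC line joined
# onto one line; the other two are made up to show merging of permissions.
SAMPLE_AVC='audit(1105232730.949:0): avc: denied { getattr } for pid=4262 exe=/usr/sbin/smbd path=/samba dev=hda2 ino=9977859 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir'
SAMPLE_AVC2='audit(1105232731.100:0): avc: denied { read write } for pid=4262 exe=/usr/sbin/smbd path=/samba dev=hda2 ino=9977859 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir'
SAMPLE_AVC3='audit(1105232731.200:0): avc: denied { read } for pid=4262 exe=/usr/sbin/smbd path=/samba/readme dev=hda2 ino=9977860 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=file'

# avc_to_allow: read AVC denial lines on stdin, print one allow rule per line.
# Captures the permission set, the type field of scontext and tcontext
# (the third colon-separated field, so an MLS suffix such as ":s0" is dropped)
# and the object class. Lines that are not denials are ignored.
avc_to_allow() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* .*tcontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* .*tclass=\([^ ]*\).*/allow \2 \3:\4 { \1};/p'
}

# avc_merge_rules: like avc_to_allow, but merge all permissions requested for
# the same (source type, target type, class) into a single rule, deduplicated,
# so a burst of denials from one test run yields a compact rule set.
avc_merge_rules() {
    avc_to_allow | awk '
        {
            # Fields: allow SRC TGT:CLASS { perm ... };
            key = $2 " " $3
            for (i = 5; i < NF; i++) {
                if (!((key, $i) in seen)) {
                    seen[key, $i] = 1
                    perms[key] = perms[key] " " $i
                }
            }
        }
        END { for (k in perms) print "allow " k " {" perms[k] " };" }
    ' | sort
}

# demo_merged: feed the three constructed denials through avc_merge_rules.
demo_merged() {
    printf '%s\n%s\n%s\n' "$SAMPLE_AVC" "$SAMPLE_AVC2" "$SAMPLE_AVC3" | avc_merge_rules
}

# Stand-alone usage, e.g. against a live log: dmesg | avc_merge_rules
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
demo_merged
```

Note that the generated rules name whatever target type the denial reports. Run before the relabel in step 1, the sample above yields rules on default_t, which is the catch-all type for unlabeled files and should not be opened up to smbd_t; the rules are only meaningful once “/samba” carries user_samba_t, at which point the output matches the shape of the rules in step 3. The file_contexts entry alone does not relabel files that already exist, so checking “ls -dZ /samba” (and running restorecon -R /samba if it still shows default_t) before collecting denials is the check that keeps the generated rules on the intended type.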
