?

Log in

No account? Create an account

Previous Entry Share Next Entry
Confining Samba with SELinux
danwalsh
My next few blogs will be taking different confined domains and writing about the types and booleans related to that domain, I will be updating the man pages for these confined domains.  And then showing how the policy for the domain works.

samba has had a man page available for some time named samba_selinux, here is my rewrite for Fedora 7/8

> man samba_selinux

samba_selinux(8)      Samba Selinux Policy documentation      samba_selinux(8)

NAME
       samba_selinux - Securing Samba with SELinux

DESCRIPTION
       Security-Enhanced  Linux  secures  the Samba server via flexible mandatory access control.  SELinux Samba policy defaults to least privilege access.  Several Booleans and file contexts are available to customize the way Samba SELinux works.

SHARING FILES
       SELinux requires files be labeled with an extended attribute to define the file type.  Policy governs the access daemons have to these files. When sharing files with Samba you have many options  on  how  to label the files.  If you want to share files/directories other than home directories or standard directory.  You should label these files/directories as samba_share_t.  For example if you created the directory /var/eng, you can label the directory and its contents with the chcon tool.

       # chcon -R -t samba_share_t /var/eng

       This label will not survive a relabel.  A better solution to make the change permanent, you must tell the SELinux system about the label customization.  The semanage command can customize the  default  file contexts on your machine. restorecon will read the file_context and apply it to the files and directories..

       # semanage fcontext -a -t samba_share_t ’/var/eng(/.*)?’
       # restorecon -R -v /var/eng

SHARING HOME DIRECTORIES
       By  default  SELinux  policy  turns  off  SELinux  sharing  of  home  directories  If  you  are  setting  up  this  machine  as  a  Samba  server  and wish to share the home directories, you need to set the        samba_enable_home_dirs boolean.

       # setsebool -P samba_enable_home_dirs 1

SHARING PUBLIC FILES
       If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above  domains  to  read
       the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:

       # semanage fcontext -a -t public_content_rw_t ’/var/eng(/.*)?’
       # restorecon -R -v /var/eng
       # setsebool -P allow_smbd_anon_write 1

SHARING FILES SYSTEM FILES
       Note:  You  should  not  do  the above for standard directories or home directories!  For example directories owned by an RPM.  If you wanted to share /usr via Samba, changing its context and all of the sub directories  to samba_share_t would be a bad idea.  Other confined domains would no longer be able to read /usr and this would cause havoc on the machine.  There are two booleans that you can set  to  allow the sharing of standard directories.  If you want to share any standard directory read/only you can set the boolean samba_export_all_ro.

       # setsebool -P samba_export_all_ro 1

       This boolean will allow Samba to read every file on the system.Similarly if you want to share all files and directories via Samba, you set the samba_export_all_rw

       # setsebool -P samba_export_all_rw 1

       This boolean would allow Samba to read and write every file on your system.  So a compromised Samba server would be very dangerous.

SHARING PUBLIC NFS FILES
       SELinux prevents the Samba daemons from reading/writing nfs shares by default.  If you are using samba to share NFS file systems you need to turn on the samba_share_nfs boolean

       # setsebool -P samba_share_nfs 1

USING CIFS/SAMBA HOME DIRECTORIES
       Samba  SELinux  policy will not allow any confined applications to access remote samba shares mounted on your machine.  If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.

       # setsebool -P use_samba_home_dirs 1

SAMBA Scripts
       Samba can be setup to run user defined scripts, by default if you install these scripts /var/lib/samba/scripts they will be labeled samba_unconfined_script_exec_t.  Since these scripts  can  do  just  about  anything on the system you can run them as unconfined.  But you need to turn on the samba_run_unconfined boolean

       # setsebool -P samba_run_unconfined 1

       If  you  are  willing  to  write  policy  an  interface  exists  in  samba.if  called  samba_helper_template(APP).   This  interface  will  create  a file context of samba_APP_script_exec_t, and a domain of samba_APP_script_t. Samba will transition scripts labeled samba_app_script_exec_t to samba_APP_script_t, you can then user audit2allow to write policy to confine your script.

USING SAMBA AS A DOMAIN CONTROLLER
       If you want to run samba as a domain controller, IE Add machines to the passwd file on a Linux box, you need to turn on the samba_domain_controller boolean.  This allows the Samba daemon to run and  transition to the passwd, useradd, and groupadd utilities.  These tools can manipulate the passwd database.

GUI system-config-selinux
       system-config-selinux is a GUI tool available to customize all of the SELinux booleans and file context described above.

AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO
       selinux(8), semanage(8), samba(7), chcon(1), setsebool(8), restorecon(8),

dwalsh@redhat.com                 9 Nov 2007                  samba_selinux(8)

  • 1
Thanks. I should also write man pages for my modules.
Semange should be replaced with semanage.

Bad selinux-policy f8 package

(Anonymous)
[admin@localhost ~]$ man samba_selinux
No manual entry for samba_selinux
[admin@localhost ~]$ rpm -q -l selinux_policy | grep /usr/share/man
[admin@localhost ~]$ rpm -q -l selinux-policy | grep /usr/share/man
/usr/share/man/man
/usr/share/man/man/man8
/usr/share/man/man/man8/ftpd_selinux.8.gz
/usr/share/man/man/man8/httpd_selinux.8.gz
/usr/share/man/man/man8/kerberos_selinux.8.gz
/usr/share/man/man/man8/named_selinux.8.gz
/usr/share/man/man/man8/nfs_selinux.8.gz
/usr/share/man/man/man8/nis_selinux.8.gz
/usr/share/man/man/man8/rsync_selinux.8.gz
/usr/share/man/man/man8/samba_selinux.8.gz
/usr/share/man/man/man8/ypbind_selinux.8.gz
/usr/share/man/man/ru
/usr/share/man/man/ru/man8
/usr/share/man/man/ru/man8/ftpd_selinux.8.gz
/usr/share/man/man/ru/man8/httpd_selinux.8.gz
/usr/share/man/man/ru/man8/kerberos_selinux.8.gz
/usr/share/man/man/ru/man8/named_selinux.8.gz
/usr/share/man/man/ru/man8/nfs_selinux.8.gz
/usr/share/man/man/ru/man8/rsync_selinux.8.gz
/usr/share/man/man/ru/man8/samba_selinux.8.gz
/usr/share/man/man/ru/man8/ypbind_selinux.8.gz
[admin@localhost ~]$


Should be /usr/share/man/man8, not /usr/share/man/man/man8 .

some typos

(Anonymous)
semange should be semanage I guess ;)

WaW

(Anonymous)
Register on http://www.w-aw.com to get the latest Scripts, Templates, Applications, Videos, Movies, Music, Songs, Script Packs, Plugins, Components, Tools e.g. Seo Tools, Windows, Webmaster Tools, Linux, Free cool Wallpaper, Graphics and designs, Online movies to watch online with out downloading, Also you can advertice in out site with Icon/Link Exchange, We can review your site, and Also Promote it. WaW has more then a 1000+ topics for you to look at.
www.W-aW.com

Thanks for the advice.

John.

Great advice man - really helpful.

Thank you
Bob
Rent-a-Website

Brilliant - couldn't work out why I could see the folders but not the files themselves. I had upgraded from Fedora 8 to 12 and was trying to re-create my server shares and it was driving me mad!

Many, many thanks.

Hi Dan,
If it were this simple, people would like SELinux, I am learning to hate it.

SELinux will block access to share folders created on drives mounted in /mnt/ or /media/

There is no seemingly logical way to allow access.


# semanage fcontext -a -t samba_share_t ’/var/eng(/.*)?’
# restorecon -R -v /var/eng


Does not work. Even if a folder is marked as a samba share to SELinux, it is still blocked by some obscure rule which you don't cover here, which is not covered in any online documentation I have found nor in any of the examples or explanations online.

Ergo, the final solution is to disable SELinux altogether, or to allow samba access to all files using a boolean.





Re: This doesn't work

You could mount them with a context mount.

context="system_u:object_r:samba_share_t:s0"


man mount
...
context=context, fscontext=context, defcontext=context, and
rootcontext=context
The context= option is useful when mounting filesystems that do
not support extended attributes, such as a floppy or hard disk
formatted with VFAT, or systems that are not normally running
under SELinux, such as an ext3 or ext4 formatted

disk from a non-SELinux workstation. You can also use context=
on filesystems you do not trust, such as a floppy. It also
helps in compatibility with xattr-supporting filesystems on ear‐
lier 2.4. kernel versions. Even where xattrs are supported,
you can save time not having to label every file by assigning
the entire disk one security context.

A commonly used option for removable media is
context="system_u:object_r:removable_t".

...

Re: This doesn't work

Hi Dan,
Thanks for getting back. I wasted half a day on this, more even.

I use Fedora daily, but this is my first attempt at using it to set up a server with it.

The drives in question are partitioned and formatted XFS. They are mounted in /mnt. Sometime earlier I did get one drive to work, a file on it is shareable, but, unfortunately I don't know exactly how.

This is what is so frustrating, it's like it's acting illogically.

I have tried editing fstab with various contexts - no luck. Even duplicating that which the working drive acquired during my fiddling.

tried context, fscontext - giving the entire mount point that context, mounting in the root partition, in home, nothing works.


context="system_u:object_r:samba_share_t:s0"

Doesn't work, that was my first guess.

I am on a reinstall right now - same issue!

Dan, this is like trying to decode Linear A...why was a a security tool designed with poisonous barbs on the handle?



Re: This doesn't work

Contact me via Email dwalsh@redhat.com

We can talk this out. Please write up exactly what you want.

SELinux context kill systemd

Hi,
I am asking about Fedora Server.

Mounting drives with this context: context=“system_u:object_r:samba_share_t:s0”

Causes issues with anything to do with sudo, systemd causing timeouts with the latter. Oddly, the problem is not resolved by disabling SELinux.

Mounting without the context works fine, but, I need this context as the drives are to be used as samba shares.

Additionally, the exact same lines in fstab worked a week ago.

Mounting with SELinux context means, for example, hostnamectl status will hang, eventually to return:
Failed to query system properties: Connection timed out

systemctl daemon-reload hangs, and returns Failed to reload daemon: Method call timed out

Re: SELinux context kill systemd

Andy please open a bugzilla on this.

  • 1