[FC5] Samba and SELinux

Dan Thurman dant at cdkkt.com
Thu Apr 6 17:36:17 UTC 2006


On Thu, 2006-04-06 at 07:48 +0100, Paul Howarth wrote:
> On Wed, 2006-04-05 at 13:26 -0700, Dan Thurman wrote:
> > On Wed, 2006-04-05 at 12:59 -0700, Bob Kashani wrote:
> > > On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote:
> > > > Folks,
> > > > 
> > > > What is the procedure for creating Samba shares and
> > > > getting around the SELinux issues?
> > > > 
> > > > Samba by default no longer works with shares such
> > > > as [homes] and any other added shares without administrator
> > > > intervention to add SELinux labels on share directories.
> > > > 
> > > > Please direct me to the FAQ for Samba & SELinux or
> > > > please tell me what I have to do to get samba shares
> > > > working.
> > > > 
> > > > In my case - I am getting permission denied in the audit
> > > > logs and in the message logs for nmbd, I am getting
> > > > "directories do not exist" errors (when they actually
> > > > do!).
> > > 
> > > /usr/sbin/setsebool -P samba_enable_home_dirs=1
> > > /usr/sbin/setsebool -P smbd_disable_trans=1
> > > 
> > > That's what I had to do to get samba working with home shares on FC5.
> > > 
> > > Bob
> > > 
> > 
> > Thanks for the response!  Yes, I did that for [home] but
> > the problem is what to do with: /var/www
> > 
> > There are many different contexts for this directory and all
> > the files under it and I was not sure how to make this directory
> > a samba share without blowing away the original context in fear
> > of breaking it all to bits.
> > 
> > I want to keep all the original context AND add samba share context
> > OR the public_share_rw_t as Stephen Smalley recommended but I was
> > not sure how to do that.  This is the question I asked of Mr Smalley
> > and I am waiting to hear of his response.
> 
> You can't have multiple contexts for a file, so it's not possible AFAIK
> to have both the original context *and* public_content_rw_t.
> 
> If your web server is only serving static data (nothing that requires
> write access to /var/www for the web server itself), you could
> relabel /var/www/* as public_content_t. If you have internal scripting
> like PHP that needs write access, you could use public_content_rw_t.
> 
> However, if you're using cgi scripts that currently need
> httpd_script_exec_t, you'd need to generate a local policy module that
> allowed samba to read/write the httpd_* types.
> 
> Paul.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Ugh...  I am too stupid to figure this out.

Can someone give me some examples, step-by-step how I can do it?

Steps to perform, IN ORDER listed:
1) relabel /var/www
   a) chcon -R -t public_content_t /var/www
   b) chcon -R -t public_content_rw_t /var/www/html/php  (hypothetical PHP area)
2) Local policy rules
   a) ????  I have no clue how to do this step!

Thanks!
Dan
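As an added example (not from the thread and not a Fedora tool), here is a small Python script that does the "local policy rules" step by hand: it parses AVC denials of the kind Dan sees in the audit log, merges them into allow rules the way audit2allow does, renders a .te module, and applies Paul's relabel-vs-module rule. The audit lines and the module name samba_www are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the thread): smbd_t denied access
# to /var/www files that still carry the httpd_* types.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1144340000.101:201): avc:  denied  { read } for  pid=2231 comm="smbd" name="index.html" dev=hda2 ino=13021 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1144340000.102:202): avc:  denied  { getattr } for  pid=2231 comm="smbd" path="/var/www/html/index.html" dev=hda2 ino=13021 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1144340000.103:203): avc:  denied  { write } for  pid=2231 comm="smbd" name="cache" dev=hda2 ino=13100 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_script_rw_t:s0 tclass=dir
type=AVC msg=audit(1144340000.104:204): avc:  denied  { search } for  pid=2231 comm="smbd" name="cgi-bin" dev=hda2 ino=13200 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\w+)")

def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # the type is the third field of user:role:type:level
            yield (m["s"].split(":")[2], m["t"].split(":")[2], m["c"],
                   frozenset(m["perms"].split()))

def aggregate_rules(denials):
    """Merge denials into {(stype, ttype, tclass): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_te(rules, module_name="samba_www"):
    """Render a .te module (module/require/allow syntax) for checkmodule/semodule."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {module_name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

def recommend(rules):
    """Paul's rule: plain content can be relabelled public_content(_rw)_t; anything touching httpd_*script* types needs the local module."""
    if all(t == "httpd_sys_content_t" for (_, t, _) in rules):
        return "relabel"
    return "local_module"
```

Compile the rendered file with checkmodule -M -m, package it with semodule_package and load it with semodule -i, but only after reading every allow line: each one grants smbd_t that access permanently, so the relabel route is preferable whenever the target is plain content.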
