configuring samba with selinux enabled

General support questions
Post Reply
ron7000
Posts: 69
Joined: 2019/01/15 20:00:28

configuring samba with selinux enabled

Post by ron7000 » 2019/05/13 17:35:56

I tried to get samba working as simply as possible

Code: Select all

/etc/samba.smb.conf

[global]
        security = user
        passdb backend = tdbsam
[data]
        path=/data
from windows 7 or windows 10, I get a denied popup. Suspecting SELINUX being the culprit...

Code: Select all

/etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.

#SELINUX=enforcing

SELINUX=disabled

# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
by default sestatus reports enforcing
if I modifiy /etc/sestatus/config and set SELINUX=disabled (or permissive) then reboot, samba works.

What is the correct way to have SELINUX as enforcing and have samba work?

Is there any kind of documentation or manual for SELINUX for Redhat/CentOS 7.x ?
thanks.

User avatar
TrevorH
Forum Moderator
Posts: 25806
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: configuring samba with selinux enabled

Post by TrevorH » 2019/05/13 17:41:53

You can switch between permissive and enforcing modes just by running the setenforce 0|1 commands.

The default /etc/samba/smb.conf that we ship contains instructions on how to get it to work with selinux enabled.

Code: Select all

#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow Samba to use the useradd
# and groupadd family of binaries. Run the following command as the root user to
# turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

ron7000
Posts: 69
Joined: 2019/01/15 20:00:28

Re: configuring samba with selinux enabled

Post by ron7000 » 2019/05/13 18:04:05

ahaa! /etc/samba/smb.conf.example

smb.conf has just

Code: Select all

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
I also just found https://wiki.centos.org/HowTos/SELinux

thanks!

Post Reply