getting SAMBA to work with SELinux set to enforcing targeted
A default install of CentOS 7.6 from DVD has SELINUX=enforcing and SELINUXTYPE=targeted in /etc/selinux/config.
If I do a basic Samba share with SELinux set as enforcing I am denied... from Windows I can do \\mylinuxserver and see the shared folder. But when I try to enter that shared folder I get a popup in Windows saying "Access Denied. Contact your administrator".
If I set SELinux to permissive, Samba will then work and I can observe real-time entries in /var/log/audit/audit.log with type AVC, however that does not help me at this point; I don't understand SELinux enough.
Do I need to SELinux-label the folders I decide to share out via Samba with some SELinux Samba label, so SELinux knows it's OK for Samba to give access to those folders? How do I do that?
Re: getting SAMBA to work with SELinux set to enforcing targeted
See the instructions in /etc/samba/smb.conf.example
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: getting SAMBA to work with SELinux set to enforcing targeted
Hmm, deja vu. All I needed to do was:
# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the useradd and groupadd family of binaries.
# Run the following command as the root user to turn this Boolean on:
setsebool -P samba_domain_controller on
# Turn the samba_enable_home_dirs Boolean on if you want to share homedirectories via Samba.
# Run the following command as the root user to turn this Boolean on:
setsebool -P samba_enable_home_dirs on
# If you create a new directory, such as a new top-level directory, label it with samba_share_t
# so that SELinux allows Samba to read and write to it.
# Do not label system directories, such as /etc/ and /home/ with samba_share_t, as such directories should already have an SELinux label.
#
chcon -t samba_share_t /path/to/directory
# Changes made via chcon are lost when the file system is relabeled or commands such as restorecon are run.
# Run "ls -ldZ /path/to/directory" to view the current SELinux label for a given directory.
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system directories.
# To share such directories and only allow read-only permissions: setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions: setsebool -P samba_export_all_rw on
- setsebool -P samba_domain_controller on
- setsebool -P samba_enable_home_dirs on
- chcon -t samba_share_t /data1
/etc/samba/smb.conf
[data1]
path = /data1
read only = No
inherit acls = Yes
create mask = 660
directory mask = 770
Re: getting SAMBA to work with SELinux set to enforcing targeted
chcon -t samba_share_t /data1
This is not permanent and after a relabel you will have a problem.
Run:
semanage fcontext -a -t samba_share_t "/data1(/.*)?" && restorecon -rv /data1
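The AVC entries the OP saw in /var/log/audit/audit.log while SELinux was permissive are what tell you which of the two fixes above applies: a persistent samba_share_t label (semanage fcontext + restorecon) for an ordinary directory, or the samba_enable_home_dirs boolean for home directories. The following triage script is an added example, not code from the thread: it parses constructed sample AVC records and maps each smbd denial to the matching remedy; the share path, the sample lines and the type-to-remedy rules are assumptions.

```python
import re

# Constructed sample records in the shape of /var/log/audit/audit.log AVC denials
# (not taken from a real system); the SYSCALL record is there to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1551234567.101:201): avc:  denied  { read } for  pid=2101 comm="smbd" name="data1" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1551234567.102:202): avc:  denied  { write } for  pid=2101 comm="smbd" name="report.txt" dev="dm-0" ino=140 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551234567.103:203): avc:  denied  { read } for  pid=2102 comm="smbd" name="bob" dev="dm-0" ino=900 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1551234567.103:203): arch=c000003e syscall=257 success=yes exit=3
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) '
    r'comm="(?P<comm>[^"]+)"(?: name="(?P<name>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Target types that the samba_enable_home_dirs boolean covers (assumption: the
# standard home-directory types of the targeted policy).
HOME_TYPES = {"user_home_dir_t", "user_home_t"}

def parse_avc(log_text):
    """Return one dict per AVC denial record; other record types are ignored."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            d["stype"] = d["scontext"].split(":")[2]   # e.g. smbd_t
            d["ttype"] = d["tcontext"].split(":")[2]   # e.g. default_t
            denials.append(d)
    return denials

def samba_hint(avc, share_path):
    """Map one smbd denial to the remedy from the thread; None if not Samba's."""
    if avc["stype"] != "smbd_t":
        return None                      # some other confined domain, not our problem
    if avc["ttype"] in HOME_TYPES:
        return "setsebool -P samba_enable_home_dirs on"
    if avc["ttype"] == "samba_share_t":
        return None                      # already labeled: check DAC perms/masks instead
    # Any other label on the exported tree: give it a persistent samba_share_t label.
    return ('semanage fcontext -a -t samba_share_t "%s(/.*)?" && restorecon -rv %s'
            % (share_path, share_path))

def triage(log_text, share_path):
    """Unique, sorted remedies for all smbd denials found in the log text."""
    hints = {samba_hint(a, share_path) for a in parse_avc(log_text)}
    return sorted(h for h in hints if h)
```

Run it over the real audit.log (e.g. `triage(open("/var/log/audit/audit.log").read(), "/data1")`) after reproducing the denial in permissive mode; denials against samba_share_t mean the remaining problem is ordinary file permissions, not SELinux.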
Re: getting SAMBA to work with SELinux set to enforcing targeted
Thanks. I remember seeing that statement about it not being persistent.
But if SELinux starts from day 1 as enforcing, and never changes from enforcing, does that mean I would never be doing an SELinux relabel and it would not be an issue?
When & why would someone need to do an SELinux relabel, and what exactly is happening?
Re: getting SAMBA to work with SELinux set to enforcing targeted
I am finding that, per RHEL documentation, from the disabled state you need to go to permissive first prior to going to enforcing. Easy enough.
# starting point: running with SELINUX=disabled in /etc/selinux/config
# edit /etc/selinux/config and set SELINUX=permissive
touch /.autorelabel
reboot
# after the relabel, edit /etc/selinux/config and set SELINUX=enforcing
touch /.autorelabel
reboot
After that is done
- getsebool samba_domain_controller = OFF
- getsebool samba_enable_home_dirs = OFF
- have to do setsebool -P samba_domain_controller on and setsebool -P samba_enable_home_dirs on again to get my home shares to work
- this is with the following in /etc/samba/smb.conf
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
create mask = 660
directory mask = 770
Re: getting SAMBA to work with SELinux set to enforcing targeted
Usually, I do a relabel when I had skipped several versions of the selinux & selinux-targeted RPMs, just to be on the safe side.
Re: getting SAMBA to work with SELinux set to enforcing targeted
But if selinux starts from day 1 as enforcing, and never changes from enforcing, does that mean I would never be doing an selinux relabel and it would not be an issue?
when & why would someone need to do an selinux relabel, and what exactly is happening?
Consider the day you need to restore something from backup. Maybe on that day you will have forgotten about this tiny detail. Are you sure all SELinux context attributes are restored correctly when restoring from backup? On that day you may want to do a relabel or a restorecon.