getting SAMBA to work with SELinux set to enforcing targeted

Post by ron7000 » 2019/05/20 14:51:53

A default install of CentOS 7.6 from DVD has SELINUX = enforcing and SELINUXTYPE=targeted in /etc/selinux/config.

If I do a basic samba share with selinux set as enforcing I am denied... from Windows I can do \\mylinuxserver and see the shared folder. But when I try to enter that shared folder I get a popup in Windows saying "Access Denied. Contact your administrator."

If I set selinux to permissive, samba will then work and I can observe real-time entries in /var/log/audit/audit.log with type AVC; however, that does not help me at this point, I don't understand selinux enough.

Do I need to selinux label the folders I decide to samba share out, with some selinux samba label, so selinux knows it's ok for samba to give access to those folders? How do I do that?
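The AVC records mentioned in this post can be reduced to the three fields that matter for a Samba share: the permission denied, the object class, and the SELinux type of the target. The following is an added example, not part of the original post; the audit lines in it are constructed samples, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: summarise smbd AVC denials from audit.log-style input.
# Output: one "permission class target_type" line per distinct denial.

summarise_smbd_avc() {
    # Keep only AVC records raised by the smbd process, then pull out
    # the denied permission(s), the target type and the object class.
    grep 'type=AVC' | grep 'comm="smbd"' |
    sed -n 's/.*denied  *{ \([^}]*\) }.*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([^ ]*\).*/\1 \3 \2/p' |
    sort -u
}

# Constructed sample records (not taken from a real host).
SAMPLE_AUDIT='type=AVC msg=audit(1558363913.101:456): avc:  denied  { read } for  pid=1234 comm="smbd" name="data1" dev="sda1" ino=67 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1558363914.202:457): avc:  denied  { getattr } for  pid=1234 comm="smbd" path="/home/ron" dev="sda1" ino=99 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1558363915.303:458): avc:  denied  { read } for  pid=1234 comm="smbd" name="data1" dev="sda1" ino=67 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1558363916.404:459): avc:  denied  { open } for  pid=4321 comm="httpd" path="/srv/x" dev="sda1" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'
```

On a live system the function reads the real log: `summarise_smbd_avc < /var/log/audit/audit.log`. A target type such as default_t means the shared directory has not been labelled for Samba.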

Post by TrevorH » 2019/05/20 15:17:34

See the instructions in /etc/samba/smb.conf.example

Post by ron7000 » 2019/05/20 19:24:30

hmm, deja vu

Code:

# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the useradd and groupadd family of binaries.
# Run the following command as the root user to turn this Boolean on:

setsebool -P samba_domain_controller on


# Turn the samba_enable_home_dirs Boolean on if you want to share homedirectories via Samba.
# Run the following command as the root user to turn this Boolean on:

setsebool -P samba_enable_home_dirs on



# If you create a new directory, such as a new top-level directory, label it with      samba_share_t
# so that SELinux allows Samba to read and write to it.
# Do not label system directories, such as /etc/ and /home/ with samba_share_t, as such directories should already have an SELinux label.
#

chcon -t samba_share_t /path/to/directory


# Changes made via chcon are lost when the file system is relabeled or commands such as restorecon are run.
# Run     "ls -ldZ /path/to/directory"    to view the current SELinux label for a given directory.

# Use the      samba_export_all_ro     or     samba_export_all_rw     Boolean to share system directories.
# To share such directories and only allow read-only permissions:         setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:         setsebool -P samba_export_all_rw on

All I needed to do was
  • setsebool -P samba_domain_controller on
  • setsebool -P samba_enable_home_dirs on
  • chcon -t samba_share_t /data1
Samba is now working with folders such as "ron" from under /home/ and also /data1/, which is explicitly shared out in /etc/samba/smb.conf

Code:

# /etc/samba/smb.conf

[data1]
        path = /data1
        read only = No
        inherit acls = Yes
        create mask = 660
        directory mask = 770


Post by hunter86_bg » 2019/05/21 04:14:49

> chcon -t samba_share_t /data1

This is not permanent and after relabel you will have a problem.

Run:

Code:

semanage fcontext -a -t samba_share_t "/data1(/.*)?" && restorecon -rv /data1
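To see whether a label was only set with chcon or is backed by a file-context rule, compare the type on disk with the type the policy assigns to the path. This is an added example, not part of the original post; the contexts below are constructed samples for /data1, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: does a path's SELinux type match what the policy's
# file-context rules assign, i.e. will it survive restorecon or a relabel?

# Extract the type (third field) from user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# $1 = context currently on disk, $2 = context the policy assigns.
label_status() {
    on_disk=$(selinux_type "$1")
    in_policy=$(selinux_type "$2")
    if [ "$on_disk" = "$in_policy" ]; then
        echo "persistent: $on_disk"
    else
        echo "temporary: relabel resets $on_disk to $in_policy"
    fi
}

# Live check on an SELinux host: stat %C reads the on-disk context,
# matchpathcon -n prints the policy's context for the path.
check_path() {
    label_status "$(stat -c %C "$1")" "$(matchpathcon -n "$1")"
}

# Constructed contexts for /data1 (assumed values, not from the thread).
# After chcon only: the disk says samba_share_t, the policy still says default_t.
CHCON_DISK='unconfined_u:object_r:samba_share_t:s0'
CHCON_POLICY='system_u:object_r:default_t:s0'
# After semanage fcontext + restorecon: both agree.
SEMANAGE_DISK='unconfined_u:object_r:samba_share_t:s0'
SEMANAGE_POLICY='system_u:object_r:samba_share_t:s0'

# Run against a real path when one is given and the tools are present.
if [ -n "${1:-}" ] && command -v matchpathcon >/dev/null 2>&1; then
    check_path "$1"
fi
```

`restorecon -nv /data1` gives the same answer as a dry run: it lists what a relabel would change without changing it.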


Post by ron7000 » 2019/05/22 17:55:00

Thanks. I remember seeing that statement about it not being persistent.

But if selinux starts from day 1 as enforcing, and never changes from enforcing, does that mean I would never be doing an selinux relabel and it would not be an issue?

When & why would someone need to do an selinux relabel, and what exactly is happening?


Post by ron7000 » 2019/05/22 19:44:15

I am finding that

Code:

# running with SELINUX=disabled
# edit /etc/selinux/config: SELINUX=permissive
touch /.autorelabel
reboot
# edit /etc/selinux/config: SELINUX=enforcing
touch /.autorelabel
reboot

Per RHEL documentation, from the disabled state you need to go to permissive first prior to going to enforcing. Easy enough.

After that is done
  • getsebool samba_domain_controller = OFF
  • getsebool samba_enable_home_dirs = OFF
  • have to do setsebool -P samba_domain_controller on and setsebool -P samba_enable_home_dirs on again to get my home shares to work
  • this is with the following in /etc/samba/smb.conf

    Code:

    [homes]
            comment = Home Directories
            valid users = %S, %D%w%S
            browseable = No
            read only = No
            inherit acls = Yes
            create mask = 660
            directory mask = 770
    


Post by hunter86_bg » 2019/05/24 06:35:36

Usually, I do a relabel when I have skipped several versions of the selinux & selinux-targeted rpms - just to be on the safe side.


Post by pjsr2 » 2019/05/24 10:43:03

> But if selinux starts from day 1 as enforcing, and never changes from enforcing, does that mean I would never be doing an selinux relabel and it would not be an issue?
>
> when & why would someone need to do an selinux relabel, and what exactly is happening?

Consider the day you need to restore something from backup. Maybe on that day you will have forgotten about this tiny detail. Are you sure all selinux context attributes are restored correctly when restoring from backup? On that day you may want to do a relabel or a restorecon.