SELinux, Samba, rsync and (maybe) others

Posted on 31. August 2011 by missing_link

Those who installed Samba on Fedora or any other SELinux enabled distribution may have faced the problem when they actually cannot access any Samba shares from their Windows machines. Samba logs in /var/samba/log may show lots of such messages:

[2007/07/03 16:37:44, 0] smbd/service.c:make_connection_snum(911)
'/opt/blah' does not exist or permission denied when connecting to
[blah]   Error was Permission denied
  • This is probably an SELinux problem and to fix it you’ll need to execute:
    • chcon -R -t samba_share_t /opt
  • That would be correctly like that if you only samba needs, but if you use other services like rsync or such who are public, you better use the following string:
    • chcon -R -t public_content_t  /opt
  • In order to survive a relabel add these lines to /etc/selinux/targeted/contexts/files/file_contexts file (if you are using targeted policy): 
    /opt(/.*)?  system_u:object_r:samba_share_t:s0
  • Or evenly
    • /opt(/.*)?  system_u:object_r:public_content_t:s0
  • Execute: 
    restorecon -v -R /opt/

    • This will set appropriate SELinux context on all files in /opt directory and SELinux won’t prevent Samba access anymore.

     

  • To allow Samba read/write to directories with SELinux execute the following:
    • setsebool -P samba_export_all_rw 1
  • To allow Samba to share your home directories with SELinux execute the following:
    • setsebool -P samba_enable_home_dirs 1

About missing_link

Nietzsche is dead.
This entry was posted in CentOS, Fedora, Linux, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.