samba_selinux - Security Enhanced Linux Policy for Samba
Security-Enhanced Linux secures the Samba server via flexible mandatory access
SELinux requires files to have an extended attribute to define the file type.
Policy governs the access daemons have to these files. If you want to share
files other than home directories, those files must be labeled samba_share_t.
So if you created a special directory /var/eng, you would need to label the
directory with the chcon tool.
- chcon -t samba_share_t /var/eng
- To make this change permanent (survive a relabel), use the
semanage command to add the change to file context configuration:
- semanage fcontext -a -t samba_share_t
- This command adds the following entry to
- /var/eng(/.*)? system_u:object_r:samba_share_t:s0
- Run the restorecon command to apply the changes:
- restorecon -R -v /var/eng/
If you want to share files with multiple domains (Apache, FTP, rsync, Samba),
you can set a file context of public_content_t and public_content_rw_t. These
context allow any of the above domains to read the content. If you want a
particular domain to write to the public_content_rw_t domain, you must set the
appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:
setsebool -P allow_smbd_anon_write=1
SELinux policy is customizable based on least access required. So by default
SELinux policy turns off SELinux sharing of home directories and the use of
Samba shares from a remote machine as a home directory.
- If you are setting up this machine as a Samba server and
wish to share the home directories, you need to set the
setsebool -P samba_enable_home_dirs 1
- If you want to use a remote Samba server for the home
directories on this machine, you must set the use_samba_home_dirs
setsebool -P use_samba_home_dirs 1
- system-config-selinux is a GUI tool available to customize
SELinux policy settings.
This manual page was written by Dan Walsh <firstname.lastname@example.org>.
selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)