problem with samba and selinux
Guys, I have a share on my server which users access through map drive from the Window$ machines; I'm doing this with SAMBA, but the problem is that when I put SELinux in Enforcing mode, it will not let anyone access the share. I have to put it in permissive (I believe that's the correct word). At first the share was not available because I needed to add
Code:
chcon -R -t samba_share_t '/mnt/storage'
thanks |
Check your SE Boolean settings:-
Code:
2.6.18-128.4.1.el5[root@www ~]# getsebool -a | grep smb
Don't forget to use "setsebool" with the -a option to make your changes permanent. Let me know how you get on. |
Man, I use
Code:
setsebool -P samba_export_all_ro on
Code:
SELinux is preventing the samba daemon from accessing a ro file system |
I don't know which distro or version of SELinux you're using, so perhaps you have an older version with a crappy policy.
You could use audit2allow to generate local policy settings that you could then load. I know I've had to do that for some postfix issues, but not Samba. Have you googled the error message from the audit log file? |
Could you post the error from /var/log/audit/audit.log and your smb.conf file? Also, have you tried using setroubleshoot? There's a good chance it will tell you how to allow the behaviour that SELinux is blocking. |
Hi guys, I was having the same problem and this is how I solved it.
I don't mount on the typical /mnt; I usually create a directory called /space and add disks there. Anyways, I had set up a samba share on /space/backup01 using
# chcon -R -t samba_share_t /space/backup01
SELinux just did not let me access it using samba from any Windows system. I kept on getting errors saying it was a default_t label, yet when I checked with
# ls -ldZ /space/backup01
I would see that indeed it was a samba_share_t label. I did several relabels and verified that samba was working correctly by turning off SELinux. Anyways, the error message regarding the default_t label keyed me into checking the parent directory's label, and sure enough it was default_t. I ran
# chcon -t samba_share_t /space/
not using -R, so that the other directories in /space would not get a samba label. This did the trick. Now I have samba working with SELinux enforcing.
mia_tech, /mnt has a special system label, mnt_t. I am not sure how this affects the solution I just described, nor am I sure setting /mnt to samba_share_t is a wise choice. Well, I hope this helps a little bit. Good luck! |
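The last post traced the denial to the share's parent directory carrying default_t. As an added example (not written by anyone in the thread), this sh script prints the SELinux type of every directory on the way to a share and flags suspect ones; the SUSPECT_TYPES list, the function names and the sample labels are assumptions constructed for illustration.

```shell
# Types flagged as suspicious: an assumption for this example, based on the
# default_t parent described in the thread. Adjust for your policy.
SUSPECT_TYPES="default_t unlabeled_t"

# Print a path's SELinux context (GNU stat on an SELinux-enabled host).
get_context() { stat -c %C -- "$1" 2>/dev/null; }

# Constructed sample labels reproducing the thread's situation (no SELinux needed).
sample_context() {
    case "$1" in
        /space)          echo "system_u:object_r:default_t:s0" ;;
        /space/backup01) echo "system_u:object_r:samba_share_t:s0" ;;
    esac
}

# Extract the type (third field) from user:role:type:level.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Print an absolute path and each ancestor, top-down, one per line.
path_components() {
    case "$1" in /*) ;; *) return 2 ;; esac
    p=${1%/}; out=""
    while [ -n "$p" ]; do
        out="$p
$out"
        p=${p%/*}
    done
    printf '%s' "$out"
}

# check_share_path PATH [LOOKUP]: report each component and return 1 if any
# has a suspect type. LOOKUP defaults to get_context (the live system).
check_share_path() {
    rc=0
    while IFS= read -r comp; do
        [ -n "$comp" ] || continue
        ctype=$(context_type "$("${2:-get_context}" "$comp")")
        case " $SUSPECT_TYPES " in
            *" $ctype "*) rc=1; echo "SUSPECT ${ctype} ${comp}" ;;
            *)            echo "ok ${ctype:-unknown} ${comp}" ;;
        esac
    done <<EOF
$(path_components "$1")
EOF
    return $rc
}

# Demo on the constructed labels; drop the second argument to query the host.
check_share_path /space/backup01 sample_context || true
```

On the constructed labels, /space is reported as SUSPECT while /space/backup01 is ok, which matches what the poster found by checking the parent by hand.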