LinuxQuestions.org


mia_tech 08-19-2009 03:21 PM

problem with samba and selinux
 
Guys, I have a share on my server which users access through a mapped drive from the Window$ machines; I'm doing this with SAMBA, but the problem is that when I put SELinux in Enforcing mode, it will not let anyone access the share. I have to put it in permissive (I believe that's the correct word). At first the share was not available because I needed to add
Code:

chcon -R -t samba_share_t '/mnt/storage'
, but it still was not working until I put SELinux in permissive mode; then it worked fine... Is it possible to make samba work with SELinux in Enforcing mode?

thanks

blacky_5251 08-19-2009 11:58 PM

Check your SE Boolean settings:-
Code:

2.6.18-128.4.1.el5[root@www ~]# getsebool -a | grep smb
allow_smbd_anon_write --> off
smbd_disable_trans --> off
2.6.18-128.4.1.el5[root@www ~]# getsebool -a | grep samba
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on
samba_share_nfs --> on
use_samba_home_dirs --> on
virt_use_samba --> off
2.6.18-128.4.1.el5[root@www ~]#

These are my settings, and I'm happily working with Samba with SELinux in enforcing mode.

Don't forget to use "setsebool" with the -a option to make your changes permanent.

Let me know how you get on.

mia_tech 08-21-2009 02:43 AM

Man, I use
Code:

setsebool -P samba_export_all_ro on
setsebool -P samba_export_all_rw on

but when I try to access the drive from the network, SELinux is blocking access to the file

Code:

SELinux is preventing the samba daemon from accessing a ro file system

It is not a permission issue because when I put SELinux in permissive mode, I can access the share no problem. Besides, as a troubleshooting measure I gave the share 777 access.

blacky_5251 08-21-2009 04:05 PM

I don't know which distro or version of SELinux you're using, so perhaps you have an older version with a crappy policy.

You could use audit2allow to generate local policy settings that you could then load. I know I've had to do that for some postfix issues, but not Samba.

Have you googled the error message from the audit log file?

mia_tech 08-21-2009 07:42 PM

Quote:

Originally Posted by blacky_5251 (Post 3652918)
I don't know which distro or version of SELinux you're using, so perhaps you have an older version with a crappy policy.

You could use audit2allow to generate local policy settings that you could then load. I know I've had to do that for some postfix issues, but not Samba.

Have you googled the error message from the audit log file?

Yes, I have googled and I'm working on a few solutions. As far as my Linux version, I'm using CentOS 5.3 with all updates installed, so I don't think that would be a problem.

blacky_5251 08-21-2009 09:35 PM

Quote:

As far as my Linux version, I'm using CentOS 5.3 with all updates installed, so I don't think that would be a problem.

Agreed. I'm also using CentOS 5.3 fully patched, so I'm puzzled as to why you're having problems.

Could you post the error from /var/log/audit/audit.log and your smb.conf file?

Also, have you tried using setroubleshooter? There's a good chance it will tell you how to allow the behaviour that SELinux is blocking.

jamturtle 08-29-2009 12:41 PM

Hi guys, I was having the same problem and this is how I solved it.

I don't mount on the typical /mnt; I usually create a directory called /space and add disks there. Anyways, I had set up a samba share on /space/backup01 using
Code:

# chcon -R -t samba_share_t /space/backup01

SELinux just did not let me access it using samba from any Windows system. I kept on getting errors saying it was a default_t label, yet when I checked with
Code:

# ls -ldZ /space/backup01

I would see that indeed it was a samba_share_t label.

I did several relabels and verified that samba was working correctly by turning off SELinux.

Anyways, the error message regarding the default_t label keyed me into checking the parent directory's label, and sure enough it was default_t.

I ran
Code:

# chcon -t samba_share_t /space/

not using -R, so that the other directories in /space would not get a samba label.

This did the trick. Now I have samba working with SELinux enforcing.

mia_tech, /mnt has a special system label, mnt_t. I am not sure how this affects the solution I just described, nor am I sure setting /mnt to samba_share_t is a wise choice.

Well I hope this helps a little bit.

Good luck!
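
The parent-directory problem described in the post above shows up in /var/log/audit/audit.log as smbd being denied on a default_t directory even though the share itself is labeled samba_share_t. The following is an added example, not written by any poster in this thread: a shell helper that summarises smbd AVC denials by target type. The function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise SELinux AVC denials logged for smbd.
# Reads audit.log-style lines on stdin and prints one line per distinct
# denial: "<count> <target type> <class> <perms> <name>".
summarize_smbd_denials() {
    awk '
    /avc:/ && /denied/ && /comm="smbd"/ {
        perms = ""; name = "?"; ttype = "?"; tclass = "?"; in_braces = 0
        for (i = 1; i <= NF; i++) {
            # the denied permissions are the words between "{" and "}"
            if ($i == "{") { in_braces = 1; continue }
            if ($i == "}") { in_braces = 0; continue }
            if (in_braces) { perms = (perms == "") ? $i : (perms "," $i); continue }
            if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            # tcontext is user:role:type:level; the type is the third part
            if ($i ~ /^tcontext=/) { split(substr($i, 10), ctx, ":"); ttype = ctx[3] }
        }
        seen[ttype " " tclass " " perms " " name]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k2
}

# Distinct target types smbd was denied on, other than samba_share_t.
# As in the post above, default_t on a dir points at a directory on the
# path to the share rather than at the share itself.
unexpected_types() {
    summarize_smbd_denials | awk '$2 != "samba_share_t" { print $2 }' | sort -u
}

# Constructed sample input (not taken from a real system): two smbd denials
# on the parent directory "space", plus an unrelated httpd denial.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1251567660.101:501): avc:  denied  { search } for  pid=2345 comm="smbd" name="space" dev=sda1 ino=12 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1251567661.202:502): avc:  denied  { search } for  pid=2345 comm="smbd" name="space" dev=sda1 ino=12 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1251567670.303:510): avc:  denied  { getattr } for  pid=2400 comm="httpd" name="index.html" dev=sda1 ino=99 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
EOF
}

# Real use: summarize_smbd_denials < /var/log/audit/audit.log
sample_log | summarize_smbd_denials
```

A `name=` value that differs from the share's own directory name tells you which path component to inspect with `ls -ldZ`.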


All times are GMT -5.