SAMBA and SELINUX - Things you need to know

I decided to set up Samba using one of my existing Linux servers running Fedora Core 9. I have a filer (OpenFiler) that I use for most of my storage, but I like to have a “backup” system to send files to. My first problem setting up Samba was permission denied on directories for which I knew the permissions were set correctly. After some digging and trial and error I found out that SELinux was the issue denying access. The smb.conf file clearly states what is required to set the proper permissions, but if you use Webmin or another Samba admin interface you may not see the instructions unless you go digging.

If you create your own directory to place files in, you will have to use the chcon -t samba_share_t /path command to prepare it so SELinux will allow Samba to access it. Additionally, if you want to set up home drives you will have to “turn them on” for SELinux by using the setsebool -P samba_enable_home_dirs on command.

SELinux is a great security tool to leave enabled but is somewhat troublesome when things just don’t seem to work correctly. With a little digging (or Googling) and patience you will be glad you left SELinux enabled.
Here is the SELinux snippet, important commands are BOLD:

#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba_share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with other SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root preexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
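
The check-then-label procedure from the notes above, as an added example that is not part of the original post or of smb.conf: it reads the ls -ldZ context and only runs chcon on a directory that is not a system directory. The function names, the sample lines and the list of system directories are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from smb.conf): decide whether a directory may get samba_share_t.

# Constructed `ls -ldZ` lines for illustration.
SAMPLE_NEW='drwxr-xr-x  root root unconfined_u:object_r:var_t:s0 /srv/backup'
SAMPLE_DONE='drwxr-xr-x  root root unconfined_u:object_r:samba_share_t:s0 /srv/backup'
SAMPLE_SYS='drwxr-xr-x  root root system_u:object_r:etc_t:s0 /etc'

# Pull the context out of one `ls -ldZ` line: the first field shaped user:role:type[:level].
context_from_ls() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:[a-z_]+:[a-z0-9_]+(:.*)?$/) { print $i; exit }
    }'
}

# The type is the third colon-separated field of the context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# System directories that keep their policy labels (list is an assumption of this example).
is_system_dir() {
    case "$1" in
        /|/bin|/boot|/dev|/etc|/home|/lib|/lib64|/proc|/root|/sbin|/sys|/tmp|/usr|/var) return 0 ;;
        /bin/*|/boot/*|/dev/*|/etc/*|/lib/*|/lib64/*|/proc/*|/sbin/*|/sys/*|/usr/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print ok | relabel | refuse for a path and its `ls -ldZ` line.
share_label_action() {
    ctx_type=$(context_type "$(context_from_ls "$2")")
    if [ "$ctx_type" = "samba_share_t" ]; then echo ok
    elif is_system_dir "$1"; then echo refuse
    elif [ -z "$ctx_type" ]; then echo refuse   # no context shown: SELinux off or unparsable
    else echo relabel
    fi
}

# Live use on an SELinux host, e.g.: label_share /srv/backup
label_share() {
    case $(share_label_action "$1" "$(ls -ldZ "$1")") in
        ok)      echo "$1 is already samba_share_t" ;;
        relabel) chcon -t samba_share_t "$1" ;;
        *)       echo "refusing to relabel $1; see samba_export_all_ro/rw" >&2; return 1 ;;
    esac
}
```

A label set with chcon does not survive a full filesystem relabel; recording the rule with semanage fcontext -a -t samba_share_t and then running restorecon -R on the path makes it persistent.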
