2.4.3. Sharing files between services
Type Enforcement helps prevent processes from accessing files intended for use by another process. For example, by default, Samba cannot read files labeled with the httpd_sys_content_t type, which are intended for use by the Apache HTTP Server. Files can be shared between the Apache HTTP Server, FTP, rsync, and Samba, if the desired files are labeled with the public_content_t or public_content_rw_t type.
The following example creates a directory and files, and allows that directory and files to be shared (read only) through the Apache HTTP Server, FTP, rsync, and Samba:
- Run the mkdir /shares command as the root user to create a new top-level directory to share files between multiple services.
- Files and directories that do not match a pattern in file-context configuration may be labeled with the default_t type. This type is inaccessible to confined services:

    ~]$ ls -dZ /shares
    drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /shares

- As the root user, create a /shares/index.html file. Copy and paste the following content into /shares/index.html:

    <html>
    <body>
    <p>Hello</p>
    </body>
    </html>

- Labeling /shares/ with the public_content_t type allows read-only access by the Apache HTTP Server, FTP, rsync, and Samba. Run the following command as the root user to add the label change to file-context configuration:

    ~]# semanage fcontext -a -t public_content_t "/shares(/.*)?"

- Run the restorecon -R -v /shares/ command as the root user to apply the label changes:

    ~]# restorecon -R -v /shares/
    restorecon reset /shares context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
    restorecon reset /shares/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
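After relabeling, it is worth confirming that nothing under the shared tree still carries a type the confined services cannot read. The following check is an added example, not part of the original guide: it reads "CONTEXT PATH" lines in the format produced by stat -c '%C %n' and reports every entry whose type is not public_content_t or public_content_rw_t. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux labels under a shared directory.
# Function names and sample data are constructed, not from the guide.

# Types this section names as shareable between Apache, FTP, rsync and Samba.
SHARE_TYPES="public_content_t public_content_rw_t"

# context_type CONTEXT: print the type field of user:role:type:level.
# The level may itself contain colons (s0:c0.c1023); the type is always field 3.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_share_type TYPE: succeed if TYPE is one of the shareable types.
is_share_type() {
    for t in $SHARE_TYPES; do
        if [ "$1" = "$t" ]; then return 0; fi
    done
    return 1
}

# audit_labels: read "CONTEXT PATH" lines on stdin, print "PATH TYPE" for each
# entry that is not shareable, and return 1 if any such entry was found.
audit_labels() {
    bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        ctype=$(context_type "$ctx")
        if ! is_share_type "$ctype"; then
            printf '%s %s\n' "$path" "$ctype"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample listing: two entries were never relabeled.
SAMPLE='system_u:object_r:public_content_t:s0 /shares
unconfined_u:object_r:default_t:s0 /shares/report.txt
unconfined_u:object_r:public_content_t:s0 /shares/file2
unconfined_u:object_r:user_home_t:s0 /shares/moved-from-home.txt'

# On a live system: find /shares -exec stat -c '%C %n' {} + | audit_labels
printf '%s\n' "$SAMPLE" | audit_labels || echo "mislabeled entries found"
```

Entries reported by the check can be fixed by running restorecon -R -v /shares/ again, since the file-context rule added above covers the whole tree.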
To share /shares/ through Samba:
- Run the rpm -q samba samba-common samba-client command to confirm the samba, samba-common, and samba-client packages are installed (version numbers may differ):

    ~]$ rpm -q samba samba-common samba-client
    samba-3.4.0-0.41.el6.3.i686
    samba-common-3.4.0-0.41.el6.3.i686
    samba-client-3.4.0-0.41.el6.3.i686

  If any of these packages are not installed, install them by running the yum install package-name command as the root user.
- Edit /etc/samba/smb.conf as the root user. Add the following entry to the bottom of this file to share the /shares/ directory through Samba:

    [shares]
    comment = Documents for Apache HTTP Server, FTP, rsync, and Samba
    path = /shares
    public = yes
    writable = no

- A Samba account is required to mount a Samba file system. Run the smbpasswd -a username command as the root user to create a Samba account, where username is an existing Linux user. For example, smbpasswd -a testuser creates a Samba account for the Linux testuser user:

    ~]# smbpasswd -a testuser
    New SMB password: Enter a password
    Retype new SMB password: Enter the same password again
    Added user testuser.

  Running smbpasswd -a username, where username is the user name of a Linux account that does not exist on the system, causes a Cannot locate Unix account for 'username'! error.
- Run the service smb start command as the root user to start the Samba service:

    ~]# service smb start
    Starting SMB services: [ OK ]

- Run the smbclient -U username -L localhost command to list the available shares, where username is the Samba account added in step 3. When prompted for a password, enter the password assigned to the Samba account in step 3 (version numbers may differ):

    ~]$ smbclient -U username -L localhost
    Enter username's password:
    Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

    Sharename       Type      Comment
    ---------       ----      -------
    shares          Disk      Documents for Apache HTTP Server, FTP, rsync, and Samba
    IPC$            IPC       IPC Service (Samba Server Version 3.4.0-0.41.el6)
    username        Disk      Home Directories
    Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

- Run the mkdir /test/ command as the root user to create a new directory. This directory will be used to mount the shares Samba share.
- Run the following command as the root user to mount the shares Samba share to /test/, replacing username with the user name from step 3:

    ~]# mount //localhost/shares /test/ -o user=username

  Enter the password for username, which was configured in step 3.
- Run the cat /test/index.html command to view the file, which is being shared through Samba:

    ~]$ cat /test/index.html
    <html>
    <body>
    <p>Hello</p>
    </body>
    </html>
To share /shares/ through the Apache HTTP Server:
- Run the rpm -q httpd command to confirm the httpd package is installed (version number may differ):

    ~]$ rpm -q httpd
    httpd-2.2.11-6.i386

  If this package is not installed, run the yum install httpd command as the root user to install it.
- Change into the /var/www/html/ directory. Run the following command as the root user to create a link (named shares) to the /shares/ directory:

    ~]# ln -s /shares/ shares

- Run the service httpd start command as the root user to start the Apache HTTP Server:

    ~]# service httpd start
    Starting httpd: [ OK ]

- Use a web browser to navigate to http://localhost/shares. The /shares/index.html file is displayed.
By default, the Apache HTTP Server reads an index.html file if it exists. If /shares/ did not have index.html, and instead had file1, file2, and file3, a directory listing would occur when accessing http://localhost/shares:
- Run the rm -i /shares/index.html command as the root user to remove the index.html file.
- Run the touch /shares/file{1,2,3} command as the root user to create three files in /shares/:

    ~]# touch /shares/file{1,2,3}
    ~]# ls -Z /shares/
    -rw-r--r-- root root system_u:object_r:public_content_t:s0 file1
    -rw-r--r-- root root unconfined_u:object_r:public_content_t:s0 file2
    -rw-r--r-- root root unconfined_u:object_r:public_content_t:s0 file3

- Run the service httpd status command as the root user to see the status of the Apache HTTP Server. If the server is stopped, run service httpd start as the root user to start it.
- Use a web browser to navigate to http://localhost/shares. A directory listing is displayed: