14.4. Configuration examples
The following examples provide real-world demonstrations of how SELinux complements the Samba server and how full function of the Samba server can be maintained.
14.4.1. Sharing directories you create
The following example creates a new directory, and shares that directory through Samba:
- Confirm that the samba, samba-common, and samba-client packages are installed:
~]$ rpm -q samba samba-common samba-client
package samba is not installed
package samba-common is not installed
package samba-client is not installed
If any of these packages are not installed, install them by using the yum utility as root:
~]# yum install package-name
- Use the mkdir utility as root to create a new top-level directory to share files through Samba:
~]# mkdir /myshare
- Use the touch utility as root to create an empty file. This file is used later to verify that the Samba share mounted correctly:
~]# touch /myshare/file1
- SELinux allows Samba to read and write to files labeled with the samba_share_t type, as long as the /etc/samba/smb.conf file and Linux permissions are set accordingly. Enter the following command as root to add the label change to the file-context configuration:
~]# semanage fcontext -a -t samba_share_t "/myshare(/.*)?"
- Use the restorecon utility as root to apply the label changes:
~]# restorecon -R -v /myshare
restorecon reset /myshare context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
restorecon reset /myshare/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
- Edit /etc/samba/smb.conf as root. Add the following to the bottom of this file to share the /myshare/ directory through Samba:
[myshare]
comment = My share
path = /myshare
public = yes
writable = no
- A Samba account is required to mount a Samba file system. Enter the following command as root to create a Samba account, where username is an existing Linux user. For example, smbpasswd -a testuser creates a Samba account for the Linux testuser user:
~]# smbpasswd -a testuser
New SMB password: Enter a password
Retype new SMB password: Enter the same password again
Added user testuser.
If you enter the above command specifying a user name of an account that does not exist on the system, it causes a Cannot locate Unix account for 'username'! error.
- Start the Samba service:
~]# systemctl start smb.service
- Enter the following command to list the available shares, where username is the Samba account added in step 7. When prompted for a password, enter the password assigned to the Samba account in step 7 (version numbers may differ):
~]$ smbclient -U username -L localhost
Enter username's password:
Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

        Sharename       Type      Comment
        ---------       ----      -------
        myshare         Disk      My share
        IPC$            IPC       IPC Service (Samba Server Version 3.4.0-0.41.el6)
        username        Disk      Home Directories
Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
- Use the mkdir utility as root to create a new directory. This directory will be used to mount the myshare Samba share:
~]# mkdir /test/
- Enter the following command as root to mount the myshare Samba share to /test/, replacing username with the user name from step 7:
~]# mount //localhost/myshare /test/ -o user=username
Enter the password for username, which was configured in step 7.
- Enter the following command to view the file1 file created in step 3:
~]$ ls /test/
file1
14.4.2. Sharing a website
It may not be possible to label files with the samba_share_t type, for example, when wanting to share a website in the /var/www/html/ directory. For these cases, use the samba_export_all_ro Boolean to share any file or directory (regardless of the current label), allowing read-only permissions, or the samba_export_all_rw Boolean to share any file or directory (regardless of the current label), allowing read and write permissions.
The following example creates a file for a website in /var/www/html/, and then shares that file through Samba, allowing read and write permissions. This example assumes the httpd, samba, samba-common, samba-client, and wget packages are installed:
- As the root user, create a /var/www/html/file1.html file. Copy and paste the following content into this file:
<html>
<h2>File being shared through the Apache HTTP Server and Samba.</h2>
</html>
- Enter the following command to view the SELinux context of file1.html:
~]$ ls -Z /var/www/html/file1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1.html
The file is labeled with the httpd_sys_content_t type. By default, the Apache HTTP Server can access this type, but Samba cannot.
- Start the Apache HTTP Server:
~]# systemctl start httpd.service
- Change into a directory your user has write access to, and enter the following command. Unless there are changes to the default configuration, this command succeeds:
~]$ wget http://localhost/file1.html
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84 [text/html]
Saving to: `file1.html.1'

100%[=======================>] 84   --.-K/s   in 0s

`file1.html.1' saved [84/84]
- Edit /etc/samba/smb.conf as root. Add the following to the bottom of this file to share the /var/www/html/ directory through Samba:
[website]
comment = Sharing a website
path = /var/www/html/
public = no
writable = no
- The /var/www/html/ directory is labeled with the httpd_sys_content_t type. By default, Samba cannot access files and directories labeled with this type, even if Linux permissions allow it. To allow Samba access, enable the samba_export_all_ro Boolean:
~]# setsebool -P samba_export_all_ro on
Do not use the -P option if you do not want the change to persist across reboots. Note that enabling the samba_export_all_ro Boolean allows Samba to access any type.
- Start the Samba service:
~]# systemctl start smb.service
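As an added example that is not part of the guide, the following POSIX shell script encodes the rule both procedures above rely on: Samba can serve a path labeled samba_share_t, or a path with any label once samba_export_all_ro (read only) or samba_export_all_rw is on, and is denied otherwise even when Linux permissions allow access. The samba_access and share_type helpers and the ls -Zd sample are assumptions constructed for this example, not output from a real host.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): decide, for a given share, what SELinux
# lets Samba do, based on the share path's type and the samba_export_all_* Booleans.
# All inputs below are constructed; nothing is read from a live system.

# samba_access TYPE WRITABLE RO_BOOL RW_BOOL
#   TYPE     - SELinux type of the share path, e.g. samba_share_t (from `ls -Zd`)
#   WRITABLE - the share's "writable =" value in smb.conf (yes/no)
#   RO_BOOL  - samba_export_all_ro state (on/off, as shown by `getsebool`)
#   RW_BOOL  - samba_export_all_rw state (on/off)
# Prints one of: rw, ro, write-denied, denied
samba_access() {
  stype=$1; writable=$2; ro_bool=$3; rw_bool=$4
  if [ "$stype" = samba_share_t ] || [ "$rw_bool" = on ]; then
    # samba_share_t (or samba_export_all_rw, which covers any type):
    # smb.conf and Linux permissions decide between read and write.
    if [ "$writable" = yes ]; then echo rw; else echo ro; fi
  elif [ "$ro_bool" = on ]; then
    # samba_export_all_ro covers any type but is read only: a share declared
    # writable still has its writes denied by SELinux.
    if [ "$writable" = yes ]; then echo write-denied; else echo ro; fi
  else
    # No Samba-readable label and no export Boolean: access is denied even
    # when Linux permissions would allow it.
    echo denied
  fi
}

# share_type PATH LSZ_OUTPUT - pick the SELinux type of PATH out of `ls -Zd` lines
share_type() {
  printf '%s\n' "$2" | awk -v p="$1" '$NF == p { split($4, c, ":"); print c[3] }'
}

# Constructed sample of `ls -Zd /myshare /var/www/html` output (not captured from a host)
LSZ='drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 /myshare
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html'

# Walk both shares from the guide with the Booleans off, then with samba_export_all_ro on.
for p in /myshare /var/www/html; do
  t=$(share_type "$p" "$LSZ")
  printf '%-14s %-22s export_all_ro=off: %-7s export_all_ro=on: %s\n' \
    "$p" "$t" "$(samba_access "$t" no off off)" "$(samba_access "$t" no on off)"
done
```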