Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

14.4. Configuration examples

The following examples provide real-world demonstrations of how SELinux complements the Samba server and how full function of the Samba server can be maintained.

14.4.1. Sharing directories you create
Copy link

The following example creates a new directory, and shares that directory through Samba:
  1. Confirm that the samba, samba-common, and samba-client packages are installed: 
    ~]$ rpm -q samba samba-common samba-client
package samba is not installed
package samba-common is not installed
package samba-client is not installed
    Copy to Clipboard Toggle word wrap
    If any of these packages are not installed, install them by using the yum utility as root: 
    ~]# yum install package-nameyum install package-name
    Copy to Clipboard Toggle word wrap
  2. Use the mkdir utility as root to create a new top-level directory to share files through Samba: 
    ~]# mkdir /myshare
    Copy to Clipboard Toggle word wrap
  3. Use the touch utility root to create an empty file. This file is used later to verify the Samba share mounted correctly: 
    ~]# touch /myshare/file1
    Copy to Clipboard Toggle word wrap
  4. SELinux allows Samba to read and write to files labeled with the samba_share_t type, as long as the /etc/samba/smb.conf file and Linux permissions are set accordingly. Enter the following command as root to add the label change to file-context configuration: 
    ~]# semanage fcontext -a -t samba_share_t "/myshare(/.*)?"
    Copy to Clipboard Toggle word wrap
  5. Use the restorecon utility as root to apply the label changes: 
    ~]# restorecon -R -v /myshare
restorecon reset /myshare context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
restorecon reset /myshare/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
    Copy to Clipboard Toggle word wrap
  6. Edit /etc/samba/smb.conf as root. Add the following to the bottom of this file to share the /myshare/ directory through Samba: 
    [myshare]
comment = My share
path = /myshare
public = yes
writable = no
    Copy to Clipboard Toggle word wrap
  7. A Samba account is required to mount a Samba file system. Enter the following command as root to create a Samba account, where username is an existing Linux user. For example, smbpasswd -a testuser creates a Samba account for the Linux testuser user: 
    ~]# smbpasswd -a testuser
New SMB password: Enter a password
Retype new SMB password: Enter the same password again
Added user testuser.
    Copy to Clipboard Toggle word wrap
    If you enter the above command, specifying a user name of an account that does not exist on the system, it causes a Cannot locate Unix account for 'username'! error.
  8. Start the Samba service: 
    ~]# systemctl start smb.service
    Copy to Clipboard Toggle word wrap
  9. Enter the following command to list the available shares, where username is the Samba account added in step 7. When prompted for a password, enter the password assigned to the Samba account in step 7 (version numbers may differ): 
    ~]$ smbclient -U username -L localhostsmbclient -U username -L localhostsmbclient -U username -L localhost
Enter username's password:
Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

Sharename       Type      Comment
---------       ----      -------
myshare         Disk      My share
IPC$            IPC       IPC Service (Samba Server Version 3.4.0-0.41.el6)
username        Disk      Home Directories
Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

Server               Comment
---------            -------

Workgroup            Master
---------            -------
    Copy to Clipboard Toggle word wrap
  10. Use the mkdir utility as root to create a new directory. This directory will be used to mount the myshare Samba share: 
    ~]# mkdir /test/
    Copy to Clipboard Toggle word wrap
  11. Enter the following command as root to mount the myshare Samba share to /test/, replacing username with the user name from step 7: 
    ~]# mount //localhost/myshare /test/ -o user=usernamemount //localhost/myshare /test/ -o user=username
    Copy to Clipboard Toggle word wrap
    Enter the password for username, which was configured in step 7.
  12. Enter the following command to view the file1 file created in step 3: 
    ~]$ ls /test/
file1
    Copy to Clipboard Toggle word wrap

14.4.2. Sharing a website
Copy link

It may not be possible to label files with the samba_share_t type, for example, when wanting to share a website in the /var/www/html/ directory. For these cases, use the samba_export_all_ro Boolean to share any file or directory (regardless of the current label), allowing read only permissions, or the samba_export_all_rw Boolean to share any file or directory (regardless of the current label), allowing read and write permissions.
The following example creates a file for a website in /var/www/html/, and then shares that file through Samba, allowing read and write permissions. This example assumes the httpd, samba, samba-common, samba-client, and wget packages are installed:
  1. As the root user, create a /var/www/html/file1.html file. Copy and paste the following content into this file: 
    <html>
<h2>File being shared through the Apache HTTP Server and Samba.</h2>
</html>
    Copy to Clipboard Toggle word wrap
  2. Enter the following command to view the SELinux context of file1.html: 
    ~]$ ls -Z /var/www/html/file1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1.html
    Copy to Clipboard Toggle word wrap
    The file is labeled with the httpd_sys_content_t. By default, the Apache HTTP Server can access this type, but Samba cannot.
  3. Start the Apache HTTP Server: 
    ~]# systemctl start httpd.service
    Copy to Clipboard Toggle word wrap
  4. Change into a directory your user has write access to, and enter the following command. Unless there are changes to the default configuration, this command succeeds: 
    ~]$ wget http://localhost/file1.html
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84 [text/html]
Saving to: `file1.html.1'

100%[=======================>] 84          --.-K/s   in 0s      

`file1.html.1' saved [84/84]
    Copy to Clipboard Toggle word wrap
  5. Edit /etc/samba/smb.conf as root. Add the following to the bottom of this file to share the /var/www/html/ directory through Samba: 
    [website]
comment = Sharing a website
path = /var/www/html/
public = no
writable = no
    Copy to Clipboard Toggle word wrap
  6. The /var/www/html/ directory is labeled with the httpd_sys_content_t type. By default, Samba cannot access files and directories labeled with the this type, even if Linux permissions allow it. To allow Samba access, enable the samba_export_all_ro Boolean: 
    ~]# setsebool -P samba_export_all_ro on
    Copy to Clipboard Toggle word wrap
    Do not use the -P option if you do not want the change to persist across reboots. Note that enabling the samba_export_all_ro Boolean allows Samba to access any type.
  7. Start the Samba service: 
    ~]# systemctl start smb.service
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat