2.4.3. Sharing files between services
Type Enforcement helps prevent processes from accessing files intended for use by another process. For example, by default, Samba cannot read files labeled with the httpd_sys_content_t type, which are intended for use by the Apache HTTP Server. Files can be shared between the Apache HTTP Server, FTP, rsync, and Samba, if the desired files are labeled with the public_content_t or public_content_rw_t type.
The following example creates a directory and files, and allows that directory and files to be shared (read only) through the Apache HTTP Server, FTP, rsync, and Samba:
1. Run the `mkdir /shares` command as the root user to create a new top-level directory to share files between multiple services.

2. Files and directories that do not match a pattern in file-context configuration may be labeled with the default_t type. This type is inaccessible to confined services:

   ```
   ~]$ ls -dZ /shares
   drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /shares
   ```

3. As the root user, create a `/shares/index.html` file. Copy and paste the following content into `/shares/index.html`:

4. Labeling `/shares/` with the public_content_t type allows read-only access by the Apache HTTP Server, FTP, rsync, and Samba. Run the following command as the root user to add the label change to file-context configuration:

   ```
   ~]# semanage fcontext -a -t public_content_t "/shares(/.*)?"
   ```

5. Run the `restorecon -R -v /shares/` command as the root user to apply the label changes:

   ```
   ~]# restorecon -R -v /shares/
   restorecon reset /shares context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
   restorecon reset /shares/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
   ```
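The `restorecon` output above is the only confirmation the procedure gives that the label change took effect. A file copied into the tree later with `cp -p`, or moved in with `mv`, keeps its old context and is invisible to the confined services even though the `semanage fcontext` rule still matches it. The script below is an added example, not part of the Red Hat guide: it parses the five-column `ls -Z` output format shown on this page (permissions, user, group, context, path), extracts the type field from each context, and reports every entry whose type is not public_content_t or public_content_rw_t. The `/shares/notes.txt` line in the sample input is constructed to show a file that slipped through with an admin_home_t label.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit a shared tree for entries
# that do not carry a public_content type, using the five-column "ls -Z"
# format shown on the page:
#   perms  user  group  user:role:type:level  path

# Print the SELinux type field of a context string, e.g.
# unconfined_u:object_r:default_t:s0 -> default_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when the type is one the guide uses for files shared between
# httpd, FTP, rsync and Samba: public_content_t (read-only) or
# public_content_rw_t (read/write).
is_public_type() {
    case "$1" in
        public_content_t|public_content_rw_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "ls -Z"-style lines on stdin; print "path type" for each entry whose
# type is not a public_content type. Returns 1 if any were found, else 0.
find_mislabeled() {
    _found=0
    while read -r _perms _user _group _ctx _path; do
        [ -z "$_path" ] && continue
        _t=$(selinux_type "$_ctx")
        if ! is_public_type "$_t"; then
            printf '%s %s\n' "$_path" "$_t"
            _found=1
        fi
    done
    return $_found
}

# Constructed sample output: /shares was relabeled, but notes.txt was copied
# in afterwards with "cp -p" from /root and kept its admin_home_t label.
SAMPLE_LS_Z='drwxr-xr-x  root root system_u:object_r:public_content_t:s0 /shares
-rw-r--r--  root root system_u:object_r:public_content_t:s0 /shares/index.html
-rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 /shares/notes.txt'

# Run the audit over the constructed sample (no SELinux system needed).
audit_sample() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled
}

audit_sample
```

On a RHEL 6 host the same function can be fed live data with `find /shares -exec ls -dZ {} + | find_mislabeled`, which yields absolute paths in the same five-column layout; a non-zero exit means at least one entry needs another `restorecon -R -v /shares/`.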
To share `/shares/` through Samba:

1. Run the `rpm -q samba samba-common samba-client` command to confirm the samba, samba-common, and samba-client packages are installed (version numbers may differ):

   ```
   ~]$ rpm -q samba samba-common samba-client
   samba-3.4.0-0.41.el6.3.i686
   samba-common-3.4.0-0.41.el6.3.i686
   samba-client-3.4.0-0.41.el6.3.i686
   ```

   If any of these packages are not installed, install them by running the `yum install package-name` command as the root user.

2. Edit `/etc/samba/smb.conf` as the root user. Add the following entry to the bottom of this file to share the `/shares/` directory through Samba:

3. A Samba account is required to mount a Samba file system. Run the `smbpasswd -a username` command as the root user to create a Samba account, where username is an existing Linux user. For example, `smbpasswd -a testuser` creates a Samba account for the Linux testuser user:

   ```
   ~]# smbpasswd -a testuser
   New SMB password: Enter a password
   Retype new SMB password: Enter the same password again
   Added user testuser.
   ```

   Running `smbpasswd -a username`, where username is the user name of a Linux account that does not exist on the system, causes a `Cannot locate Unix account for 'username'!` error.

4. Run the `service smb start` command as the root user to start the Samba service:

   ```
   ~]# service smb start
   Starting SMB services:                                     [  OK  ]
   ```

5. Run the `smbclient -U username -L localhost` command to list the available shares, where username is the Samba account added in step 3. When prompted for a password, enter the password assigned to the Samba account in step 3 (version numbers may differ):

6. Run the `mkdir /test/` command as the root user to create a new directory. This directory will be used to mount the shares Samba share.

7. Run the following command as the root user to mount the shares Samba share to `/test/`, replacing username with the user name from step 3:

   ```
   ~]# mount //localhost/shares /test/ -o user=username
   ```

   Enter the password for username, which was configured in step 3.

8. Run the `cat /test/index.html` command to view the file, which is being shared through Samba:
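The Samba share definition and the SELinux label on its path have to agree: public_content_t gives smbd (and httpd, ftpd, rsync) read access only, so a share that is `writable = yes` over such a tree mounts fine but fails at write time with an SELinux denial, while a read-only share is exactly what the label supports. The script below is an added example, not part of the Red Hat guide, and the `[shares]` stanza it embeds is a constructed read-only share that stands in for the guide's own entry (which this copy of the page does not reproduce). It pulls a parameter out of a named smb.conf section with a small awk parser and then checks the share's `writable` setting against the type on its path.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): cross-check a Samba share
# definition against the SELinux type of the directory it exports.

# Constructed smb.conf fragment. The [shares] stanza is an assumption of this
# example, written as a read-only share to match the public_content_t label;
# [scratch] is a deliberately writable share used for the comparison.
SAMPLE_SMB_CONF='[global]
   workgroup = MYGROUP

[shares]
   comment = Read-only files for httpd, FTP, rsync and Samba
   path = /shares
   public = yes
   writable = no

[scratch]
   path = /srv/scratch
   writable = yes'

# Print the value of KEY ($2) inside section [NAME] ($1) of an smb.conf read
# on stdin. Keys compare case-insensitively, as smbd does; blanks are trimmed.
smb_param() {
    awk -v sect="$1" -v key="$2" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); cur = s; next }
        cur == sect && /=/ {
            k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# Given the share's "writable" value and the SELinux type on its path,
# print "ok" or a one-line reason the pair is inconsistent.
check_share_vs_type() {
    _w=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$_w:$2" in
        no:public_content_t|no:public_content_rw_t|yes:public_content_rw_t)
            echo ok ;;
        yes:public_content_t)
            echo "writable share on public_content_t: writes will be denied; use public_content_rw_t" ;;
        *:public_content_t|*:public_content_rw_t)
            echo "unrecognised writable value '$1'" ;;
        *)
            echo "type $2 is not shareable by confined services; relabel with public_content_t or public_content_rw_t" ;;
    esac
}

# Check one share section of SAMPLE_SMB_CONF against a type string.
# Samba's default for "writable" is no, so a missing key is treated as no.
check_sample_share() {
    _writable=$(printf '%s\n' "$SAMPLE_SMB_CONF" | smb_param "$1" writable)
    check_share_vs_type "${_writable:-no}" "$2"
}

echo "shares  on public_content_t: $(check_sample_share shares public_content_t)"
echo "scratch on public_content_t: $(check_sample_share scratch public_content_t)"
```

To check a real host, replace `SAMPLE_SMB_CONF` with the contents of `/etc/samba/smb.conf` and take the type from the fourth column of `ls -dZ "$path"` (the context field on this page's RHEL 6 output), third colon-separated element. A writable share only becomes consistent once the tree is relabeled public_content_rw_t, and on RHEL 6 that type additionally needs the per-service write boolean (for Samba, `allow_smbd_anon_write`) switched on before smbd may create files there.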
To share `/shares/` through the Apache HTTP Server:

1. Run the `rpm -q httpd` command to confirm the httpd package is installed (version number may differ):

   ```
   ~]$ rpm -q httpd
   httpd-2.2.11-6.i386
   ```

   If this package is not installed, run the `yum install httpd` command as the root user to install it.

2. Change into the `/var/www/html/` directory. Run the following command as the root user to create a link (named shares) to the `/shares/` directory:

   ```
   ~]# ln -s /shares/ shares
   ```

3. Run the `service httpd start` command as the root user to start the Apache HTTP Server:

   ```
   ~]# service httpd start
   Starting httpd:                                            [  OK  ]
   ```

4. Use a web browser to navigate to http://localhost/shares. The `/shares/index.html` file is displayed.
By default, the Apache HTTP Server reads an index.html file if it exists. If `/shares/` did not have index.html, and instead had file1, file2, and file3, a directory listing would occur when accessing http://localhost/shares:

1. Run the `rm -i /shares/index.html` command as the root user to remove the index.html file.

2. Run the `touch /shares/file{1,2,3}` command as the root user to create three files in `/shares/`:

3. Run the `service httpd status` command as the root user to see the status of the Apache HTTP Server. If the server is stopped, run `service httpd start` as the root user to start it.

4. Use a web browser to navigate to http://localhost/shares. A directory listing is displayed: