3.2. Types
The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define an SELinux domain for processes and an SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
Label files with the samba_share_t type to allow Samba to share them. Only label files you have created, and do not relabel system files with the samba_share_t type: Booleans can be enabled to share such files and directories. SELinux allows Samba to write to files labeled with the samba_share_t type, as long as /etc/samba/smb.conf and Linux permissions are set accordingly.
The samba_etc_t type is used on certain files in /etc/samba/, such as smb.conf. Do not manually label files with the samba_etc_t type. If files in /etc/samba/ are not labeled correctly, run the restorecon -R -v /etc/samba command as the root user to restore such files to their default contexts. If /etc/samba/smb.conf is not labeled with the samba_etc_t type, the service smb start command may fail and an SELinux denial may be logged. The following is an example denial when /etc/samba/smb.conf was labeled with the httpd_sys_content_t type:
setroubleshoot: SELinux is preventing smbd (smbd_t) "read" to ./smb.conf (httpd_sys_content_t). For complete SELinux messages. run sealert -l deb33473-1069-482b-bb50-e4cd05ab18af
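The denial format above can be triaged mechanically. The following script is an added example, not part of the original documentation: it parses setroubleshoot lines and, for smbd_t denials, reports the target's type and the remedy this section describes. The function names, the second sample line and the rule that a target named smb.conf is /etc/samba/smb.conf are assumptions.

```sh
#!/bin/sh
# Added example, not Red Hat's code: triage setroubleshoot denials for smbd_t.

# First line is the denial quoted above; the second is constructed (<ID> is a placeholder).
SAMPLE_LOG='setroubleshoot: SELinux is preventing smbd (smbd_t) "read" to ./smb.conf (httpd_sys_content_t). For complete SELinux messages. run sealert -l deb33473-1069-482b-bb50-e4cd05ab18af
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to ./index.html (user_home_t). For complete SELinux messages. run sealert -l <ID>'

# parse_denial LINE: print "domain|permission|target|target_type"; status 1 if no match.
parse_denial() {
    printf '%s\n' "$1" | sed -n \
        's/^.*SELinux is preventing [^ ]* (\([^)]*\)) "\([^"]*\)" to \([^ ]*\) (\([^)]*\))\..*$/\1|\2|\3|\4/p' \
        | grep .
}

# advise LINE: print a hint for smbd_t denials; status 1 for anything else.
advise() {
    fields=$(parse_denial "$1") || return 1
    domain=${fields%%|*}
    ttype=${fields##*|}
    rest=${fields%|*}
    target=${rest##*|}
    [ "$domain" = "smbd_t" ] || return 1
    case "$ttype" in
        samba_etc_t|samba_share_t)
            # Label is already a Samba type, so mislabeling is not the cause.
            echo "$target: already labeled $ttype; see the full sealert report"
            return 0 ;;
    esac
    case "${target##*/}" in
        smb.conf)
            # Assumption: a target named smb.conf is /etc/samba/smb.conf.
            echo "$target: type $ttype, expected samba_etc_t; run: restorecon -R -v /etc/samba" ;;
        *)
            echo "$target: type $ttype; use samba_share_t only on files you created, Booleans for system files" ;;
    esac
}

# Run the triage over the sample lines.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    advise "$line" || echo "skipped: not an smbd_t denial"
done
```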