samba_selinux(8) Samba Selinux Policy documentation samba_selinux(8)
samba_selinux - Security Enhanced Linux Policy for Samba
Security-Enhanced Linux secures the Samba server via flexible mandatory
SELinux requires files to have an extended attribute to define the file
type. Policy governs the access daemons have to these files. If you
want to share files other than home directories, those files must be
labeled samba_share_t. So if you created a special directory /var/eng,
you would need to label the directory with the chcon tool.
chcon -t samba_share_t /var/eng
If you want to make this permanant, i.e. survive a relabel, you must
add an entry to the file_contexts.local file.
If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and public_con-
tent_rw_t. These context allow any of the above domains to read the
content. If you want a particular domain to write to the public_con-
tent_rw_t domain, you must set the appropriate boolean.
allow_DOMAIN_anon_write. So for samba you would execute:
setsebool -P allow_smbd_anon_write=1
SELinux policy is customizable based on least access required. So by
default SElinux policy turns off SELinux sharing of home directories
and the use of Samba shares from a remote machine as a home directory.
If you are setting up this machine as a Samba server and wish to share
the home directories, you need to set the samba_enable_home_dirs
setsebool -P samba_enable_home_dirs 1
If you want to use a remote Samba server for the home directories on
this machine, you must set the use_samba_home_dirs boolean.
setsebool -P use_samba_home_dirs 1
You can disable SELinux protection for the samba daemon by executing:
setsebool -P smbd_disable_trans 1
service smb restart
system-config-securitylevel is a GUI tool available to customize
SELinux policy settings.
This manual page was written by Dan Walsh <email@example.com>.
selinux(8), samba(7), chcon(1), setsebool(8)
firstname.lastname@example.org 17 Jan 2005 samba_selinux(8)