Samba file server

Karsten Wade kwade at redhat.com
Fri Jan 7 19:31:10 UTC 2005 

	On Fri, 2005-01-07 at 08:09 -0700, Ivan Gyurdiev wrote:
> Hi,
> 
> I have a fairly trivial setup ( I think ) that I'd like to get working
> under SElinux. 
> 
> I have a bunch of data on /data, which is its own LVM logical volume.
> I have symlinks to the parts of the data in /data/smb that I'd like to
> export via smb. 
> 
> My server also exports user home directories and all printers.
> 
> The problem is: 
> 	Stuff on /data is labeled: system_u:object_r:default_t 
> 	Stuff on /home is labeled: system_u:object_r:user_home_dir_t
> 		under system_u:object_r:home_root_t 
> 
> I get:
> 
> audit(1105106751.784:0): avc:  denied  { search } for  pid=32352
> exe=/usr/sbin/smbd name=/ dev=dm-1 ino=2 scontext=user_u:system_r:smbd_t
> tcontext=system_u:object_r:default_t tclass=dir
> 
> audit(1105107520.694:0): avc:  denied  { search } for  pid=32629
> exe=/usr/sbin/smbd name=/ dev=dm-2 ino=2 scontext=user_u:system_r:smbd_t
> tcontext=system_u:object_r:home_root_t tclass=dir

You have /root on this share?  Interesting.  I'm not sure you can do
what I describe below in /root.

> - How can I address this situation?

Try relabeling the portions of /data that you want to have
user_home_dir_t and user_home_t:

chcon -t user_home_dir_t /data/smb
cd /data/smb
chcon -R -r user_home_t ./*

> - What if I wanted to share /data over httpd as well?

Off the top of my head, I don't think you can both share /data over
httpd and have it be normal user home directory data.  The types are
distinctly separate.  The normal procedure is to have an e.g.
public_html/ folder, which would have a different type.

There is a Boolean value for httpd that will allow httpd to access user
directories, for the purpose of serving content that is labeled
appropriately.  You can set this using system-config-securitylevel,
SELinux tab > Modify SELinux Policy  > Allow HTTPD to read home
directories.  You then need to relabel the content you want served:

chcon -t httpd_sys_content_t /path/to/public_html/

The folder gains the new type, and all children created inside of that
gain the type.

This guide has more information on customizing Apache and SELinux:

http://fedora.redhat.com/docs/selinux-apache-fc3/sn-user-homedir.html
-- 
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41

More information about the fedora-selinux-list mailing list