Selinux breaks samba with no AVC's...

Daniel J Walsh dwalsh at redhat.com
Wed Sep 28 15:10:25 UTC 2005


Tom Lisjac wrote:

>On 9/27/05, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>>Tom Lisjac wrote:
>>
>>>I'm trying to make samba shares available on a new FC4 server...
>>>When I switched to enforcing, I couldn't connect... and there were no
>>>new AVC's. Switching back to permissive worked.
>>
>>Try out the booleans
>>
>>setsebool -P samba_enable_home_dirs=1
>>
>># getsebool -a | grep samba
>>samba_enable_home_dirs --> inactive
>>use_samba_home_dirs --> inactive
>># getsebool -a | grep smb
>>allow_smbd_anon_write --> inactive
>>smbd_disable_trans --> inactive
>
>That fixed it! Setting samba_enable_home_dirs and use_samba_home_dirs
>to active restored access and allowed me to remove all but one of the
>lines I added to local.te.
>
>I've been relabelling the public_html directories as
>user_u:object_r:httpd_user_content_t so Apache won't complain... but I
>can't see this directory in the mounted samba shares. Audit2allow
>returns the following:
>
>allow smbd_t httpd_sys_content_t:dir getattr;
>
>Is my labelling for public_html correct... or is there another switch
>I can throw to allow samba to read and write to this directory?
>
>-Tom
>
Try chcon -t public_content_rw_t public_html.
(or ftpd_anon_rw_t if public_content_rw_t does not exist)

Then setsebool -P allow_smbd_anon_write=1

That should allow http to read and samba to write. 

(Also



-- 
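
Added example, not part of the original message: a shell script that checks the two settings named in the reply (the directory's type and the allow_smbd_anon_write boolean) against captured `getsebool -a` output and a context string, and prints whichever commands are still needed. The function names and sample data are constructed for illustration; only the type and boolean names come from the thread.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Print active/inactive/missing for boolean $1 from `getsebool -a` output on
# stdin. Accepts FC4's "active/inactive" wording and the later "on/off".
bool_state() {
    awk -v name="$1" '
        $1 == name && $2 == "-->" {
            state = ($3 == "active" || $3 == "on") ? "active" : "inactive"
            print state; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# Print the type (third colon-separated field) of an SELinux context;
# a trailing MLS level such as ":s0" is ignored.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the commands still needed so smbd can write to directory $1, whose
# current context is $2; `getsebool -a` output is read on stdin.
share_plan() {
    todo=0
    case "$(ctx_type "$2")" in
        public_content_rw_t|ftpd_anon_rw_t) ;;
        *) echo "chcon -t public_content_rw_t $1"; todo=1 ;;
    esac
    case "$(bool_state allow_smbd_anon_write)" in
        active) ;;
        inactive) echo "setsebool -P allow_smbd_anon_write=1"; todo=1 ;;
        *) echo "# allow_smbd_anon_write is not defined by this policy"; todo=1 ;;
    esac
    [ "$todo" -eq 1 ] || echo "ok"
}

# Constructed sample input mirroring the state described in the thread.
SAMPLE_BOOLS='allow_smbd_anon_write --> inactive
smbd_disable_trans --> inactive'
SAMPLE_CTX='user_u:object_r:httpd_user_content_t'

printf '%s\n' "$SAMPLE_BOOLS" | share_plan public_html "$SAMPLE_CTX"
```

On a live host the same check can be fed real data with `getsebool -a | share_plan public_html "$(stat -c %C public_html)"`.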




