Selinux breaks samba with no AVC's...

Tom Lisjac netdxr at gmail.com
Thu Sep 29 02:20:50 UTC 2005


On 9/28/05, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Tom Lisjac wrote:
> >On 9/27/05, Daniel J Walsh <dwalsh at redhat.com> wrote:
> >>Tom Lisjac wrote:
> >>>I'm trying to make samba shares available on a new FC4 server...
> >>>When I switched to enforcing, I couldn't connect... and there were no
> >>>new AVC's. Switching back to permissive worked.

> >I've been relabelling the public_html directories as
> >user_u:object_r:httpd_user_content_t so Apache won't complain... but I
> >can't see this directory in the mounted samba shares. Audit2allow
> >returns the following:
> >
> >allow smbd_t httpd_sys_content_t:dir getattr;
> >
> >Is my labelling for public_html correct... or is there another switch
> >I can throw to allow samba to read and write to this directory?
> >
> Try chcon -t public_content_rw_t public_html.
> (or ftpd_anon_rw_t if public_content_rw_t does not exist)
>
> Then setsebool -P allow_smbd_anon_write=1
>
> That should allow http to read and samba to write.

That fixed Samba so I could see public_html from the shares... but
Apache complained when trying to serve content:

allow httpd_t ftpd_anon_rw_t:dir getattr;

I got everything working for both Samba and Apache by turning on the
samba_enable_home_dirs boolean, per your suggestion, and adding the
following to local.te:

allow smbd_t httpd_sys_content_t:dir { add_name create getattr read
remove_name rename rmdir search write };
allow smbd_t httpd_sys_content_t:file { create getattr lock read
setattr unlink write };

I was hoping to make it work without the policy sources, but I can
live with this. Incidentally, audit2allow didn't add the curly braces
to the first line. Compilation failed until I put them in.

Thanks for your help... much appreciated!

-Tom
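Added example, not code from the thread or from Fedora's policy: a small POSIX sh helper that turns audit2allow-style rules into a loadable module source, wrapping multi-permission lists in the braces that were missing on the first rule above, and deriving the require block from the rules themselves. It assumes the modular policy toolchain (checkmodule, semodule_package, semodule) rather than the FC4 policy sources Tom edited local.te in; the domain and type names are the ones from the thread, and apply_policy is only run when you call it explicitly.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a local SELinux policy module from
# audit2allow-style "allow" rules, fixing the missing-brace problem described
# above, and shows the final steps as a function that is never run implicitly.
# Assumption: modular policy tooling (checkmodule, semodule_package, semodule).

# Rewrite one allow rule so a multi-permission list is wrapped in { }.
# Input:  "allow smbd_t httpd_sys_content_t:dir getattr read;"
# Output: "allow smbd_t httpd_sys_content_t:dir { getattr read };"
normalize_allow_rule() {
    rule=${1%;}                       # drop trailing semicolon, if any
    set -- $rule                      # word-split: kind src tgt:class perms...
    kind=$1 src=$2 tgt=$3
    shift 3
    perms=$*
    perms=${perms#\{}                 # strip braces audit2allow may have added
    perms=${perms%\}}
    perms=$(printf '%s\n' "$perms" | tr -s ' ' | sed 's/^ //; s/ $//')
    case $perms in
        *" "*) printf '%s %s %s { %s };\n' "$kind" "$src" "$tgt" "$perms" ;;
        *)     printf '%s %s %s %s;\n' "$kind" "$src" "$tgt" "$perms" ;;
    esac
}

# Emit a complete .te: module header, a require block derived from the rules
# (every type named, and the union of permissions per object class), then the
# normalized rules. Usage: make_local_te <module-name> <rule> [<rule>...]
make_local_te() {
    name=$1
    shift
    norm=$(for r in "$@"; do normalize_allow_rule "$r"; done)
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    # source and target types of every rule, deduplicated
    printf '%s\n' "$norm" \
        | awk '{ print $2; split($3, a, ":"); print a[1] }' \
        | sort -u | sed 's/.*/    type &;/'
    # per object class, the union of permissions used by the rules
    printf '%s\n' "$norm" | awk '
        { split($3, a, ":"); cls = a[2]
          for (i = 4; i <= NF; i++) {
              p = $i; gsub(/[{};]/, "", p)
              if (p != "" && !seen[cls, p]++) perms[cls] = perms[cls] " " p
          } }
        END { for (c in perms) printf "    class %s {%s };\n", c, perms[c] }' \
        | sort
    printf '}\n\n%s\n' "$norm"
}

# What the thread ended with: the samba_enable_home_dirs boolean plus the two
# local rules, built and loaded as a module. Run as root on the target host;
# nothing here executes unless apply_policy is called.
apply_policy() {
    setsebool -P samba_enable_home_dirs=1
    make_local_te local \
        "allow smbd_t httpd_sys_content_t:dir add_name create getattr read remove_name rename rmdir search write" \
        "allow smbd_t httpd_sys_content_t:file create getattr lock read setattr unlink write" \
        > local.te
    checkmodule -M -m -o local.mod local.te
    semodule_package -o local.pp -m local.mod
    semodule -i local.pp
    getsebool samba_enable_home_dirs       # confirm the boolean stuck
    semodule -l | grep '^local'            # confirm the module is loaded
}
```

Two caveats worth keeping in mind when following the reply's chcon advice: a label set with chcon does not survive a filesystem relabel (semanage fcontext plus restorecon makes it persistent), and the rules above grant smbd_t write access to everything labelled httpd_sys_content_t, not just public_html, so they are broader than the one directory the thread is about.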
More information about the fedora-selinux-list mailing list