samba and apache shared directories on FC5

Paul Howarth paul at city-fan.org
Mon Apr 24 07:19:09 UTC 2006


On Mon, 2006-04-24 at 09:16 +1000, Robert Foster wrote:
> Hi,
> I have a directory structure that contains multiple web sites that I
> also want shared out using samba to restricted users.  I've just
> upgraded to FC5 and worked most of the kinks out (including trying to
> get Samba's net getlocalsid to talk to ldap properly, but that's
> another story).
>  
> current configuration:
>  
> # ls -alZ /MV
> gives:
> drwsrws---  apache   apache   system_u:object_r:httpd_sys_content_t webs
>  
> however the samba shared directory is readonly for users browsing.
> If I set the type to samba_share_t,  apache can no longer read the
> directory.
>  
> This also has other implications.  I have a directory in another share
> (Archives/Repository) that is soft linked to a directory under a web
> site so that users can copy files into it from a windows client and
> have them available for download.
>  
> I found a post by Stephen Smalley back in June last year that talks a
> little about this issue:
> http://www.redhat.com/archives/fedora-selinux-list/2005-June/msg00264.html
> that suggested a possible fix by defining a new type allowing both
> httpd and samba to access the files - with samba having permission to
> write.
>  
> Any ideas on whether this is likely to be added to a policy for FC5 in
> the near future, and how can I fix this in the interim?  I'd rather
> not disable selinux if I can avoid it :)

This was implemented quite a long time ago.

Change the context type of the data to public_content_t (for read-only
data) or public_content_rw_t for data that one of the daemons needs to
be able to write.

Then allow whichever daemons need write access to this data by setting
the appropriate booleans:

allow_ftpd_anon_write
allow_httpd_anon_write
allow_httpd_sys_script_anon_write
allow_rsync_anon_write
allow_smbd_anon_write

So in your case you'd want:

# setsebool -P allow_smbd_anon_write 1

Paul.
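
The steps in the reply above, as an added example that is not part of the original post: a dry-run planner that prints the relabel and boolean commands for a shared tree, enabling a write boolean only for the daemons that actually write. The function names and the use of chcon for the relabel are assumptions; the type names, boolean names and the /MV/webs path come from the thread.

```shell
#!/bin/sh
# Added example: dry-run planner. It only prints commands; review, then run as root.
# Boolean names are those listed in the post; function names are hypothetical.

# Map a daemon to the boolean that lets it write public_content_rw_t data.
anon_write_boolean() {
    case "$1" in
        ftpd)             echo allow_ftpd_anon_write ;;
        httpd)            echo allow_httpd_anon_write ;;
        httpd_sys_script) echo allow_httpd_sys_script_anon_write ;;
        rsync)            echo allow_rsync_anon_write ;;
        smbd)             echo allow_smbd_anon_write ;;
        *)                return 1 ;;
    esac
}

# plan_share DIR [WRITER...]
# No writers: public_content_t (read-only for every daemon).
# Writers:    public_content_rw_t plus one boolean per writing daemon only.
plan_share() {
    dir=${1-}
    # The plan is meant to be pasted into a root shell, so accept only
    # absolute paths made of characters that need no quoting.
    case "$dir" in
        /*) ;;
        *) echo "plan_share: need an absolute path" >&2; return 2 ;;
    esac
    case "$dir" in
        *[!A-Za-z0-9/._-]*) echo "plan_share: unsafe character in path" >&2; return 2 ;;
    esac
    shift
    # Validate all writers first so a typo never yields a partial plan.
    for d in "$@"; do
        anon_write_boolean "$d" >/dev/null ||
            { echo "plan_share: no anon_write boolean for: $d" >&2; return 2; }
    done
    ctx_type=public_content_t
    if [ "$#" -gt 0 ]; then ctx_type=public_content_rw_t; fi
    # chcon labels do not survive a full filesystem relabel.
    printf 'chcon -R -t %s %s\n' "$ctx_type" "$dir"
    for d in "$@"; do
        printf 'setsebool -P %s 1\n' "$(anon_write_boolean "$d")"
    done
    printf 'ls -dZ %s\n' "$dir"   # confirm the new type afterwards
}

# The poster's case: Samba writes, Apache only reads (no httpd boolean needed).
plan_share /MV/webs smbd
```
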



