SELinux blocking Samba share mounting?

Steven Stromer filter at stevenstromer.com
Thu Feb 12 22:06:51 UTC 2009


On Feb 12, 2009, at 4:43 PM, Daniel J Walsh wrote:

> Paul Howarth wrote:
>> On Thu, 12 Feb 2009 14:20:34 -0500
>> Steven Stromer <filter at stevenstromer.com> wrote:
>>
>>> Hopefully posting to the right list!
>>>
>>> I'm starting to migrate a few Fedora boxes over to the latest version
>>> of CentOS 5 running the latest version of samba:
>>>
>>> [~]# smbstatus
>>> Samba version 3.0.28-1.el5_2.1
>>>
>>>
>>> However, I am having a hard time getting SELinux to permit the
>>> mounting of shares on the first CentOS box. Disabling SELinux permits
>>> the shares to mount without problem:
>>>
>>> [~]# setenforce 1
>>> [~]# mount -t cifs //192.168.10.3/PHFiles /mnt/samba -o username=****,password=****,rw
>>> retrying with upper case share name
>>> mount error 6 = No such device or address
>>> [~]# setenforce 0
>>> [~]# mount -t cifs //192.168.10.3/PHFiles /mnt/samba -o username=****,password=****,rw
>>> [~]# ls -la /mnt/samba/
>>> total 8
>>> d---rws---+ 6 samba       samba          0 Feb 10 11:17 .
>>> drwxr-xr-x  3 root        root        4096 Feb 12 11:13 ..
>>> d---rws---+ 2 technology  technology     0 Feb 10 11:14 Computing
>>> d---rws---+ 2 development development    0 Feb 10 11:17 Development
>>> d---rws---+ 2 root        public         0 Feb 10 11:16 Marketing & Design
>>> d---rws---+ 2 root        public         0 Feb 10 11:14 Public Computing
>>> [~]# umount /mnt/samba/
>>> [~]# setenforce 1
>>>
>>>
>>> Installed policy version is:
>>> selinux-policy.noarch              2.4.6-137.1.el5
>>> selinux-policy-targeted.noarch     2.4.6-137.1.el5
>>>
>>>
>>> The two shared directories are:
>>>
>>> [~]# ls -laZ /home/server1/PHFiles/
>>> d---rws---+ samba       samba       system_u:object_r:samba_share_t  .
>>> drwxr-xr-x  root        root        root:object_r:user_home_dir_t    ..
>>> d---rws---+ technology  technology  root:object_r:samba_share_t      Computing
>>> d---rws---+ development development root:object_r:samba_share_t      Development
>>> d---rws---+ root        public      root:object_r:samba_share_t      Marketing & Design
>>> d---rws---+ root        public      root:object_r:samba_share_t      Public Computing
>>>
>>> and
>>>
>>> [~]# ls -laZ /var/www/html
>>> d---rwsr-x+ development development system_u:object_r:public_content_rw_t .
>>> drwxr-xr-x  root        root        system_u:object_r:httpd_sys_content_t ..
>>> ----rwxr-x+ development development root:object_r:public_content_rw_t    .DS_Store
>>> d---rwsr-x+ development development root:object_r:public_content_rw_t    private
>>> d---rwsr-x+ development development root:object_r:public_content_rw_t    public
>>>
>>> (I am aware that my permissions seem a bit untraditional. I am
>>> running an experiment with extended ACL configuration on samba
>>> shares. However, I do not believe this to have any bearing on my
>>> present problems, as I have numerous other production servers running
>>> with these permissions under SELinux, and, again, turning SELinux off
>>> resolves my problems instantly.)
>>>
>>>
>>> The following has been executed with no apparent effect:
>>> setsebool -P allow_smbd_anon_write=1
>>>
>>>
>>> The following have been executed with no apparent effect (so these
>>> have been turned back off):
>>> setsebool -P smbd_disable_trans=1
>>> setsebool -P nmbd_disable_trans=1
>>>
>>>
>>> I've added the new contexts to file_contexts, and executed
>>> 'restorecon -R' to the two shared directories:
>>> /home/server1/PHFiles(/.*)? -- system_u:object_r:samba_share_t
>>> /var/www/html(/.*)? -- system_u:object_r:public_content_rw_t
>>>
>>>
>>> setroubleshoot-server is installed, but no AVC denials are reported
>>> to /var/log/messages. Instead, when SELinux is enforcing, I get the
>>> error:
>>> smbd[11852]:   '/home/server1/PHFiles' does not exist or permission denied when connecting to [PHFiles] Error was Permission denied
>>>
>>>
>>> And, finally, I've rebooted. All to no avail. Any assistance would be
>>> much appreciated!
>>
>> If the audit daemon is running, the AVC denials will be
>> in /var/log/audit/audit.log rather than /var/log/messages.
>>
>> fedora-selinux-list would probably be more appropriate for this by the
>> way.
>>
>> Paul.
>>
>
> setsebool -P use_samba_home_dirs 1

Daniel, thanks for the reply. No success. I omitted mentioning that I
had tried this, as well. However, I just confirmed again that this is
not the fix. I'm not even sure why home directories would need to be
permitted, as I am not using them. I even have [homes] commented out
in smb.conf, which I'll include for reference:


# Samba config file
[global]
# WINS
	wins support = yes
	local master = yes
	os level = 99
	domain master = yes
	preferred master = yes
	workgroup = 478FIRST
# NETBIOS/DNS
	netbios name = server1
	name resolve order = wins lmhosts hosts bcast
	dns proxy = yes
# SMB/CIFS
	smb ports = 139
	server string = server1
# AUTHENTICATION
	interfaces = eth0
	security = user
	passdb backend = tdbsam
	encrypt passwords = yes
# LOGGING
	log file = /var/log/samba/%m.log
	max log size = 50
# CUPS
	load printers = yes
	cups options = raw

#[homes]
#	comment = Home Directories
#	read only = No
#	browseable = No

# [printers]
# 	comment = All Printers
# 	path = /usr/spool/samba
# 	printable = Yes
# 	browseable = No

[PHFiles]
	path = /home/server1/PHFiles
	writable = yes
	browseable = yes
	available = yes
	create mask = 0660
	force create mode = 0660
	directory mask = 0770
	force directory mode = 0770
	inherit acls = yes
	inherit owner = yes
	hosts allow = 127. 192.168.5.
	map archive = no
	map readonly = no
	map acl inherit = yes

[html]
	path = /var/www/html
	writable = yes
	browseable = yes
	available = yes
	create mask = 0660
	force create mode = 0660
	directory mask = 0770
	force directory mode = 0770
	inherit acls = yes
	inherit owner = yes
	hosts allow = 127. 192.168.5.
	map archive = no
	map readonly = no
	map acl inherit = yes
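
A small diagnostic, added here as an example and not part of the thread, that puts Paul's and Daniel's points together: it pulls the share paths out of smb.conf, checks each path's SELinux type and the types of its ancestors against what smbd can reach (the PHFiles share sits under /home/server1, which the `ls -laZ` output above shows as user_home_dir_t), and extracts smbd AVC denials from audit.log records. The smb.conf text, the directory labels and the audit record are constructed sample inputs modelled on the thread, not real output.

```python
import re

# Constructed sample input modelled on the thread: the share stanzas from smb.conf, the
# types `ls -dZ` reports for each directory, and one hypothetical audit.log AVC line.
SMB_CONF = """\
[global]
#[homes]
[PHFiles]
    path = /home/server1/PHFiles
[html]
    path = /var/www/html
"""
LABELS = {"/home/server1": "user_home_dir_t", "/home/server1/PHFiles": "samba_share_t",
          "/var/www": "httpd_sys_content_t", "/var/www/html": "public_content_rw_t"}
AUDIT_LOG = ('type=AVC msg=audit(1234567890.001:42): avc:  denied  { search } for  '
             'pid=11852 comm="smbd" name="server1" scontext=system_u:system_r:smbd_t:s0 '
             'tcontext=root:object_r:user_home_dir_t:s0 tclass=dir\n')
# Types smbd may serve; writing to public_content_rw_t also needs allow_smbd_anon_write.
SHARE_TYPES = {"samba_share_t", "public_content_rw_t", "public_content_t"}

def share_paths(conf):
    """Return {share: path} from smb.conf text, ignoring commented-out lines."""
    shares, name = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            name = m.group(1)
        elif name and "=" in line and line.split("=", 1)[0].strip() == "path":
            shares[name] = line.split("=", 1)[1].strip()
    return shares

def check_share(path, labels):
    """Share type must be one smbd may serve; a user_home_dir_t ancestor needs the boolean."""
    t = labels.get(path)
    if t not in SHARE_TYPES:
        return f"label {t} is not a Samba share type"
    parent = path.rsplit("/", 1)[0]
    while parent:  # smbd must be able to search every directory on the way down
        if labels.get(parent) == "user_home_dir_t":
            return f"ancestor {parent} is user_home_dir_t: enable the Samba home-dirs boolean"
        parent = parent.rsplit("/", 1)[0]
    return "ok"

def smbd_denials(audit_text):
    """Extract (permission, target type, object class) from AVC denials raised by smbd."""
    pat = re.compile(r'denied\s+\{ ([^}]+) \}.*comm="smbd".*tcontext=\w+:object_r:(\w+)'
                     r'(?::\S+)? tclass=(\w+)')
    return [(m.group(1).strip(), m.group(2), m.group(3))
            for m in map(pat.search, audit_text.splitlines()) if m]
```

On a real box, build `LABELS` from `ls -dZ` of each share path and its parents, and feed `/var/log/audit/audit.log` to `smbd_denials` when auditd is running.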
