[SOLVED] samba guest share and selinux

Support for security such as Firewalls and securing linux
cac2s
Posts: 7
Joined: 2011/10/11 13:50:06

[SOLVED] samba guest share and selinux

Post by cac2s » 2011/10/11 13:55:35

smb.conf
[code][global]
workgroup = WorkGroup
server string =
netbios name = netfolders
log file = /var/log/samba/log.%m
max log size = 50
security = user
map to guest = Bad Password
guest account = nobody
passdb backend = tdbsam
local master = no
os level = 0
preferred master = no
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
show add printer wizard = no
[inout]
path = /mnt/netfolders/inout
writable = yes
guest only = yes
guest ok = yes
create mask = 0600
directory mask = 0700[/code]
[code]# chcon -v -t samba_share_t /mnt/netfolders/inout
# semanage fcontext -a -t samba_share_t '/mnt/netfolders/inout(/.*)?'
# ls -ldZ /mnt/netfolders/inout
drwxr-xr-x. nobody nobody unconfined_u:object_r:samba_share_t:s0 /mnt/netfolders/inout[/code]
[code]ls -la /mnt/netfolders/
drwx------. 3 nobody nobody 4096 Окт 11 15:25 inout
[/code]
but I can't log in to inout with SELinux enabled :(

toracat
Forum Moderator
Posts: 7453
Joined: 2006/09/03 16:37:24
Location: California, US

[SOLVED] samba guest share and selinux

Post by toracat » 2011/10/11 15:23:05

Perhaps the restorecon command is needed (after semanage)?

I found [url=http://danwalsh.livejournal.com/14195.html]the article by Dan Walsh[/url], THE selinux guy, very helpful.

cac2s
Posts: 7
Joined: 2011/10/11 13:50:06

Re: samba guest share and selinux

Post by cac2s » 2011/10/11 15:40:07

[b]solved[/b]

Before mounting the partition:
[code]# ls -ldZ /mnt/netfolders/
drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0 /mnt/netfolders/[/code]
After mounting the partition:
[code]# mount /dev/vg_data/lv_netfolders /mnt/netfolders
# ls -ldZ /mnt/netfolders/
drwxr-xr-x. root root system_u:object_r:[b]file_t[/b]:s0 /mnt/netfolders/[/code]

So the next command solves the problem (even without 'semanage fcontext ...; restorecon ...'):
[code]# chcon -R -t samba_share_t /mnt/netfolders[/code]

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: [SOLVED] samba guest share and selinux

Post by pschaff » 2011/10/12 20:02:43

Thanks for reporting back. Marking this thread [SOLVED] for posterity.

toracat
Forum Moderator
Posts: 7453
Joined: 2006/09/03 16:37:24
Location: California, US

Re: [SOLVED] samba guest share and selinux

Post by toracat » 2011/10/12 23:13:57

[quote]
cac2s wrote:

So the next command solves the problem (even without 'semanage fcontext ...; restorecon ...'):
[code]# chcon -R -t samba_share_t /mnt/netfolders[/code][/quote]
Please note that there is an important difference between the [i]chcon[/i] command and the [i]semanage fcontext ...; restorecon[/i] method as written in Dan Walsh's blog referenced previously:

[quote]
# chcon -R -t samba_share_t /var/eng

This label will not survive a relabel. A better solution to make the change permanent, you must tell the SELinux system about the label customization. The semanage command can customize the default file contexts on your machine. restorecon will read the file_context and apply it to the files and directories.

# semanage fcontext -a -t samba_share_t '/var/eng(/.*)?'
# restorecon -R -v /var/eng
[/quote]
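
An added example, not part of any post in this thread: a small shell check that reads `ls -ldZ` output and flags the situation cac2s hit, where the share directory is labelled samba_share_t but the mount point above it is file_t. The function names are hypothetical, and the script assumes the CentOS 6 `ls -ldZ` column layout shown in the posts above.

```bash
#!/bin/bash
# Added example, not from the thread. Reads `ls -ldZ` lines on stdin in the
# CentOS 6 layout shown above: <perms> <owner> <group> <context> <path>

# Print the type (third field) of a context such as user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# audit_labels SHARE_PATH
# Prints "<verdict> <type> <path>" for each input line, returns 1 on a finding.
# Assumption: the share is expected to carry samba_share_t, as in the thread.
audit_labels() {
    local share="${1%/}" rc=0 perms owner group context path type verdict
    while read -r perms owner group context path; do
        [ -n "$path" ] || continue
        [ "$path" = / ] || path="${path%/}"   # normalise the trailing slash
        type=$(selinux_type "$context")
        if [ "$path" = "$share" ] || [ "${path#"$share"/}" != "$path" ]; then
            # The share itself or an entry below it.
            if [ "$type" = samba_share_t ]; then verdict=OK; else verdict=RELABEL; fi
        elif [ "$path" = / ] || [ "${share#"$path"/}" != "$share" ]; then
            # An ancestor directory: file_t means the mounted filesystem has
            # no label, which is what cac2s saw after mounting.
            if [ "$type" = file_t ]; then verdict=UNLABELED; else verdict=OK; fi
        else
            verdict=SKIP                      # unrelated path
        fi
        case "$verdict" in OK|SKIP) ;; *) rc=1 ;; esac
        printf '%s %s %s\n' "$verdict" "$type" "$path"
    done
    return "$rc"
}

# Constructed sample reproducing the state reported in the thread.
audit_labels /mnt/netfolders/inout <<'EOF' || echo "labels need fixing"
drwxr-xr-x. root root system_u:object_r:file_t:s0 /mnt/netfolders/
drwxr-xr-x. nobody nobody unconfined_u:object_r:samba_share_t:s0 /mnt/netfolders/inout
EOF
```

On a live system the input would come from `ls -ldZ /mnt/netfolders /mnt/netfolders/inout` piped into `audit_labels /mnt/netfolders/inout`.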
