SELinux – Allow Apache and Samba on the Same Folder

apache-2.2centossambaselinux

In the configuration I have setup I wish to allow samba and apache to access /var/www
I am able to set a context to allow samba access, but then httpd doesn't have access.
Using setenforce to 0 eliminates issues so I know that it is SELinux.

In addition:
How can I view the context of a folder, and can a folder have multiple contexts?

(CentOS)

Best Answer

First off, you can view the context of something with ls using ls -Z

[root@servername www]# ls -dZ /var/www
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t /var/www

Second, there are two options for giving Samba and Apache access to the same directory.

The simple way is to just allow samba read/write access everywhere with:

setsebool -P samba_export_all_rw 1

It's simple, easy, and doesn't mess with any weird properties of SELinux.

If you're concerned with Samba having full access to all directories and only want to change /var/www, try:

chcon -t public_content_rw_t /var/www
setsebool -P allow_smbd_anon_write 1
setsebool -P allow_httpd_anon_write 1

This will allow both Samba and Apache write access to any directories with the public_content_rw_t context. Note that chcon is only modifying /var/www. Any new directories created under /var/www will be public_content_rw_t, but not existing directories like /var/www/html or /var/www/manual. If you want to change everything, add an -R to chcon:

chcon -R -t public_content_rw_t /var/www

You can look through this CentOS wiki page to get hints on other SELinux booleans.

Related Solutions

Centos – How to write to Samba folder

For a folder in Samba to be writable ALL the following have to be true:

Share must be configured in Samba to be writeable
User must exist in Samba password database (did you copy your UNIX users to Samba users using mksmbpasswd?)
User must appear in list of allowed users
The specific subnet that the user is accessing from must appear in the list of allowed networks (i.e. if the user's IP is 192.168.2.8/24, the allowed network must be 192.168.2)
The backing directory of the share must have appropriate permissions (i.e. be owned by the UNIX user:group that the Samba user maps to and/or the chmod must be high enough)

Samba – Allowing multiple types in the type field of a folder label in SELinux

I just realized I completely misread your question :)

If you want to allow Samba to read /var/www/html, which is httpd_sys_content_t, you should not have a problem. I am not a Samba expert, but afaik samba runs in the smbd_t domain, so you should be fine:

 # sesearch -s smbd_t --allow | grep httpd_sys_content
 allow smbd_t httpd_sys_content_t : file { ioctl read getattr lock }; 
 allow smbd_t httpd_sys_content_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
 allow smbd_t httpd_sys_content_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
 allow smbd_t httpd_sys_content_t : dir { ioctl read getattr lock search }; 
 allow smbd_t httpd_sys_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir }; 
 allow smbd_t httpd_sys_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir };

That says that Samba is allowed to read httpd_sys_content_t directories and files. The /var/www/html tree is httpd_sys_content_t. Have you tried this already?

Best Answer

Related Solutions

Centos – How to write to Samba folder

Samba – Allowing multiple types in the type field of a folder label in SELinux

Related Topic