Samba – Allowing multiple types in the type field of a folder label in SELinux

apache-2.2file-sharingsambaselinux

I'm an Ubuntu/Debian guy but I had trouble installing Ubuntu on a softraid/fakeraid system, so I went with CentOS 5.6.

I'm also at a small web development firm where we need to share our test server's html/httpd files via samba/smb but also allow apache to host them.

So I'm wondering if I can set our files to the samba and httpd type?

Something like,

/usr/sbin/semanage fcontext -a -t samba_share_t,httpd_sys_content_t "/var/www/html(/.*)?"

Or else I'm going to have to turn SELinux into permissive mode, which is not something I want to do.

Best Answer

I just realized I completely misread your question :)

If you want to allow Samba to read /var/www/html, which is httpd_sys_content_t, you should not have a problem. I am not a Samba expert, but afaik samba runs in the smbd_t domain, so you should be fine:

 # sesearch -s smbd_t --allow | grep httpd_sys_content
 allow smbd_t httpd_sys_content_t : file { ioctl read getattr lock }; 
 allow smbd_t httpd_sys_content_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
 allow smbd_t httpd_sys_content_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
 allow smbd_t httpd_sys_content_t : dir { ioctl read getattr lock search }; 
 allow smbd_t httpd_sys_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir }; 
 allow smbd_t httpd_sys_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir };

That says that Samba is allowed to read httpd_sys_content_t directories and files. The /var/www/html tree is httpd_sys_content_t. Have you tried this already?

Related Solutions

SELinux – Allow Apache and Samba on the Same Folder

First off, you can view the context of something with ls using ls -Z

[root@servername www]# ls -dZ /var/www
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t /var/www

Second, there are two options for giving Samba and Apache access to the same directory.

The simple way is to just allow samba read/write access everywhere with:

setsebool -P samba_export_all_rw 1

It's simple, easy, and doesn't mess with any weird properties of SELinux.

If you're concerned with Samba having full access to all directories and only want to change /var/www, try:

chcon -t public_content_rw_t /var/www
setsebool -P allow_smbd_anon_write 1
setsebool -P allow_httpd_anon_write 1

This will allow both Samba and Apache write access to any directories with the public_content_rw_t context. Note that chcon is only modifying /var/www. Any new directories created under /var/www will be public_content_rw_t, but not existing directories like /var/www/html or /var/www/manual. If you want to change everything, add an -R to chcon:

chcon -R -t public_content_rw_t /var/www

You can look through this CentOS wiki page to get hints on other SELinux booleans.

Centos – Installing Apache MPM Worker on Centos 5.5

On my system I just edited the /etc/sysconfig/httpd file to enable the httpd.worker.

After restarting httpd, I ran "ps -ef | grep -i http" and got this:

[root@localhost httpd]# ps -ef | grep -i http
root     16334 17289  0 10:44 pts/1    00:00:00 grep -i http
root     30536     1  0 10:00 ?        00:00:00 /usr/sbin/httpd.worker
apache   30539 30536  0 10:00 ?        00:00:00 /usr/sbin/httpd.worker
apache   30541 30536  0 10:00 ?        00:00:02 /usr/sbin/httpd.worker
[root@localhost httpd]#

If I switch the /etc/sysconfig/httpd back to the default, the ps output is like this:

[root@localhost httpd]# ps -ef | grep -i http
root     16447     1  0 10:47 ?        00:00:00 /usr/sbin/httpd
apache   16448 16447  0 10:47 ?        00:00:00 /usr/sbin/httpd
apache   16449 16447  0 10:47 ?        00:00:00 /usr/sbin/httpd
apache   16450 16447  0 10:47 ?        00:00:00 /usr/sbin/httpd
apache   16451 16447  0 10:47 ?        00:00:00 /usr/sbin/httpd
apache   16453 16447  0 10:47 ?        00:00:00 /usr/sbin/httpd
apache   16454 16447  0 10:47 ?        00:00:00 /usr/sbin/httpd
apache   16455 16447  0 10:47 ?        00:00:00 /usr/sbin/httpd
apache   16456 16447  0 10:47 ?        00:00:00 /usr/sbin/httpd
root     16458 17289  0 10:47 pts/1    00:00:00 grep -i http
[root@localhost httpd]#

And in this case the "httpd -V" output is the same as before.

Since the number of running processes matches my configuration options for the prefork and worker modules set in the "/etc/httpd/conf/httpd.conf" I believe it's working as advertised.

I suspect the "httpd -V" is reporting the compiled in defaults. because: server binary names are different. httpd (prefork,default) != httpd.worker (non-default)

Dan

Best Answer

Related Solutions

SELinux – Allow Apache and Samba on the Same Folder

Centos – Installing Apache MPM Worker on Centos 5.5

Related Topic