14.4. Configuration examples

The following examples demonstrate how SELinux confines the Samba server in practice and how the server keeps its full function under that confinement.

14.4.1. Sharing directories you create

The following example creates a new directory, and shares that directory through Samba:
  1. Confirm that the samba, samba-common, and samba-client packages are installed:
    ~]$ rpm -q samba samba-common samba-client
    package samba is not installed
    package samba-common is not installed
    package samba-client is not installed
    
    If any of these packages are not installed, install them by using the yum utility as root:
    ~]# yum install package-name
  2. Use the mkdir utility as root to create a new top-level directory to share files through Samba:
    ~]# mkdir /myshare
  3. Use the touch utility as root to create an empty file. This file is used later to verify that the Samba share mounted correctly:
    ~]# touch /myshare/file1
  4. SELinux allows Samba to read and write to files labeled with the samba_share_t type, as long as the /etc/samba/smb.conf file and Linux permissions are set accordingly. Run the following command as root to add the label change to file-context configuration:
    ~]# semanage fcontext -a -t samba_share_t "/myshare(/.*)?"
  5. Use the restorecon utility as root to apply the label changes:
    ~]# restorecon -R -v /myshare
    restorecon reset /myshare context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
    restorecon reset /myshare/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
    
  6. Edit /etc/samba/smb.conf as root. Add the following to the bottom of this file to share the /myshare/ directory through Samba:
    [myshare]
    comment = My share
    path = /myshare
    public = yes
    writable = no
    
  7. A Samba account is required to mount a Samba file system. Run the following command as root to create a Samba account, where username is an existing Linux user. For example, smbpasswd -a testuser creates a Samba account for the Linux testuser user:
    ~]# smbpasswd -a testuser
    New SMB password: Enter a password
    Retype new SMB password: Enter the same password again
    Added user testuser.
    
    If you enter the above command, specifying a user name of an account that does not exist on the system, it causes a Cannot locate Unix account for 'username'! error.
  8. Start the Samba service:
    ~]# systemctl start smb.service
  9. Run the following command to list the available shares, where username is the Samba account added in step 7. When prompted for a password, enter the password assigned to the Samba account in step 7 (version numbers may differ):
    ~]$ smbclient -U username -L localhost
    Enter username's password:
    Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]
    
    Sharename       Type      Comment
    ---------       ----      -------
    myshare         Disk      My share
    IPC$            IPC       IPC Service (Samba Server Version 3.4.0-0.41.el6)
    username        Disk      Home Directories
    Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]
    
    Server               Comment
    ---------            -------
    
    Workgroup            Master
    ---------            -------
    
  10. Use the mkdir utility as root to create a new directory. This directory will be used to mount the myshare Samba share:
    ~]# mkdir /test/
  11. Run the following command as root to mount the myshare Samba share on /test/, replacing username with the user name from step 7 (the mount.cifs helper it relies on is provided by the cifs-utils package):
    ~]# mount //localhost/myshare /test/ -o user=username
    Enter the password for username, which was configured in step 7.
  12. Run the following command to view the file1 file created in step 3:
    ~]$ ls /test/
    file1
    
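The twelve steps above, collected into one re-runnable script. This is an added example, not code from the Red Hat guide: it assumes the RHEL tools the page uses (semanage from policycoreutils-python, restorecon, testparm, pdbedit, smbpasswd, systemctl, smbclient) are on PATH, takes the share name, directory and Samba user as arguments, and the function names (provision_share, label_for_samba, ensure_share and so on) are its own.

```bash
#!/bin/bash
# Added example, not code from the Red Hat guide: the steps of 14.4.1 as one
# idempotent script. Assumes RHEL tooling (semanage, restorecon, testparm,
# pdbedit, smbpasswd, systemctl, smbclient). Usage, as root:
#   provision_share myshare /myshare testuser
set -eu

# Render the smb.conf stanza for a share; read-only unless the 4th argument is yes.
share_stanza() {
    local name=$1 path=$2 comment=$3 writable=${4:-no}
    printf '[%s]\n    comment = %s\n    path = %s\n    public = yes\n    writable = %s\n' \
        "$name" "$comment" "$path" "$writable"
}

# True if the smb.conf in $2 already carries a [$1] section.
has_share() {
    grep -Eq "^[[:space:]]*\[$1\][[:space:]]*$" "$2"
}

# Append the stanza only when the section is missing, so re-running is safe.
ensure_share() {
    local name=$1 path=$2 comment=$3 writable=${4:-no} conf=${5:-/etc/samba/smb.conf}
    has_share "$name" "$conf" && return 0
    { printf '\n'; share_stanza "$name" "$path" "$comment" "$writable"; } >> "$conf"
}

# Label the tree samba_share_t: add the fcontext rule once, apply it, verify it.
label_for_samba() {
    local dir=$1 spec="$1(/.*)?" ctx
    # semanage fcontext -a fails if the spec is already defined, so check first.
    semanage fcontext -l | grep -qF "$spec " || semanage fcontext -a -t samba_share_t "$spec"
    restorecon -R -v "$dir"
    ctx=$(stat -c %C "$dir")            # user:role:type:level of the directory itself
    case "$ctx" in
        *:samba_share_t:*) ;;
        *) echo "$dir is labeled $ctx, expected samba_share_t" >&2; return 1 ;;
    esac
}

# Create a Samba account for an existing Linux user unless one already exists.
# smbpasswd prompts for the password, exactly as in step 7.
ensure_samba_user() {
    pdbedit -L | grep -q "^$1:" || smbpasswd -a "$1"
}

provision_share() {
    local name=$1 dir=$2 user=$3
    mkdir -p "$dir"
    label_for_samba "$dir"
    ensure_share "$name" "$dir" "Share $name" no
    testparm -s >/dev/null            # refuse to start smbd on a broken smb.conf
    ensure_samba_user "$user"
    systemctl start smb.service
    smbclient -U "$user" -L localhost # prompts for the Samba password and lists the share
}
```

The stat check at the end of label_for_samba is the part worth keeping even when scripting by hand: a typo in the fcontext regular expression leaves the directory at default_t and the failure then only shows up as an AVC denial when a client connects.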

14.4.2. Sharing a website

It may not be possible to label files with the samba_share_t type, for example, when sharing a website from the /var/www/html/ directory, whose files carry the httpd_sys_content_t type that the Apache HTTP Server expects. For these cases, use the samba_export_all_ro Boolean to share any file or directory, regardless of its current label, with read-only access, or the samba_export_all_rw Boolean to share any file or directory, regardless of its current label, with read and write access. Both Booleans are system-wide: they lift the label check for everything Samba exports, not only for the share you have in mind, so prefer samba_export_all_ro unless clients really must write.
The following example creates a file for a website in /var/www/html/, and then shares that file read-only through Samba. This example assumes the httpd, samba, samba-common, samba-client, and wget packages are installed:
  1. As the root user, create a /var/www/html/file1.html file. Copy and paste the following content into this file:
    <html>
    <h2>File being shared through the Apache HTTP Server and Samba.</h2>
    </html>
    
  2. Run the following command to view the SELinux context of file1.html:
    ~]$ ls -Z /var/www/html/file1.html
    -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1.html
    
    The file is labeled with the httpd_sys_content_t type. By default, the Apache HTTP Server can access this type, but Samba cannot.
  3. Start the Apache HTTP Server:
    ~]# systemctl start httpd.service
  4. Change into a directory your user has write access to, and enter the following command. Unless there are changes to the default configuration, this command succeeds:
    ~]$ wget http://localhost/file1.html
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 84 [text/html]
    Saving to: `file1.html.1'
    
    100%[=======================>] 84          --.-K/s   in 0s      
    
    `file1.html.1' saved [84/84]
    
  5. Edit /etc/samba/smb.conf as root. Add the following to the bottom of this file to share the /var/www/html/ directory through Samba:
    [website]
    comment = Sharing a website
    path = /var/www/html/
    public = no
    writable = no
    
  6. The /var/www/html/ directory is labeled with the httpd_sys_content_t type. By default, Samba cannot access files and directories labeled with this type, even if Linux permissions allow it. To allow Samba read access, enable the samba_export_all_ro Boolean:
    ~]# setsebool -P samba_export_all_ro on
    Do not use the -P option if you do not want the change to persist across reboots. Note that enabling the samba_export_all_ro Boolean allows Samba to read files of any type, not only httpd_sys_content_t; from then on, only the share definitions in smb.conf and Linux permissions limit what Samba exposes. Check the current value with getsebool samba_export_all_ro.
  7. Start the Samba service:
    ~]# systemctl start smb.service