The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
Label files with the samba_share_t type to allow Samba to share them. Only label files you have created, and do not relabel system files with the samba_share_t type: Booleans can be enabled to share such files and directories. SELinux allows Samba to write to files labeled with the samba_share_t type, as long as /etc/samba/smb.conf and Linux permissions are set accordingly.
The samba_etc_t type is used on certain files in /etc/samba/, such as smb.conf. Do not manually label files with the samba_etc_t type. If files in /etc/samba/ are not labeled correctly, run the restorecon -R -v /etc/samba command as the root user to restore such files to their default contexts. If /etc/samba/smb.conf is not labeled with the samba_etc_t type, the service smb start command may fail and an SELinux denial may be logged. The following is an example denial when /etc/samba/smb.conf was labeled with the httpd_sys_content_t type:
setroubleshoot: SELinux is preventing smbd (smbd_t) "read" to ./smb.conf (httpd_sys_content_t). For complete SELinux messages. run sealert -l deb33473-1069-482b-bb50-e4cd05ab18af
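The following triage script is an added example, not part of the original guide or of setroubleshoot: it parses summary lines in the format of the denial above and maps each smbd denial to the remediation this section describes. The function names, the second and third sample lines, and the rule that a target named smb.conf is the file in /etc/samba/ are assumptions made for illustration.

```python
import re

# Summary-line format as in the example denial above; other versions may differ.
DENIAL_RE = re.compile(
    r'SELinux is preventing (?P<comm>\S+) \((?P<domain>\w+)\) '
    r'"(?P<access>[^"]+)" to (?P<target>\S+) \((?P<ttype>\w+)\)'
)
SEALERT_RE = re.compile(r'sealert -l (?P<id>[0-9a-f-]{36})')
SAMBA_TYPES = {"samba_etc_t", "samba_share_t"}  # types named in this section

SAMPLE_LINES = [
    # The denial quoted in this section.
    'setroubleshoot: SELinux is preventing smbd (smbd_t) "read" to ./smb.conf '
    '(httpd_sys_content_t). For complete SELinux messages. run sealert -l '
    'deb33473-1069-482b-bb50-e4cd05ab18af',
    # Constructed sample: a user-created file that was never labeled for sharing.
    'setroubleshoot: SELinux is preventing smbd (smbd_t) "getattr" to '
    './report.txt (user_home_t). For complete SELinux messages. run sealert -l '
    '00000000-0000-0000-0000-000000000000',
    # Constructed sample: a denial for a different domain.
    'setroubleshoot: SELinux is preventing httpd (httpd_t) "read" to '
    './index.html (samba_share_t).',
]

def parse_denial(line):
    """Return the fields of one summary line as a dict, or None if no match."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    s = SEALERT_RE.search(line)
    fields["sealert_id"] = s.group("id") if s else None
    return fields

def triage(fields):
    """Map a parsed denial to the remediation this section describes."""
    if fields["domain"] != "smbd_t":
        return "not an smbd denial"
    # Assumption: a target named smb.conf is the one in /etc/samba/.
    name = fields["target"].rsplit("/", 1)[-1]
    if name == "smb.conf" and fields["ttype"] != "samba_etc_t":
        return "restorecon -R -v /etc/samba"
    if fields["ttype"] not in SAMBA_TYPES:
        return "label with samba_share_t if you created it, else use a Boolean"
    return "label is a Samba type; read the full sealert report"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_denial(line)
        print(f["target"], f["ttype"], "->", triage(f))
```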