15.4. Configuration examples
The following examples provide real-world demonstrations of how SELinux complements the Samba server and how the Samba server can be kept fully functional while confined.
15.4.1. Sharing directories you create
The following example creates a new directory, and shares that directory through Samba:

1. Confirm that the samba, samba-common, and samba-client packages are installed:

   ~]$ rpm -q samba samba-common samba-client
   package samba is not installed
   package samba-common is not installed
   package samba-client is not installed

   If any of these packages are not installed, install them by using the yum utility as root:

   ~]# yum install package-name

2. Use the mkdir utility as root to create a new top-level directory to share files through Samba:

   ~]# mkdir /myshare

3. Use the touch utility as root to create an empty file. This file is used later to verify that the Samba share mounted correctly:

   ~]# touch /myshare/file1

4. SELinux allows Samba to read and write to files labeled with the samba_share_t type, as long as the /etc/samba/smb.conf file and Linux permissions are set accordingly. Enter the following command as root to add the label change to the file-context configuration:

   ~]# semanage fcontext -a -t samba_share_t "/myshare(/.*)?"

5. Use the restorecon utility as root to apply the label changes:

   ~]# restorecon -R -v /myshare
   restorecon reset /myshare context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
   restorecon reset /myshare/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0

6. Edit /etc/samba/smb.conf as root. Add the following to the bottom of this file to share the /myshare/ directory through Samba:

   [myshare]
   comment = My share
   path = /myshare
   public = yes
   writable = no

7. A Samba account is required to mount a Samba file system. Enter the following command as root to create a Samba account, where username is an existing Linux user. For example, smbpasswd -a testuser creates a Samba account for the Linux testuser user:

   ~]# smbpasswd -a testuser
   New SMB password: Enter a password
   Retype new SMB password: Enter the same password again
   Added user testuser.

   If you enter the above command, specifying a user name of an account that does not exist on the system, it causes a Cannot locate Unix account for 'username'! error.

8. Start the Samba service:

   ~]# systemctl start smb.service

9. Enter the following command to list the available shares, where username is the Samba account added in step 7. When prompted for a password, enter the password assigned to the Samba account in step 7 (version numbers may differ):

   ~]$ smbclient -U username -L localhost
   Enter username's password:
   Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

           Sharename       Type      Comment
           ---------       ----      -------
           myshare         Disk      My share
           IPC$            IPC       IPC Service (Samba Server Version 3.4.0-0.41.el6)
           username        Disk      Home Directories
   Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

           Server               Comment
           ---------            -------

           Workgroup            Master
           ---------            -------

10. Use the mkdir utility as root to create a new directory. This directory will be used to mount the myshare Samba share:

    ~]# mkdir /test/

11. Enter the following command as root to mount the myshare Samba share to /test/, replacing username with the user name from step 7:

    ~]# mount //localhost/myshare /test/ -o user=username

    Enter the password for username, which was configured in step 7.

12. Enter the following command to view the file1 file created in step 3:

    ~]$ ls /test/file1
15.4.2. Sharing a website
It may not be possible to label files with the samba_share_t type, for example, when wanting to share a website in the /var/www/html/ directory. For these cases, use the samba_export_all_ro Boolean to share any file or directory (regardless of the current label), allowing read-only permissions, or the samba_export_all_rw Boolean to share any file or directory (regardless of the current label), allowing read and write permissions.

The following example creates a file for a website in /var/www/html/, and then shares that file through Samba, allowing read and write permissions. This example assumes the httpd, samba, samba-common, samba-client, and wget packages are installed:

1. As the root user, create a /var/www/html/file1.html file. Copy and paste the following content into this file:

   <html>
   <h2>File being shared through the Apache HTTP Server and Samba.</h2>
   </html>

2. Enter the following command to view the SELinux context of file1.html:

   ~]$ ls -Z /var/www/html/file1.html
   -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1.html

   The file is labeled with the httpd_sys_content_t type. By default, the Apache HTTP Server can access this type, but Samba cannot.

3. Start the Apache HTTP Server:

   ~]# systemctl start httpd.service

4. Change into a directory your user has write access to, and enter the following command. Unless there are changes to the default configuration, this command succeeds:

   ~]$ wget http://localhost/file1.html
   Resolving localhost... 127.0.0.1
   Connecting to localhost|127.0.0.1|:80... connected.
   HTTP request sent, awaiting response... 200 OK
   Length: 84 [text/html]
   Saving to: `file1.html.1'

   100%[=======================>] 84   --.-K/s   in 0s

   `file1.html.1' saved [84/84]

5. Edit /etc/samba/smb.conf as root. Add the following to the bottom of this file to share the /var/www/html/ directory through Samba:

   [website]
   comment = Sharing a website
   path = /var/www/html/
   public = no
   writable = no

6. The /var/www/html/ directory is labeled with the httpd_sys_content_t type. By default, Samba cannot access files and directories labeled with this type, even if Linux permissions allow it. To allow Samba access, enable the samba_export_all_ro Boolean:

   ~]# setsebool -P samba_export_all_ro on

   Do not use the -P option if you do not want the change to persist across reboots. Note that enabling the samba_export_all_ro Boolean allows Samba to read files of any type, not only those under /var/www/html/.

7. Start the Samba service:

   ~]# systemctl start smb.service
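As an added example that is not part of the Red Hat guide, the following POSIX sh script audits shares against the two rules this section describes: the samba_share_t labeling from the first example and the samba_export_all_ro / samba_export_all_rw Booleans from the second. It reads share paths out of an smb.conf, looks up each path's SELinux type in ls -Z output, and reports what SELinux lets Samba do with it. The smb.conf, ls -Zd and getsebool inputs are constructed samples embedded inline (on a live system they would come from those commands), the ls -Z line format assumed is the one shown on this page (mode, user, group, context, name), and the access decision is a simplified model of the section's wording that ignores Linux DAC permissions and the writable= setting in smb.conf.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: report which Samba shares
# SELinux lets smbd reach, using the rules described in this section.
# All inputs below are constructed samples in the formats of smb.conf,
# `ls -Zd` (mode user group context name) and `getsebool`.

SMB_CONF='[global]
workgroup = WORKGROUP

[myshare]
comment = My share
path = /myshare
public = yes
writable = no

[website]
comment = Sharing a website
path = /var/www/html/
public = no
writable = no'

LS_Z='drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 /myshare
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/'

BOOLS_DEFAULT='samba_export_all_ro --> off
samba_export_all_rw --> off'

# Constructed state after `setsebool -P samba_export_all_ro on`
BOOLS_RO_ON='samba_export_all_ro --> on
samba_export_all_rw --> off'

# share_paths CONF: print "sharename path" for every [section] that sets
# path=, with any trailing slash removed so paths compare cleanly.
share_paths() {
  printf '%s\n' "$1" | awk '
    /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
    /^[ \t]*path[ \t]*=/ {
      sub(/^[ \t]*path[ \t]*=[ \t]*/, ""); sub(/\/+$/, "")
      if (sec != "global") print sec, $0
    }'
}

# context_type LSZ PATH: the SELinux type (third field of the context)
# recorded for PATH in ls -Z output; prints nothing if PATH is absent.
context_type() {
  printf '%s\n' "$1" | awk -v p="$2" '
    { f = $NF; sub(/\/+$/, "", f)
      if (f == p) { split($(NF - 1), c, ":"); print c[3]; exit } }'
}

# bool_on BOOLS NAME: succeed if getsebool output reports NAME as on.
bool_on() {
  printf '%s\n' "$1" | awk -v b="$2" '
    $1 == b && $3 == "on" { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# samba_access TYPE RO RW: what SELinux lets Samba do with a file of TYPE
# when samba_export_all_ro is RO and samba_export_all_rw is RW ("on"/"off").
# Simplified model of this section: samba_share_t is readable and writable;
# the rw Boolean opens every type read/write; the ro Boolean opens every
# type read-only. DAC permissions and smb.conf writable= are not modelled.
samba_access() {
  ftype=$1; ro=$2; rw=$3
  if [ "$ftype" = samba_share_t ] || [ "$rw" = on ]; then
    echo rw
  elif [ "$ro" = on ]; then
    echo ro
  else
    echo none
  fi
}

# audit_shares CONF LSZ BOOLS: one line per share, "name path type access".
audit_shares() {
  ro=off; rw=off
  bool_on "$3" samba_export_all_ro && ro=on
  bool_on "$3" samba_export_all_rw && rw=on
  share_paths "$1" | while read -r name path; do
    t=$(context_type "$2" "$path")
    [ -n "$t" ] || t=unknown
    echo "$name $path $t $(samba_access "$t" "$ro" "$rw")"
  done
}

# Stand-alone run: the audit before and after enabling samba_export_all_ro.
# The website share goes from "none" to "ro"; myshare is "rw" either way
# because of its samba_share_t label.
audit_shares "$SMB_CONF" "$LS_Z" "$BOOLS_DEFAULT"
audit_shares "$SMB_CONF" "$LS_Z" "$BOOLS_RO_ON"
```

Run it as-is to see the constructed case; on a real server replace the three sample variables with the output of `cat /etc/samba/smb.conf`, `ls -Zd` on each share path, and `getsebool samba_export_all_ro samba_export_all_rw`. A share that reports "none" is exactly the situation the second example fixes with a Boolean, and one that reports "rw" only because samba_export_all_rw is on is worth a second look, since that Boolean opens every type on the system to Samba.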
