The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
Label files with the samba_share_t type to allow Samba to share them. Only label files you have created, and do not relabel system files with the samba_share_t type: Booleans can be enabled to share such files and directories. SELinux allows Samba to write to files labeled with the samba_share_t type, as long as the /etc/samba/smb.conf file and Linux permissions are set accordingly.
The samba_etc_t type is used on certain files in the /etc/samba/ directory, such as smb.conf. Do not manually label files with the samba_etc_t type. If files in this directory are not labeled correctly, enter the restorecon -R -v /etc/samba command as the root user to restore such files to their default contexts. If /etc/samba/smb.conf is not labeled with the samba_etc_t type, starting the Samba service may fail and an SELinux denial message may be logged. The following is an example denial message when /etc/samba/smb.conf was labeled with the httpd_sys_content_t type:
setroubleshoot: SELinux is preventing smbd (smbd_t) "read" to ./smb.conf (httpd_sys_content_t). For complete SELinux messages. run sealert -l deb33473-1069-482b-bb50-e4cd05ab18af
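The following is an added example, not part of the original documentation: a small POSIX shell triage that parses setroubleshoot summary lines in the format shown above and maps each smbd_t denial to the remediation this page describes. The function names, verdict strings and the two constructed sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage setroubleshoot summary lines for Samba label problems.
# parse_denial and triage are hypothetical helper names, not part of any tool.

# Print "domain permission target target_type", or nothing if the line does
# not match. Limitation: target paths containing spaces are not handled.
parse_denial() {
    printf '%s\n' "$1" | sed -n \
        's/.*SELinux is preventing [^ ]* (\([a-z0-9_]*\)) "\([a-z_]*\)" to \([^ ]*\) (\([a-z0-9_]*\)).*/\1 \2 \3 \4/p'
}

# Map one log line to the action described on this page.
triage() {
    fields=$(parse_denial "$1")
    if [ -z "$fields" ]; then
        echo "unparsed"
        return 0
    fi
    read -r domain perm target ttype <<EOF
$fields
EOF
    if [ "$domain" != "smbd_t" ]; then
        echo "skip: $domain"          # not a Samba daemon denial
        return 0
    fi
    case "$ttype" in
        samba_etc_t|samba_share_t)
            # Label is already a Samba type, so the cause lies elsewhere.
            echo "samba-type: check smb.conf and Linux permissions ($perm)" ;;
        *)
            if [ "${target##*/}" = "smb.conf" ]; then
                echo "fix: restorecon -R -v /etc/samba"
            else
                echo "review: $target is $ttype; label samba_share_t only if you created it"
            fi ;;
    esac
}

# First line is the message quoted on this page; the other two are constructed.
PAGE_LINE='setroubleshoot: SELinux is preventing smbd (smbd_t) "read" to ./smb.conf (httpd_sys_content_t). For complete SELinux messages. run sealert -l deb33473-1069-482b-bb50-e4cd05ab18af'
SHARE_LINE='setroubleshoot: SELinux is preventing smbd (smbd_t) "write" to ./report.txt (user_home_t).'
OTHER_LINE='setroubleshoot: SELinux is preventing httpd (httpd_t) "read" to ./index.html (samba_share_t).'

for line in "$PAGE_LINE" "$SHARE_LINE" "$OTHER_LINE"; do
    triage "$line"
done
```

For a "review" verdict on a system file, the page's guidance is to enable the relevant Boolean rather than relabel the file.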