I repurposed an old AMD A10 APU-based machine that was collecting dust in my basement to act as a NAS, and eventually some other light-duty tech work. It's running CentOS 8.1, the boot disk is a 340GB hard drive I had laying around, and I have a 2TB, 2-drive RAID-1 array I put together with mdadm intended to be used mainly for the NAS. The RAID array (/dev/md0) is mounted to /media/raid0 and inside is a directory called nas set to mode 777. I have this line in /etc/fstab:
/dev/md0 /media/raid0 ext4 defaults 0 0
Samba is set to share /media/raid0/nas as a share called "fileshare". Following the SELinux recipe for Samba, I applied the samba_share_t label recursively to /media/raid0/nas and made it permanent with the semanage command.
However, when I attempt to browse \\SERVER\fileshare on a Windows machine, it says it can't connect. When I try to access it with smbclient on the server, I get kicked out with NT_STATUS_BAD_NETWORK_NAME. Samba's logs show repeated errors saying canonicalize_connect_path failed for service fileshare, path /media/raid0/nas.
BUT, if I disable SELinux with setenforce 0, the share suddenly works like flipping a switch. No errors, I connect with no problems.
To recap:
- /media/raid0/nas is the path being shared as fileshare
- /media/raid0/nas is extremely permissive (mode 777)
- I have applied the samba_share_t label to /media/raid0/nas and it's set to be done recursively in SELinux
- I can connect to the share without issue if SELinux is disabled (setenforce 0).
Why is SELinux still blocking this share? I'll note that I also tried moving the mountpoint to /raid0 but got the same results.
Edit: I'm seeing entries like this in my audit logs:
time->Mon Nov 2 22:41:39 2020
type=AVC msg=audit(1604374899.147:1102): avc: denied { read } for pid=8091 comm="smbd" name="/" dev="md0" ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
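As an added example (not part of the original post), this Python sketch parses the AVC record quoted above and reports which object the denial refers to and what label it carried. The function names are hypothetical, and the sample input is the record from the post joined onto one line.

```python
import re

# The AVC record quoted in the post, joined onto one line.
RECORD = ('type=AVC msg=audit(1604374899.147:1102): avc: denied { read } for '
          'pid=8091 comm="smbd" name="/" dev="md0" ino=2 '
          'scontext=system_u:system_r:smbd_t:s0 '
          'tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1')

def parse_avc(record):
    """Split one AVC record into its fields; return None if it is not AVC."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', record)
    if not m:
        return None
    fields = {'result': m.group(1), 'perms': m.group(2).split()}
    # key=value pairs; values are either double-quoted or bare tokens
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(3)):
        fields[key] = quoted or bare
    return fields

def context_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def diagnose(fields):
    """Turn the parsed fields into short, human-readable findings."""
    src = context_type(fields['scontext'])
    tgt = context_type(fields['tcontext'])
    notes = [f"{fields['comm']} ({src}) {fields['result']} "
             f"{','.join(fields['perms'])} on a {fields['tclass']} typed {tgt}"]
    if fields.get('name') == '/':
        # name="/" is the top directory of the filesystem on that device,
        # i.e. the mountpoint itself rather than a directory beneath it
        notes.append(f"object is the root directory of the filesystem on "
                     f"{fields['dev']} (inode {fields['ino']})")
    if tgt == 'unlabeled_t':
        notes.append("target has no valid SELinux label (unlabeled_t)")
    if fields.get('permissive') == '1':
        notes.append("recorded in permissive mode: access was logged, not blocked")
    return notes

if __name__ == '__main__':
    for note in diagnose(parse_avc(RECORD)):
        print(note)
```

On a live system the labels the parser reports can be compared with what `ls -Zd` shows for the mountpoint and for the shared directory.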