29

In the configuration I have set up, I wish to allow Samba and Apache to access /var/www. I am able to set a context to allow Samba access, but then httpd doesn't have access. Running setenforce 0 eliminates the issues, so I know that it is SELinux.

In addition: How can I view the context of a folder, and can a folder have multiple contexts?

(CentOS)

slm
Joshua Enfield

3 Answers

43

First off, you can view the context of something with ls using ls -Z:

[root@servername www]# ls -dZ /var/www
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t /var/www

Second, there are two options for giving Samba and Apache access to the same directory.

The simple way is to just allow samba read/write access everywhere with:

setsebool -P samba_export_all_rw 1

It's simple, easy, and doesn't mess with any weird properties of SELinux.

If you're concerned with Samba having full access to all directories and only want to change /var/www, try:

chcon -t public_content_rw_t /var/www
setsebool -P allow_smbd_anon_write 1
setsebool -P allow_httpd_anon_write 1

This will allow both Samba and Apache write access to any directories with the public_content_rw_t context. Note that chcon is only modifying /var/www. Any new directories created under /var/www will be public_content_rw_t, but not existing directories like /var/www/html or /var/www/manual. If you want to change everything, add an -R to chcon:

chcon -R -t public_content_rw_t /var/www

You can look through this CentOS wiki page to get hints on other SELinux booleans.

David
  • I tried this and it complains that a context is already defined. – Joshua Enfield Apr 12 '10 at 20:28
  • You're right, it looks like things have changed since I last messed with SELinux. I'll update my answer with some other options. – David Apr 13 '10 at 00:03
  • @Dave you saved my butt. See you at work tomorrow. – Joel E Salas Jul 25 '13 at 02:30
  • I wanted to mention that if your webroot is nested in a samba share, you'll need to set the context on the parent directories as well. For example: `chcon -t public_content_rw_t /mnt/share/webroot(/.*)?` `chcon -t public_content_rw_t /mnt/share` – Greg Sheremeta Apr 08 '14 at 15:59
  • Thank you, I was struggling with something similar but with ftp, and everything works after doing `setsebool -P ftpd_full_access=1` – giorgiline Aug 26 '14 at 15:02
10
SHARING FILES
   If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean: allow_DOMAIN_anon_write. So for samba you would execute:

       setsebool -P allow_smbd_anon_write=1

For example:

semanage fcontext -a -t public_content_rw_t '/var/www(/.*)?'
restorecon -R /var/www
setsebool -P allow_smbd_anon_write 1
hm2k
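The two answers above give the commands; what they do not show is how to check the current state before and after running them. The script below is an added example (not code from either answer or from any project): it parses the type field out of `ls -Z` output (both the three-field context shown in the first answer and the four-field context with an MLS level used by newer CentOS releases), looks up a boolean in `getsebool -a` style output, and emits the persistent semanage/restorecon/setsebool steps for a directory. The sample `ls -Z` and `getsebool` lines are constructed, not captured from a real host, and the function names are my own. Labeling goes through semanage rather than chcon because chcon only changes the in-memory label of the inode, and a later `restorecon` or full relabel resets it to whatever the file-context rules say; semanage records the rule so restorecon applies the same label every time.

```shell
#!/bin/sh
# Added example: inspect SELinux labels/booleans from command output and
# plan the persistent labeling of a directory shared by httpd and smbd.
# Nothing here runs semanage/setsebool itself; share_plan only prints them.

# Print the type (third field of user:role:type[:level]) from one line of
# `ls -Z` or `ls -dZ` output. Handles both the old 3-field context
# (system_u:object_r:httpd_sys_content_t) and the 4-field one with a level.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, f, ":")
            if (n >= 3 && f[2] == "object_r") { print f[3]; exit }
        }
    }'
}

# Return 0 when the type is one that Apache, FTP, rsync and Samba can all
# read (writes additionally need the allow_<domain>_anon_write booleans).
is_shared_type() {
    case "$1" in
        public_content_t|public_content_rw_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Look up one boolean in `getsebool -a` style output ("name --> on").
# $1: boolean name, $2: the full getsebool output. Prints on/off.
bool_state() {
    printf '%s\n' "$2" | awk -v b="$1" '$1 == b { print $3; exit }'
}

# Emit the commands that label DIR and everything below it as
# public_content_rw_t persistently and let smbd and httpd write there.
share_plan() {
    dir=$1
    printf "semanage fcontext -a -t public_content_rw_t '%s(/.*)?'\n" "$dir"
    printf 'restorecon -R -v %s\n' "$dir"
    printf 'setsebool -P allow_smbd_anon_write 1\n'
    printf 'setsebool -P allow_httpd_anon_write 1\n'
}

# --- constructed sample input (not captured from a real host) ---
SAMPLE_LS='drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www'
SAMPLE_BOOLS='allow_httpd_anon_write --> off
allow_smbd_anon_write --> on
samba_export_all_rw --> off'

t=$(selinux_type_of "$SAMPLE_LS")
echo "current type of /var/www: $t"
if is_shared_type "$t"; then
    echo "/var/www already carries a public_content type"
else
    echo "to share /var/www with both httpd and smbd, run as root:"
    share_plan /var/www
fi
echo "allow_httpd_anon_write is $(bool_state allow_httpd_anon_write "$SAMPLE_BOOLS")"
```

Feed real output in with `selinux_type_of "$(ls -dZ /var/www)"` and `bool_state allow_smbd_anon_write "$(getsebool -a)"`; pipe `share_plan /var/www` into `sh` as root once you have read what it will run.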
0

For Red Hat Linux:

Source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-the_apache_http_server-configuration_examples

13.4.2. Sharing NFS and CIFS volumes

By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes. In common policies, this default context uses the nfs_t type. Also, by default, Samba shares mounted on the client side are labeled with a default context defined by policy. In common policies, this default context uses the cifs_t type.

Depending on policy configuration, services may not be able to read files labeled with the nfs_t or cifs_t types. This may prevent file systems labeled with these types from being mounted and then read or exported by other services. Booleans can be enabled or disabled to control which services are allowed to access the nfs_t and cifs_t types.

Enable the httpd_use_nfs Boolean to allow httpd to access and share NFS volumes (labeled with the nfs_t type):

~]# setsebool -P httpd_use_nfs on

Enable the httpd_use_cifs Boolean to allow httpd to access and share CIFS volumes (labeled with the cifs_t type):

~]# setsebool -P httpd_use_cifs on

Note

Do not use the -P option if you do not want setsebool changes to persist across reboots.

NOTE: To view the current SELinux context settings for a directory (in the example below, the /shares/ directory):

ls -dZ /shares/

You can exclude the -d to view the context of the files and folders under the directory:

ls -Z /shares/

Labeling /shares/ with the public_content_t type allows read-only access by the Apache HTTP Server, FTP, rsync, and Samba. Enter the following command as root to add the label change to file-context configuration:

~]# semanage fcontext -a -t public_content_t "/shares(/.*)?"

Use the restorecon utility as root to apply the label changes:

~]# restorecon -R -v /shares/

NOTE: For me, I wasn't sure what the restorecon command was for and hadn't run it initially, and I was wondering why the semanage command's changes didn't get applied after I ran it. The reference article states that the restorecon command applies the context changes from the semanage command.

After applying the changes, you can view the context settings by running:

ls -dZ /shares/
WWC