Selinux breaks samba with no AVC's...

Tom Lisjac netdxr at gmail.com
Tue Sep 27 21:40:17 UTC 2005


On 9/27/05, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Tom Lisjac wrote:
>
> >I'm trying to make samba shares available on a new FC4 server...
> >When I switched to enforcing, I couldn't connect... and there were no
> >new AVC's. Switching back to permissive worked.

> Try out the booleans
>
> setsebool -P samba_enable_home_dirs=1
>
> # getsebool -a | grep samba
> samba_enable_home_dirs --> inactive
> use_samba_home_dirs --> inactive
> # getsebool -a | grep smb
> allow_smbd_anon_write --> inactive
> smbd_disable_trans --> inactive

That fixed it! Setting samba_enable_home_dirs and use_samba_home_dirs
to active restored access and allowed me to remove all but one of the
lines I added to local.te.

I've been relabelling the public_html directories as
user_u:object_r:httpd_user_content_t so Apache won't complain... but I
can't see this directory in the mounted samba shares. Audit2allow
returns the following:

allow smbd_t httpd_sys_content_t:dir getattr;

Is my labelling for public_html correct... or is there another switch
I can throw to allow samba to read and write to this directory?

-Tom
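
Added example, not part of the original message: a small shell check that compares the type named in an audit2allow rule with the type you meant to apply. Run on the two values quoted above, it shows that the rule names httpd_sys_content_t while the intended label was httpd_user_content_t. The function names and the `example_t` sample are made up for illustration.

```shell
#!/bin/sh
# Added example: compare the SELinux type that audit2allow rules name with the
# type you intended to apply. Sample inputs are the two strings quoted in the
# message above; nothing here touches the running policy.

# Print the type field (third colon-separated field) of a security context,
# e.g. user_u:object_r:httpd_user_content_t -> httpd_user_content_t.
context_type() {
    rest=${1#*:}                  # drop the user field
    rest=${rest#*:}               # drop the role field
    printf '%s\n' "${rest%%:*}"   # drop a trailing MLS level, if any
}

# Read audit2allow output on stdin ("allow SRC TGT:CLASS PERMS;") and, for
# each rule whose source domain is $2, report whether the target type equals
# the type in the intended context $1. Other lines are ignored.
check_rules() {
    want=$(context_type "$1")
    while read -r verb src tgt perms; do
        [ "$verb" = "allow" ] && [ "$src" = "$2" ] || continue
        got=${tgt%%:*}            # strip the ":dir" / ":file" object class
        if [ "$got" = "$want" ]; then
            echo "ok: rule for $src targets $tgt, matching intended type $want"
        else
            echo "mismatch: rule for $src targets $tgt, intended type was $want"
        fi
    done
}

# Values taken from the message: the label being applied to public_html and
# the rule audit2allow returned for smbd_t.
check_rules 'user_u:object_r:httpd_user_content_t' smbd_t <<'EOF'
allow smbd_t httpd_sys_content_t:dir getattr;
EOF
```

On a live system, feed `check_rules` the real audit2allow output and take the first argument from `ls -Zd` on the directory in question.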




More information about the fedora-selinux-list mailing list