Conflicting contexts for httpd and Samba

Paul Howarth paul at city-fan.org
Fri Aug 7 10:36:47 UTC 2009


On 07/08/09 11:24, Trevor Hemsley wrote:
> I have a machine where I am trying to turn on selinux in enforcing mode
> - currently running in permissive mode while I sort out what's likely to
> stop working. On this machine I have both Samba and Apache. The Samba
> server has shares on a disk partition that's mounted on /share and I was
> getting AVCs for this so I used semanage and restorecon to mark all
> directories on there as context samba_share_t. Works great except that
> one directory on that share is also used by Apache and then I started
> getting AVCs for that dir whenever someone tried to access its content
> over http. Having done some reading I then tried to mark that directory
> as context public_content_t and that gets rid of the AVCs for http but I
> get them back for the Samba server instead :(
>
> The directory in question that resides on the /share partition is used
> by the Sophos Anti-Virus Enterprise Console to keep copies of all its
> install materials and locally cached copies of all the AV definition
> files. We have a Windows XP machine that runs the Enterprise Console and
> this updates the AV definitions on the Samba share about every 5 minutes
> - so Samba needs to have update access to the directory in question.
>
> For users outside the main office we also make the Sophos AV definitions
> available over https so Apache needs to be able to read the same
> directory that Samba can write to. Both Samba and Apache processes are
> running on the same machine and are accessing /share as a local file
> system. I can see booleans that let Apache access Samba shares as
> network drives but not as local file systems.
>
> These are the sort of AVCs I am currently getting and I'm now out of
> ideas about how to solve this. Does anyone have any suggestions please?

Label your directory (assuming it's called /share/sophos here) 
public_content_rw_t:

# semanage fcontext -a -t public_content_rw_t '/share/sophos(/.*)?'
# restorecon -rF /share/sophos

Give samba write access to public_content_rw_t:

# setsebool -P allow_smbd_anon_write=1

Cheers, Paul.
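The three commands above, as an added script that is not part of this thread: it applies the labelling idempotently (a second `semanage fcontext -a` for the same pattern fails with "already defined", so it switches to `-m`) and then checks that policy, on-disk label and boolean agree. The path /share/sophos and the boolean name allow_smbd_anon_write are assumptions carried over from the reply.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes the shared
# directory is /share/sophos and the boolean is named allow_smbd_anon_write
# (newer policies call it smbd_anon_write).

# Build the file-context regex semanage expects: the directory itself
# plus everything below it.
fcontext_pattern() {
    printf '%s(/.*)?' "${1%/}"
}

# Add the mapping, or modify it if a rule for this pattern already exists,
# then relabel the tree so the on-disk labels match the policy.
label_shared_dir() {
    dir=$1
    pattern=$(fcontext_pattern "$dir")
    if semanage fcontext -l | grep -qF "$pattern"; then
        semanage fcontext -m -t public_content_rw_t "$pattern"
    else
        semanage fcontext -a -t public_content_rw_t "$pattern"
    fi
    restorecon -rF "$dir"
}

# Let smbd write to public_content_rw_t; httpd can already read it,
# so no httpd boolean is needed for read-only access over https.
enable_samba_write() {
    setsebool -P allow_smbd_anon_write=1
}

# Show what policy and filesystem now say, so a remaining AVC can be
# traced to a stale label or a boolean that did not take.
verify_labels() {
    dir=$1
    matchpathcon "$dir"            # policy: ...:public_content_rw_t:...
    ls -dZ "$dir"                  # on-disk label should agree
    getsebool allow_smbd_anon_write
    ausearch -m avc -ts recent 2>/dev/null | grep -E 'smbd|httpd' || true
}

# Only act on a host that actually has the SELinux management tools.
if command -v semanage >/dev/null 2>&1; then
    label_shared_dir /share/sophos
    enable_samba_write
    verify_labels /share/sophos
fi
```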
