SELinux blocking Samba share mounting?

Paul Howarth paul at city-fan.org
Fri Feb 13 16:53:53 UTC 2009


Steven Stromer wrote:
>> What's the output of:
>>
>> # audit2allow < /var/log/audit/audit.log
>>
>> Paul.
>>
> 
> 
> Paul,
> 
> Thanks for the time! I understand what you are saying. I have set:
> 
> chcon -R -h -t home_root_t /home
> 
> so that the entire path's hierarchy will be consistent,

No no, this is wrong. home_root_t is for directories that *contain* home 
directories, not the home directories and their contents themselves.

I'd do a "restorecon -RF /home" to fix that, then put back the contexts 
on your share areas as you wanted them (e.g. samba_share_t or 
public_content_rw_t etc.).

Better still, I'd move your shares from under /home to under /srv if 
that's a possibility.

> and then:
> 
> setsebool -P use_samba_home_dirs 1
> 
> Tried connecting, but still unsuccessful, so, output of audit2allow < 
> /var/log/audit/audit.log is:
> 
> #============= smbd_t ==============
> allow smbd_t home_root_t:dir { search getattr };
> allow smbd_t httpd_sys_content_t:dir search;
> 
> 
> Trying to mount /home/server1/PHFiles generates in 
> /var/log/audit/audit.log:
> 
> type=AVC msg=audit(1234540788.851:16207): avc:  denied  { search } for  
> pid=26783 comm="smbd" name="/" dev=dm-2 ino=2 
> scontext=root:system_r:smbd_t:s0 
> tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> type=SYSCALL msg=audit(1234540788.851:16207): arch=c000003e syscall=4 
> success=no exit=-13 a0=2b119e168ff0 a1=7fff19c3c6a0 a2=7fff19c3c6a0 a3=3 
> items=0 ppid=17598 pid=26783 auid=0 uid=500 gid=0 euid=500 suid=0 
> fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=122 comm="smbd" 
> exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

Contexts need repairing before looking at these again.

> Trying to mount /var/www/html generates in /var/log/audit/audit.log:
> 
> type=AVC msg=audit(1234540890.725:16214): avc:  denied  { search } for  
> pid=26785 comm="smbd" name="www" dev=dm-3 ino=6815745 
> scontext=root:system_r:smbd_t:s0 
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
> type=SYSCALL msg=audit(1234540890.725:16214): arch=c000003e syscall=4 
> success=no exit=-13 a0=2b119e168ff0 a1=7fff19c3c6a0 a2=7fff19c3c6a0 a3=3 
> items=0 ppid=17598 pid=26785 auid=0 uid=500 gid=0 euid=500 suid=0 
> fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=122 comm="smbd" 
> exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)

/var/www is supposed to be readable under httpd only, not samba, so it's 
normal for these not to work. For both servers to be able to access the 
files (and samba to write them), you'll need /var/www and everything 
underneath it to be public_content_rw_t and to set the boolean 
allow_smbd_anon_write. If you need CGI scripts rather than just static 
content and built-in scripting (e.g. PHP) then you'll need a local 
policy module to allow samba access using the existing httpd_* types 
instead.

Paul.
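
An added example, not part of the thread: a POSIX shell helper that reduces AVC denials like the ones quoted above to "source_type target_type class perms" and prints (without running) the remediation this reply describes. The two sample lines are constructed from the denials in the thread, and /home/SHARE is a placeholder path.

```shell
#!/bin/sh
# Constructed sample AVCs, modelled on the two denials quoted in the thread.
SAMPLE_AVCS='type=AVC msg=audit(1234540788.851:16207): avc:  denied  { search } for  pid=26783 comm="smbd" name="/" dev=dm-2 ino=2 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1234540890.725:16214): avc:  denied  { search } for  pid=26785 comm="smbd" name="www" dev=dm-3 ino=6815745 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# Read audit lines on stdin; for each AVC denial print
# "<source type> <target type> <tclass> <permissions>".
avc_summarise() {
    awk '
    function field(line, key,    v) {        # value of key=... in an audit line
        v = line; sub(".*" key "=", "", v); sub(/ .*/, "", v); return v
    }
    function type_of(ctx,    a) { split(ctx, a, ":"); return a[3] }  # user:role:TYPE:level
    /^type=AVC/ && /denied/ {
        perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        print type_of(field($0, "scontext")), type_of(field($0, "tcontext")), \
              field($0, "tclass"), perms
    }'
}

# Map each summary line to the fix the reply recommends. Commands are printed,
# not executed, so the script is safe to run on any host; review before pasting.
avc_advise() {
    while read -r src tgt cls perms; do
        case "$src:$tgt" in
            smbd_t:home_root_t)
                echo "# home_root_t on a share path means /home was mislabelled; restore policy defaults:"
                echo "restorecon -RF /home"
                echo "# then label only the share area (SHARE is a placeholder):"
                echo "semanage fcontext -a -t samba_share_t '/home/SHARE(/.*)?' && restorecon -RF /home/SHARE" ;;
            smbd_t:httpd_sys_content_t)
                echo "# expected: httpd_sys_content_t is for httpd only. For httpd read + samba write:"
                echo "semanage fcontext -a -t public_content_rw_t '/var/www(/.*)?'"
                echo "restorecon -RF /var/www"
                echo "setsebool -P allow_smbd_anon_write 1" ;;
            *)
                echo "# no thread-specific advice for $src -> $tgt:$cls { $perms }; inspect with audit2allow -a" ;;
        esac
    done
}

# Stand-alone run over the constructed sample; for a live box use:
#   grep '^type=AVC' /var/log/audit/audit.log | avc_summarise | avc_advise
printf '%s\n' "$SAMPLE_AVCS" | avc_summarise | avc_advise
```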
