
SELinux and Samba, file context tagging for reading by apache and samba

Needing to set up Samba, primarily for remote backup of data, is very common. But with SELinux it can seem difficult, especially when the same files are accessed from more than one process domain.

With reference to CentOS: Setup Samba

In my case, I wish to allow our backup software (residing on the server 192.168.100.11) to use a user backuprobot to access data over SMB. This data is already served by httpd and will now also be served by Samba.

Restrict access to Samba’s bound port only to the backup server:

vim /etc/sysconfig/iptables

Add the following line where it is appropriate in the stack of iptables rules:

-A INPUT -s 192.168.100.11/32 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

Install samba:

yum -y install samba

Create the Unix user backuprobot and the matching Samba user backuprobot:

useradd backuprobot
passwd backuprobot
smbpasswd -a backuprobot

Configure the Samba service:

vim /etc/samba/smb.conf

Append the following to create the hidden Samba shares “sources$” and “webroot$”:

[sources$]
path=/reporoot/
valid users=backuprobot
public=no
writable=no
printable=no

[webroot$]
path=/var/www/
valid users=backuprobot
public=no
writable=no
printable=no

Deal with SELinux (with reference to man samba_selinux):

Since the smbd and httpd processes run in different SELinux domains and both need to access the files, the files’ contexts need to be set to a type that both domains are allowed to use.
The two domains we’re concerned with, and the access each needs, are as follows:
Samba = read
Apache = read and write

In order to do this, we must label the files with the SELinux type public_content_rw_t.

chcon -R -t public_content_rw_t /reporoot
chcon -R -t public_content_rw_t /var/www

Additionally, since we want to allow the httpd process to read and write files in /reporoot/, we must set the SELinux boolean allow_httpd_anon_write to on.

setsebool -P allow_httpd_anon_write on #take a nap

Since we don’t want writes to take place over Samba, we actually don’t need to set allow_smbd_anon_write to on.

After we test our lovely changes, we want to make the file context changes permanent (so they survive a file system relabeling, or the use of restorecon).
I believe you can just modify /etc/selinux/targeted/contexts/files/file_contexts directly. But the docs I’ve come across suggest using semanage, which is part of the policycoreutils-python package:

yum -y install policycoreutils-python
semanage fcontext -a -t public_content_rw_t "/reporoot(/.*)?"
semanage fcontext -a -t public_content_rw_t "/var/www(/.*)?"

Finally, give the backuprobot user ordinary filesystem (read) permission on the shared files; the SELinux labels do not replace that.
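As an added example (not code from the original post), the following POSIX shell script audits the labels that the procedure above relies on: it reads "context path" lines, as GNU find prints them with -printf '%Z %p\n', and reports every path whose SELinux type is not the one the shares need (public_content_rw_t). A file copied into /reporoot after the chcon run, or a web file left as httpd_sys_content_t, is exactly what breaks smbd or httpd access later, so this is the check to run after labelling and again after a relabel. The listing embedded below is constructed sample output, not taken from a real host; the function audit_labels and its single argument are this example's own names.

```shell
#!/bin/sh
# Added example (not from the original post): audit SELinux file labels under
# the Samba/httpd shared trees and list anything not carrying the wanted type.
#
# On the real CentOS host the input comes from GNU find:
#   find /reporoot /var/www -printf '%Z %p\n' | audit_labels public_content_rw_t
# Here a constructed sample of that output is embedded so the script runs offline.

# audit_labels WANT_TYPE
# Reads "context path" lines on stdin, where context is user:role:type:level.
# Prints "type path" for every path whose type differs from WANT_TYPE.
# Exit status 0 when every line matches, 1 when at least one does not.
audit_labels() {
    want="$1"
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        ctx=${line%% *}          # first field: the security context
        path=${line#* }          # remainder: the path (may contain spaces)
        rest=${ctx#*:}           # role:type:level
        rest=${rest#*:}          # type:level
        type=${rest%%:*}         # type only (also works with MLS ranges)
        if [ "$type" != "$want" ]; then
            printf '%s %s\n' "$type" "$path"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample of `find ... -printf '%Z %p\n'` output. Two entries carry
# types that neither the Samba nor the httpd share setup above expects.
SAMPLE_LISTING='unconfined_u:object_r:public_content_rw_t:s0 /reporoot
unconfined_u:object_r:public_content_rw_t:s0 /reporoot/project.tar.gz
unconfined_u:object_r:default_t:s0 /reporoot/new dump.sql
system_u:object_r:public_content_rw_t:s0 /var/www
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html'

# count_mislabeled WANT_TYPE: number of mislabeled paths in SAMPLE_LISTING
count_mislabeled() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_labels "$1" | wc -l | tr -d ' '
}

# mislabeled_paths WANT_TYPE: the "type path" report for SAMPLE_LISTING
mislabeled_paths() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_labels "$1"
}

# Stand-alone run: print the report for the constructed sample.
mislabeled_paths public_content_rw_t
```

On the host, anything the audit reports can be corrected with restorecon -Rv on the affected tree once the semanage fcontext rules from the post are in place, since restorecon applies the persistent rule rather than a one-off chcon.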
