SELinux and Samba: file context tagging for files served by both Apache and Samba
Setting up Samba purely for remote backup of data is a very common need. With SELinux enabled it can seem difficult, especially when the same files are used by processes in different SELinux domains.
With reference to CentOS: Setup Samba…
In my case, I want to let our backup software (on the server 192.168.100.11) access data over SMB as the user backuprobot. That data happens to be served by both httpd and, now, Samba.
Restrict access to Samba's port to the backup server only:
Add the following line at the appropriate place in the iptables rule set, before any catch-all REJECT or DROP rule (445/tcp is enough for direct-hosted SMB; NetBIOS over TCP on 139/tcp is not needed and stays closed):
-A INPUT -s 192.168.100.11/32 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
yum -y install samba
Create the Unix user backuprobot and the matching Samba user (smbpasswd prompts for the SMB password; the Unix password is only needed if the account should also log in locally, otherwise give it a non-login shell):
useradd backuprobot
passwd backuprobot
smbpasswd -a backuprobot
Configure the Samba service:
Append the following to /etc/samba/smb.conf to create the hidden shares "sources$" and "webroot$" (the trailing $ is only a Windows naming convention; browseable = no is what actually keeps a share out of browse lists):
Deal with SELinux (with reference to man samba_selinux):
smbd and httpd run in separate SELinux domains (smbd_t and httpd_t) and both need to reach the same files, so the files must carry a type that both domains are permitted to access.
The access each domain needs is:
Samba = read
Apache = read and write
Both are covered by the shared type public_content_rw_t, which smbd_t can read and httpd_t can read and, with the matching boolean, write. Be aware that this type is shared by several confined services (httpd, samba, ftp and rsync all have rules for it), so anything labelled this way is readable by all of them, not only by these two.
chcon -R -t public_content_rw_t /reporoot
chcon -R -t public_content_rw_t /var/www
Additionally, because httpd must be able to write under /reporoot/, the boolean allow_httpd_anon_write has to be switched on (on CentOS 7 and later the boolean is named httpd_anon_write):
setsebool -P allow_httpd_anon_write on # -P writes the change to the policy store, which takes a while
Since writes must never happen over Samba, leave allow_smbd_anon_write off; mark the shares read only at the Samba level as well, so both layers deny a write.
After testing the changes, make the file contexts permanent so they survive a filesystem relabel or a restorecon run (chcon changes are undone by either).
Editing /etc/selinux/targeted/contexts/files/file_contexts by hand is tempting, but that file is generated from the installed policy modules and overwritten when they change; the documented route is semanage, from the policycoreutils-python package, which records the pattern in file_contexts.local:
yum -y install policycoreutils-python
semanage fcontext -a -t public_content_rw_t "/reporoot(/.*)?"
semanage fcontext -a -t public_content_rw_t "/var/www(/.*)?"
Finally, give the user ordinary filesystem permissions on the files: SELinux only adds restrictions on top of DAC, so backuprobot still needs read access to /reporoot and /var/www through owner, group or an ACL.
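As an added example (not the post's own commands), here is the whole procedure as one script: the smb.conf stanza for the two hidden read-only shares, the persistent labelling done with semanage plus restorecon instead of chcon, the httpd boolean, the DAC permissions for backuprobot, and a check that nothing in the two trees still carries a different type. The user, host and paths come from the post; the share-to-path mapping (sources$ to /reporoot, webroot$ to /var/www), the hosts allow line and the ACL-based permission grant are my assumptions.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumes the mapping
# sources$ -> /reporoot and webroot$ -> /var/www, the user backuprobot and the
# backup host 192.168.100.11 from the post; the rest is an assumed default.
set -e

SHARE_USER=backuprobot
BACKUP_HOST=192.168.100.11
LABEL=public_content_rw_t

# smb.conf stanza for the two shares. The trailing "$" only hides the name from
# Windows clients; "browseable = no" keeps it out of browse lists, "read only"
# enforces no writes over SMB, and "hosts allow" repeats the iptables
# restriction at the Samba layer (assumed defence in depth).
share_config() {
    cat <<EOF
[sources\$]
    path = /reporoot
    valid users = $SHARE_USER
    hosts allow = $BACKUP_HOST
    browseable = no
    read only = yes

[webroot\$]
    path = /var/www
    valid users = $SHARE_USER
    hosts allow = $BACKUP_HOST
    browseable = no
    read only = yes
EOF
}

# Filter: reads "<context> <path>" lines (the format of `stat -c '%C %n'`) on
# stdin and prints the paths whose SELinux type (third colon-separated field of
# the context) differs from the expected one. Pure text processing, so it also
# works on saved output from a machine without SELinux.
mislabeled() {
    awk -v want="$1" '
        { split($1, c, ":"); if (c[3] != want) print substr($0, length($1) + 2) }
    '
}

# Persistent labelling via semanage + restorecon (a relabel or restorecon would
# undo plain chcon), the httpd write boolean, DAC access for the backup user,
# and a check that nothing under the trees is left with another type.
# Needs root on an SELinux host; only runs when invoked with "apply".
apply_selinux() {
    for d in /reporoot /var/www; do
        # -a fails if a rule for this pattern already exists; fall back to -m
        semanage fcontext -a -t "$LABEL" "$d(/.*)?" 2>/dev/null \
            || semanage fcontext -m -t "$LABEL" "$d(/.*)?"
        restorecon -R "$d"
        # DAC: SELinux only restricts, so the backup user still needs read
        # access (assumed approach: a read-only ACL, no owner/group change)
        setfacl -R -m "u:$SHARE_USER:rX" "$d"
    done
    # httpd may write to public_content_rw_t only with this boolean on;
    # CentOS 5/6 name first, CentOS 7+ name as fallback. -P is slow.
    setsebool -P allow_httpd_anon_write on 2>/dev/null \
        || setsebool -P httpd_anon_write on
    # smbd_anon_write stays off: the backup shares are read-only by design.
    bad=$(find /reporoot /var/www -exec stat -c '%C %n' {} + | mislabeled "$LABEL")
    if [ -n "$bad" ]; then
        printf 'still mislabeled:\n%s\n' "$bad" >&2
        return 1
    fi
}

case "${1:-}" in
    apply)
        # append the stanza once, then let testparm validate the result
        share_config >> /etc/samba/smb.conf && testparm -s >/dev/null
        apply_selinux
        ;;
    show)
        share_config
        ;;
esac
```

Run it with `show` to review the stanza and with `apply` as root on the server. The `mislabeled` filter is the check worth re-running after any relabel: `find /reporoot /var/www -exec stat -c '%C %n' {} + | mislabeled public_content_rw_t` should print nothing.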