Jaxelson: added category

2010-08-31T18:29:12Z

added category

←Older revision		Revision as of 18:29, 31 August 2010
Line 46:		Line 46:

	system-config-selinux is a GUI tool available to customize SELinux policy settings.		system-config-selinux is a GUI tool available to customize SELinux policy settings.
		+
		+	[[Category:Recipes]]

JoshuaBrindle: initial checkin of samba recipes

2009-11-20T20:02:34Z

initial checkin of samba recipes

New page

Samba is the SMB/CIFS daemon for sharing drives with Windows systems. It can be configured in a number of ways including sharing home directories, read only exports and so on. With SELinux you can enforce your Samba configuration so that even an exploit in Samba can't change the settings. A number of Samba recipes follow for common tasks.

= Sharing non-home directory files =
SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files. If you
want to share files other than home directories, those files must be labeled ''samba_share_t''. So if you created a special directory ''/var/eng'',
you would need to label the directory with the chcon tool.

chcon -t samba_share_t /var/eng

To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:

# semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"

Run the restorecon command to apply the changes:

# restorecon -R -v /var/eng/

'''Note: You should not do the above for standard directories or home directories! For example directories owned by an RPM. If you wanted to share /usr via Samba, changing its context and all of the sub directories to ''samba_share_t'' would be a bad idea. Other confined domains would no longer be able to read /usr and this would cause havoc on the machine. There are two booleans that you can set to allow the sharing of standard directories. If you want to share any standard directory read/only you can set the boolean ''samba_export_all_ro''.'''

# setsebool -P samba_export_all_ro=1

This boolean will allow Samba to read every file on the system. Similarly if you want to share all files and directories via Samba, you set the ''samba_export_all_rw''

# setsebool -P samba_export_all_rw=1

This boolean would allow Samba to read and write every file on your system. So a compromised Samba server would be very dangerous.

= Sharing files with Apache, FTP, and Samba =
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of ''public_content_t'' and ''public_content_rw_t''. These context allow any of the above domains to read the content. If you want a particular domain to write to the ''public_content_rw_t'' domain, you must set the appropriate boolean. ''allow_'''DOMAIN'''_anon_write''. So for samba you would execute:

# setsebool -P allow_smbd_anon_write=1

= Sharing home directories with Samba =

SELinux policy is customizable based on least access required. So by default SElinux policy turns off SELinux sharing of home directories and the use of Samba shares from a remote machine as a home directory.

If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the ''samba_enable_home_dirs'' boolean.

# setsebool -P samba_enable_home_dirs=1

= Home directories are on a Samba server =

If you want to use a remote Samba server for the home directories on this machine, you must set the ''use_samba_home_dirs'' boolean.

setsebool -P use_samba_home_dirs 1

system-config-selinux is a GUI tool available to customize SELinux policy settings.

SambaRecipes - Revision history

Jaxelson: added category

JoshuaBrindle: initial checkin of samba recipes