Samba conflicts with SELinux

Some time ago, the Samba server was installed on the 4*4-core server in the lab. After solving the hardware problems installed on the server, Samba was configured on the server, but when the client accessed samba, display error. The red exclamation point is displayed in the upper-right corner of the host machine. Click here to see The SELinux alarm. The alarm time is the same as the samba access time of each client. It is estimated that SELinux is too rigorous, search the client error information online and find out that samba conflicts with SELinux.

PS: when Mr. Cao started to use the mounting method to configure NSF, it was also a SELinux problem, which can be solved after being disabled.

Method 1: Disable SELinux and modify the configuration file so that SELinux is not started when the system starts. (I am using this method)

Disable SELinux

 

[Root @ Jie ~] #VI/etc/sysconfig/SELinux

# This file controls the state of SELinux on the system.
# SELinux = can take one of these three values:
# Enforcing-SELinux security policy is enforced.
# Permissive-SELinux prints warnings instead of enforcing.
# Disabled-SELinux is fully disabled.
SELinux = enforcing

# Selinuxtype = type of policy in use. Possible values are:
# Targeted-only targeted network daemons are protected.
# Strict-full SELinux protection.
Selinuxtype = targeted

Set SELinux to disable,SELinux will be stopped after the system is started next time.
Kernel Parameter)

Alternatively, you can add the SELinux = 0 (STOP) or SELinux = 1 (enable) parameter after the core parameter.

File/boot/GRUB/menu. lst

Title Fedora Core (2.6.18-1.2798.fc6)
Root (hd0, 0)
Kernel/vmlinuz-2.6.18-1.2798.fc6 Ro root = label =/rhgb quiet SELinux = 0
Initrd/initrd-2.6.18-1.2798.fc6.img

Check current SELinux status

You need to know whether you are using SELinux now:

# Getenforce

Disabled

 

Method 2: Disable SELinux to configure Samba (not tested)

Enable the following two lines in smb. conf (remove the; sign from the beginning of the line)
After setsebool-P samba_domain_controller on setsebool-P samba_enable_home_dirs on takes effect, the home directory can be read and written normally.
If you want to set the/home/samba/TEMP directory to full sharing, you should write the input in the character state: chcon-T samba_cmd_t/home/samba/temp do not forget to set the/home/samba/TEMP directory attribute to 777 at the same time. It should be no different from other FC versions.



By default, SELinux prohibits write operations on the shared directory on the Samba server on the network, even if you allow this operation in smb. conf.

If you have configured a shared directory/share and allow users to read and write data, but you do not want to disable SELinux, you can try the following operations:

ProgramCode:

#/Usr/sbin/setsebool-P allow_smbd_anon_write = 1
# Chcon-T public_content_rw_t/share

The first statement sets the SELinux release to mark the content of public_content_rw_t, and the second statement marks the/share directory to be shared as public_content_rw_t.

Attached SELinux materials:

 

About SELinux

SELinux provides a flexible Mandatory Access Control System (MAC) at the Linux kernel level. This mandatory access control system is built on a free access control system (DAC.

DAC means that the system's Secure Access Control is managed by the system administrator root and is not mandatory by the system.

When running Mac, for example, when an application or thread runs with a user UID or suid, it also has access control restrictions on some other objects, such as files and ets) or other threads

Running SELinux Mac kernel can protect the system from malicious program attacks, or the system's own bugs will not have a fatal impact on the system (limiting the impact to a certain extent)

SELinux defines access and transmission permissions for every user, program, process, and file. Manage the interaction between all these objects

For SELinux, you can set the strict degree or completely disable the object during installation as needed.

In most cases, SELinux is completely transparent to users. ordinary users do not feel the existence of SELinux. Only the system administrator needs to consider these user environments and policies. These policies can be deployed as needed or strictly restricted by applications. SELinux provides very specific control policies covering the entire Linux system.

For example, if an object, such as an application, wants to access a file object, the control program in the kernel checks the access Vector cache (AVC) and finds the target and object permissions from here, if no permission definition is found here, you can continue to query the upper and lower associations of the security definition and file permissions, and then decide whether to allow or deny access. If the information AVC: denied appears in var/log/messages, the access is denied.

The security association between the target and the object is determined by the installation policy. These installation policies are also responsible for generating a security list for the system to provide information.

In addition to the running force mode, SELinux can run in the license mode. At this time, after AVC is checked, the rejection is recorded. SELinux does not force this policy.

The following describes SELinux-related tools.

/Usr/bin/setenforce modify the real-time running mode of SELinux

Setenforce 1 sets SELinux to enforcing Mode

Setenforce 0 sets SELinux to permissive Mode

To completely disable SELinux, set SELinux to 0 in/etc/sysconfig/SELinux, or add this parameter to/etc/grub. conf.

/Usr/bin/setstatus-V