How to configure Samba on a server without disabling SELinux

Source: Internet
Author: User

SELinux is a very good system and well worth learning. Here I mainly explain how SELinux is used in practice, together with some background on SELinux itself. Some time ago a Samba server was installed on the 4*4-core server in the lab. After the hardware problems on the server were solved, Samba was configured on it, but clients got an error when they accessed Samba, and a red exclamation mark was displayed in the upper-right corner of the host machine's screen.

Clicking it shows the SELinux alerts. The alert times match the times at which each client accessed Samba. I guessed that SELinux was being too strict, and searching online for the client error message confirmed that Samba conflicts with SELinux.

PS: when Mr. Cao first configured NFS using the mount method, that was also an SELinux problem, and it was solved once SELinux was disabled.

Method 1: Disable SELinux by modifying the configuration file so that SELinux is not started when the system boots (this is the method I am using).

Disable SELinux:

    [root@Jie ~]# vi /etc/sysconfig/selinux
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=targeted

Set SELINUX to disabled. After the system is restarted, SELinux will be off. Alternatively, use a Linux kernel parameter: add selinux=0 (disabled) or selinux=1 (enabled) to the end of the kernel line in /boot/grub/menu.lst:

    title Fedora Core (2.6.18-1.2798.fc6)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-1.2798.fc6 ro root=LABEL=/ rhgb quiet selinux=0
    initrd /initrd-2.6.18-1.2798.fc6.img

Check the current status of SELinux to see whether it is in use:

    # getenforce
    Disabled

Method 2: Configure Samba without disabling SELinux (not tested).

Enable the following two lines in smb.conf (just remove the ';' at the start of each line):

    setsebool -P samba_domain_controller on
    setsebool -P samba_enable_home_dirs on

Once they take effect, the home directory can be read and written normally.

If you want to make the /home/samba/temp directory fully shared, enter the following at the command line:

    chcon -t samba_cmd_t /home/samba/temp

Do not forget to set the permissions of the /home/samba/temp directory to 777 at the same time. Other FC versions should be no different.

By default, SELinux prohibits write operations over the network on a directory shared by the Samba server, even if you allow them in smb.conf. If you have configured a shared directory /share and allow users to read and write data in it, but you do not want to disable SELinux, you can try the following:

Program code:

    # /usr/sbin/setsebool -P allow_smbd_anon_write=1
    # chcon -t public_content_rw_t /share

The first command tells SELinux to allow writes to content labelled public_content_rw_t, and the second labels the /share directory to be shared as public_content_rw_t.

Appendix: an introduction to SELinux

SELinux provides a flexible mandatory access control (MAC) system at the Linux kernel level. This mandatory access control system is built on top of discretionary access control (DAC).

DAC means that the system's access control is managed at the discretion of the system administrator (root) rather than enforced by the system. With MAC running, an application or thread that runs with a user's UID or SUID is still subject to access control restrictions on other objects, such as files, sockets or other threads. Running the SELinux MAC kernel protects the system from malicious programs and keeps bugs in the system itself from having a critical impact.

SELinux defines access and transition permissions for every user, program, process, and file, and manages the interaction between all these objects.

You can choose how strict SELinux should be at installation time, as needed, or disable SELinux completely. In most cases SELinux is completely transparent to users: ordinary users do not notice that it is there. Only the system administrator needs to consider the user environment and the policies.

These policies can be as loose or as strict as the applications require. SELinux provides very fine-grained control policies covering the entire Linux system. For example, when a subject such as an application wants to access an object such as a file, the enforcement code in the kernel checks the access vector cache (AVC), where the permissions of subjects and objects are cached.

If no permission entry is found there, the query continues with the security contexts and file permissions, and access is then allowed or denied. If the message avc: denied appears in /var/log/messages, the access was denied.

The security context of subjects and objects is determined by the installed policy, which is also responsible for generating the security table that the system consults. In addition to enforcing mode, SELinux can run in permissive mode. In that mode the AVC is still checked and denials are logged, but SELinux does not enforce the policy.
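The avc: denied records described above show which label or boolean Samba is missing, so a denial can be resolved without turning SELinux off. The script below is an added example, not part of the original article: it parses constructed sample log lines and maps each smbd denial to one of the remedies from Method 2. The function names, the sample lines and the mapping heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages content (not from a real host).
sample_log() {
cat <<'EOF'
Jan 10 14:02:11 jie kernel: audit(1168437731.123:42): avc:  denied  { write } for  pid=2345 comm="smbd" name="share" dev=sda1 ino=12345 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
Jan 10 14:02:12 jie smbd[2345]: connect to service share
Jan 10 14:05:40 jie kernel: audit(1168437940.501:43): avc:  denied  { write } for  pid=2351 comm="smbd" name="share" dev=sda1 ino=12345 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
Jan 10 14:06:02 jie kernel: audit(1168437962.010:44): avc:  denied  { read } for  pid=2410 comm="httpd" name="index.html" dev=sda1 ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Jan 10 14:07:19 jie kernel: audit(1168438039.222:45): avc:  denied  { getattr read } for  pid=2351 comm="smbd" name="notes.txt" dev=sda1 ino=12399 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
EOF
}

# avc_denials COMM < log: one line per distinct denial for that command,
# formatted as perms|class|name|source_type|target_type
avc_denials() {
    awk -v want="$1" '
    /avc: +denied/ {
        perms = ""; comm = ""; name = "-"; cls = ""; st = ""; tt = ""
        b = index($0, "{"); e = index($0, "}")
        if (b && e > b) {                  # permissions sit inside { ... }
            perms = substr($0, b + 1, e - b - 1)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {        # the rest is key=value fields
            n = index($i, "="); if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "name") name = v
            else if (k == "tclass") cls = v
            else if (k == "scontext") { split(v, c, ":"); st = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); tt = c[3] }
        }
        if (comm != want) next
        key = perms "|" cls "|" name "|" st "|" tt
        if (!(key in seen)) { seen[key] = 1; print key }   # drop repeats
    }'
}

# samba_hints < log: heuristic (an assumption of this example) that maps the
# target type of each smbd denial to one of the article's Method 2 remedies.
samba_hints() {
    avc_denials smbd | awk -F'|' '
        $5 == "user_home_t" || $5 == "user_home_dir_t" {
            print $3 ": setsebool -P samba_enable_home_dirs on"; next }
        $5 == "public_content_rw_t" {
            print $3 ": setsebool -P allow_smbd_anon_write=1"; next }
        { print $3 ": relabel (type " $5 "), e.g. chcon -t public_content_rw_t" }'
}
sample_log | samba_hints
```

On a real host, feed /var/log/messages to samba_hints instead of sample_log; the parser assumes file names without spaces.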

The following describes SELinux-related tools.

    /usr/bin/setenforce modifies the running mode of SELinux in real time
    setenforce 1 sets SELinux to enforcing mode
    setenforce 0 sets SELinux to permissive mode

To completely disable SELinux, disable it in /etc/sysconfig/selinux, or add the selinux=0 parameter to /etc/grub.conf.

    /usr/bin/sestatus -v
