refer: http://andrew.sayya.org/blog/?p=193
Example: share a samba-share item via Samba, with the share both readable and writable, so that anonymous (guest) users can write to it as well as read from it.
Test environment: RHEL 5.1 Server
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
# vi /etc/samba/smb.conf

[global]
    workgroup = smbgroup
    netbios name = smbname
    server string = just samba server
    security = share

[samba-share]
    comment = samba-share test dir
    path = /samba-share
    read only = no
    public = yes
    browseable = yes
* When the Samba server shares the samba-share item without requiring a password, SELinux by default denies clients access to it.
# mkdir /samba-share
# chown nobody.nobody /samba-share
# ls -Zd /samba-share/
drwxr-xr-x nobody nobody root:object_r:root_t /samba-share/
# service smb restart

* Log in to the Samba service and try a write test:

# smbclient //localhost/samba-share
Password:
Domain=[SMBGROUP] OS=[Unix] Server=[Samba 3.0.25b-0.el5.4]
Server not using user level security and no password supplied.
smb: /> ls
  .                                   D        0  Fri Oct 17 21:23:06 2008
  ..                                  D        0  Fri Oct 17 21:23:06 2008

                50391 blocks of size 131072. 7298 blocks available
smb: /> mkdir xxx
NT_STATUS_ACCESS_DENIED making remote directory /xxx
Strange: read only = no should allow writes, and the file permissions for nobody are correct, so why can't we write?
# tail -n 1 /var/log/messages
Oct 17 21:31:41 nis setroubleshoot: SELinux is preventing samba (/usr/sbin/smbd) "create" to xxx (root_t).

For complete SELinux messages. run sealert -l db986eee-e0a6-42a1-b8a3-bfd530d4d2b3
* So the problem is SELinux. Besides the fix suggested by sealert -l db986eee-e0a6-42a1-b8a3-bfd530d4d2b3, the man page also provides reference material.
FILE_CONTEXTS

SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files.

If you want to share files other than home directories, those files must be labeled samba_share_t. So if you created a special directory /var/eng, you would need to label the directory with the chcon tool.

chcon -t samba_share_t /var/eng

If you want to make this permanent, i.e. survive a relabel, you must add an entry to the file_contexts.local file.

/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
/var/eng(/.*)? system_u:object_r:samba_share_t
Approach 1:
# ls -dZ /samba-share/
drwxr-xr-x nobody nobody root:object_r:root_t /samba-share/

# chcon -R -t samba_share_t /samba-share/

# ls -dZ /samba-share/
drwxr-xr-x nobody nobody root:object_r:samba_share_t /samba-share/

...
SHARING FILES

If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean, allow_DOMAIN_anon_write. So for samba you would execute:

setsebool -P allow_smbd_anon_write=1

...
# ls -dZ /samba-share/
drwxr-xr-x root root root:object_r:root_t /samba-share/

# chcon -R -t public_content_rw_t /samba-share/

# ls -dZ /samba-share/
drwxr-xr-x nobody nobody root:object_r:public_content_rw_t /samba-share/
Note: public_content_t (read) and public_content_rw_t (write) are file types that every domain can access. The latter usually also needs the allow_xxx_anon_write boolean turned on; otherwise the domain only has read permission. SELinux leaves this boolean off by default, so the share can be read but not written.
# getsebool -a | grep allow_smbd_anon_write
allow_smbd_anon_write --> off
After turning this boolean on, writes succeed.
# setsebool -P allow_smbd_anon_write=1
* Log in to the Samba service and try the write test again:

# smbclient //localhost/samba-share
Password:
Domain=[SMBGROUP] OS=[Unix] Server=[Samba 3.0.25b-0.el5.4]
Server not using user level security and no password supplied.
smb: /> mkdir xxx
smb: /> ls
  .                                   D        0  Fri Oct 17 21:50:21 2008
  ..                                  D        0  Fri Oct 17 21:49:09 2008
  xxx                                 D        0  Fri Oct 17 21:50:21 2008

                50391 blocks of size 131072. 7294 blocks available
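As an added example (not code from the original post), a small POSIX shell helper that applies the samba_selinux(8) rules quoted above to the text that ls -dZ, getsebool and /var/log/messages produced, and prints the file_contexts.local entry needed to make the label survive a relabel. The function names and the sample values are constructed here; it needs no SELinux to run.

```shell
#!/bin/sh
# Diagnose why smbd cannot write a share directory, using only captured text.

# Third field of an SELinux context: root:object_r:root_t -> root_t
# (also works with a trailing MLS level such as :s0).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# "on" or "off" from a getsebool line such as "allow_smbd_anon_write --> off".
bool_state() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Target type named at the end of a setroubleshoot line: "... to xxx (root_t)."
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*(\([a-z_]*\))\.\{0,1\}$/\1/p'
}

# Whether smbd may write a directory of the given type, per samba_selinux(8):
# samba_share_t is writable, public_content_rw_t only with the boolean on,
# public_content_t is read-only, anything else (e.g. root_t) is denied.
smb_write_verdict() {
    case "$1" in
        samba_share_t)       echo writable ;;
        public_content_rw_t) [ "$2" = on ] && echo writable || echo read-only ;;
        public_content_t)    echo read-only ;;
        *)                   echo denied ;;
    esac
}

# file_contexts.local entry in the form shown in the man page excerpt;
# chcon alone is lost on the next relabel.
fc_local_entry() {
    printf '%s(/.*)? system_u:object_r:%s\n' "$1" "$2"
}

# Put the pieces together for one share directory.
diagnose() {
    path="$1"; t=$(context_type "$2"); b=$(bool_state "$3")
    v=$(smb_write_verdict "$t" "$b")
    echo "$path is $t, allow_smbd_anon_write=$b: smbd write access is $v"
    [ "$v" = writable ] || echo "fix: chcon -R -t samba_share_t $path and add" \
        "'$(fc_local_entry "$path" samba_share_t)' to file_contexts.local"
}

# Constructed sample taken from the session above (no SELinux needed).
diagnose /samba-share 'root:object_r:root_t' 'allow_smbd_anon_write --> off'
```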