samba的share模式與SELinux的關係

refer: http://andrew.sayya.org/blog/?p=193

 

範例：使用samba分享出samba-share項目,並且該項目可以讀可以寫…等，

讓匿名登入的使用者除了可以讀之外也可以進行寫的動作。

 

測試環境：RHEL 5.1 Server

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

# vi /etc/samba/smb.conf

1. [global]
2.         workgroup = smbgroup
3.         netbios name = smbname
4.         server string = just samba server
5.         security = share
6. [samba-share]
7.         comment = samba-share test dir
8.         path = /samba-share
9.         read only = no
10.         public = yes
11.         browseable = yes

*如果samba server共享(不需要密碼)samba-share項目時,
  client要存取該項目時,SELinux預設無法存取。

# mkdir /samba-share

# chown nobody.nobody /samba-share

# ls -Zd /samba-share/

drwxr-xr-x  nobody nobody root:object_r:root_t             /samba-share/

# service smb restart

*登入samba服務並嘗試做寫入測試：
# smbclient //localhost/samba-share
Password:
Domain=[SMBGROUP] OS=[Unix] Server=[Samba 3.0.25b-0.el5.4]
Server not using user level security and no password supplied.
smb: /> ls
  .                                   D        0  Fri Oct 17 21:23:06 2008
  ..                                  D        0  Fri Oct 17 21:23:06 2008

                50391 blocks of size 131072. 7298 blocks available
smb: /> mkdir xxx
NT_STATUS_ACCESS_DENIED making remote directory /xxx

• 奇怪為何read only = no有開啟寫入的動作，nobody的檔案權限也正確，

為何不能寫入？

1. # tail -n 1 /var/log/messages
2. Oct 17 21:31:41 nis setroubleshoot:      SELinux is preventing samba (/usr/sbin/smbd) "create" to xxx (root_t).
3.      For complete SELinux messages. run sealert -l db986eee-e0a6-42a1-b8a3-bfd530d4d2b3
4.  
5. *原來是SELinux的問題，除了sealert -l db986eee-e0a6-42a1-b8a3-bfd530d4d2b3
6. 提供的解決方法外，man page也有提供參考資料。

# man samba_selinux

1. FILE_CONTEXTS
2.  
3.     SELinux  requires files to have an extended attribute to define the file type.  Policy governs the access daemons have to these files.
4.     If you want to share files other than home directories, those files must be labeled samba_share_t.  So if you created a special direc-
5.     tory /var/eng, you would need to label the directory with the chcon tool.
6.  
7.     chcon -t samba_share_t /var/eng
8.  
9.     If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
10.  
11.     /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
12.         /var/eng(/.*)? system_u:object_r:samba_share_t

處理方式1：

1. # ls -dZ /samba-share/
2. drwxr-xr-x nobody nobody root:object_r:root_t /samba-share/
3.  
4. # chcon -R -t samba_share_t /samba-share/
5.  
6. # ls -dZ /samba-share/
7. drwxr-xr-x nobody nobody root:object_r:samba_share_t /samba-share/

*登入samba服務並嘗試做寫入測試： # smbclient //localhost/samba-share Password: Domain=[SMBGROUP] OS=[Unix] Server=[Samba 3.0.25b-0.el5.4] Server not using user level security and no password supplied. smb: /> mkdir xxx smb: /> ls . D 0 Fri Oct 17 21:35:22 2008 .. D 0 Fri Oct 17 21:49:09 2008 xxx D 0 Fri Oct 17 21:35:22 2008 50391 blocks of size 131072. 7294 blocks available ======================================================== 處理方式2： # man samba_selinux

1. ...
2. SHARING FILES
3.     If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and pub-
4.     lic_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the
5.     public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:
6.  
7.     setsebool -P allow_smbd_anon_write=1
8. ...

1. # ls -dZ /samba-share/
2. drwxr-xr-x  root root root:object_r:root_t             /samba-share/
3.  
4. # chcon -R -t public_content_rw_t /samba-share/
5.  
6. # ls -dZ /samba-share/
7. drwxr-xr-x  nobody nobody root:object_r:public_content_rw_t /samba-share/
8.  
9. 註：public_content_t(讀)與public_content_rw_t(寫)是所有domain
10. 共同可以存取的檔案type，後者通常需要打開allow_xxx_anon_write項目
11. 的布林值，否則只具備讀的權限而已。

• SELinux預設不開啟這個布林值，所以只能讀取不能寫入。

# getsebool -a | grep allow_smbd_anon_write

allow_smbd_anon_write --> off

• 開啟這個布林值之後就可以做寫入的動作。

# setsebool -P allow_smbd_anon_write=1

*登入samba服務並嘗試做寫入測試：
# smbclient //localhost/samba-share
Password:
Domain=[SMBGROUP] OS=[Unix] Server=[Samba 3.0.25b-0.el5.4]
Server not using user level security and no password supplied.
smb: /> mkdir xxx
smb: /> ls
  .                                   D        0  Fri Oct 17 21:50:21 2008
  ..                                  D        0  Fri Oct 17 21:49:09 2008
  xxx                                 D        0  Fri Oct 17 21:50:21 2008

                50391 blocks of size 131072. 7294 blocks available