Reference: http://andrew.sayya.org/blog/?p=193

Example: export the directory samba-share with Samba as a share that can be read and written, so that anonymous (guest) users can write to it as well as read from it.
A guest-writable share is writable by anyone who can reach the server, so keep it on a trusted network or restrict it with hosts allow; this walkthrough only covers getting SELinux to permit the writes.

Test environment: RHEL 5.1 Server
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
# vi /etc/samba/smb.conf

[global]
        workgroup = smbgroup
        netbios name = smbname
        server string = just samba server
        security = share

[samba-share]
        comment = samba-share test dir
        path = /samba-share
        read only = no
        public = yes
        browseable = yes

* When the Samba server exports samba-share as a guest share (no password required) like this, the default SELinux targeted policy still denies smbd write access to the directory; read only = no alone is not enough, as the write test below shows.
# mkdir /samba-share
# chown nobody.nobody /samba-share
# ls -Zd /samba-share/
drwxr-xr-x nobody nobody root:object_r:root_t /samba-share/
# service smb restart

* Connect to the share and try a write:

# smbclient //localhost/samba-share
Password:
Domain=[SMBGROUP] OS=[Unix] Server=[Samba 3.0.25b-0.el5.4]
Server not using user level security and no password supplied.
smb: /> ls
  .                                   D        0  Fri Oct 17 21:23:06 2008
  ..                                  D        0  Fri Oct 17 21:23:06 2008

                50391 blocks of size 131072. 7298 blocks available
smb: /> mkdir xxx
NT_STATUS_ACCESS_DENIED making remote directory /xxx

Odd: read only = no allows writes and the Unix permissions (the directory is owned by nobody) are correct, so why can the client not write?

# tail -n 1 /var/log/messages
Oct 17 21:31:41 nis setroubleshoot: SELinux is preventing samba (/usr/sbin/smbd) "create" to xxx (root_t).
For complete SELinux messages. run sealert -l db986eee-e0a6-42a1-b8a3-bfd530d4d2b3

* So the cause is SELinux: /samba-share was created directly under / and inherited the root_t type, which the smbd domain is not allowed to write to. Besides the fix suggested by
sealert -l db986eee-e0a6-42a1-b8a3-bfd530d4d2b3, the samba_selinux(8) man page also documents the options:

FILE_CONTEXTS

SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files.

If you want to share files other than home directories, those files must be labeled samba_share_t. So if you created a special directory /var/eng, you would need to label the directory with the chcon tool.

chcon -t samba_share_t /var/eng

If you want to make this permanent, i.e. survive a relabel, you must add an entry to the file_contexts.local file.

/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local

/var/eng(/.*)? system_u:object_r:samba_share_t
Method 1: label the directory samba_share_t

# ls -dZ /samba-share/
drwxr-xr-x nobody nobody root:object_r:root_t /samba-share/

# chcon -R -t samba_share_t /samba-share/

# ls -dZ /samba-share/
drwxr-xr-x nobody nobody root:object_r:samba_share_t /samba-share/

(As the man page says, a chcon label does not survive a relabel; add the file_contexts.local entry shown above to make it stick.)

...
SHARING FILES

If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:

setsebool -P allow_smbd_anon_write=1

...
Method 2: label the directory public_content_rw_t and enable the boolean

# ls -dZ /samba-share/
drwxr-xr-x root root root:object_r:root_t /samba-share/

# chcon -R -t public_content_rw_t /samba-share/

# ls -dZ /samba-share/
drwxr-xr-x nobody nobody root:object_r:public_content_rw_t /samba-share/

Note: public_content_t (read) and public_content_rw_t (read/write) are file types that all of the domains listed above may access. For the latter, the domain's allow_xxx_anon_write boolean usually has to be turned on as well; otherwise the domain only gets read access.
SELinux leaves this boolean off by default, so at this point the share can be read but not written:

# getsebool -a | grep allow_smbd_anon_write
allow_smbd_anon_write --> off

Turn the boolean on (-P makes the setting persist across reboots) and writes succeed. (Newer targeted policies name this boolean smbd_anon_write instead of allow_smbd_anon_write; getsebool -a | grep anon_write shows whichever name the installed policy uses.)

# setsebool -P allow_smbd_anon_write=1

* Connect to the share again and retry the write:

# smbclient //localhost/samba-share
Password:
Domain=[SMBGROUP] OS=[Unix] Server=[Samba 3.0.25b-0.el5.4]
Server not using user level security and no password supplied.
smb: /> mkdir xxx
smb: /> ls
  .                                   D        0  Fri Oct 17 21:50:21 2008
  ..                                  D        0  Fri Oct 17 21:49:09 2008
  xxx                                 D        0  Fri Oct 17 21:50:21 2008

                50391 blocks of size 131072. 7294 blocks available
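Pulling the two methods together: the shell helper below is an added example written for this page, not code from the original blog post. It does by script what the post does by hand: it reads a share directory's SELinux type from ls -dZ, reads the allow_smbd_anon_write boolean from getsebool, says whether smbd will be able to read, write, or nothing, and prints the chcon / setsebool command and the file_contexts.local entry that fixes the state it found. It assumes the RHEL 5 targeted-policy names used above (samba_share_t, public_content_t, public_content_rw_t, allow_smbd_anon_write), deliberately does not model any other Samba booleans, and accepts ls -dZ output either in the RHEL 5 long form shown on this page or in the newer short "context path" form; the sample lines used to exercise it are constructed from the outputs above.

```shell
#!/bin/sh
# Added example, not from the original post. Audit a Samba share directory's
# SELinux labelling and decide whether smbd may write to it.
# Assumptions: RHEL 5 targeted-policy type and boolean names as used above;
# other Samba-related booleans are deliberately not modelled.

# Third colon-separated field of a "user:role:type[:level]" context string.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type of a directory from one line of `ls -dZ` output. Handles the RHEL 5
# long form ("drwxr-xr-x nobody nobody root:object_r:root_t /samba-share/")
# and the newer short form ("system_u:object_r:samba_share_t:s0 /samba-share")
# by picking the first field that looks like a context.
type_from_ls_z() {
    for field in $1; do
        case $field in
            *:*:*) selinux_type "$field"; return 0 ;;
        esac
    done
    return 1
}

# Access smbd gets to a directory of type $1 when allow_smbd_anon_write is $2
# ("on" or "off"): prints write, read or deny.
smbd_access() {
    case $1 in
        samba_share_t)       echo write ;;
        public_content_rw_t) if [ "$2" = on ]; then echo write; else echo read; fi ;;
        public_content_t)    echo read ;;
        *)                   echo deny ;;
    esac
}

# file_contexts.local line that makes the label survive a relabel
# (same shape as the man page's /var/eng example above).
fcontext_entry() {
    dir=${1%/}
    printf '%s(/.*)?\tsystem_u:object_r:%s\n' "$dir" "$2"
}

# Remediation for the state found, using the commands from the post.
suggest_fix() {
    case $(smbd_access "$1" "$2") in
        write) echo "ok: smbd can write to $3" ;;
        read)  echo "setsebool -P allow_smbd_anon_write=1" ;;
        deny)  echo "chcon -R -t samba_share_t $3"
               echo "# and, to survive a relabel, append to file_contexts.local:"
               fcontext_entry "$3" samba_share_t ;;
    esac
}

# Live check on a SELinux host: needs ls -Z and getsebool.
audit_share() {
    dir=$1
    line=$(ls -dZ "$dir") || return 1
    type_=$(type_from_ls_z "$line") || return 1
    anon_write=$(getsebool allow_smbd_anon_write 2>/dev/null | awk '{print $3}')
    echo "$dir: type=$type_ allow_smbd_anon_write=${anon_write:-unknown} -> $(smbd_access "$type_" "${anon_write:-off}")"
    suggest_fix "$type_" "${anon_write:-off}" "$dir"
}

# Usage: sh selinux-share-check.sh /samba-share
if [ $# -gt 0 ]; then
    audit_share "$1"
fi
```

Run it against /samba-share before restarting smb: on the root_t directory from the start of the post it prints the chcon command and the file_contexts.local entry; on a public_content_rw_t directory with the boolean still off it prints only the setsebool command.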