Samba share mode and its relationship with SELinux

refer: http://andrew.sayya.org/blog/?p=193

 

Example: share the samba-share directory via Samba with both read and write access,

so that anonymous users can write to it as well as read from it.

 

Test environment: RHEL 5.1 Server

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
# vi /etc/samba/smb.conf
[global]
        workgroup = smbgroup
        netbios name = smbname
        server string = just samba server
        security = share
[samba-share]
        comment = samba-share test dir
        path = /samba-share
        read only = no
        public = yes
        browseable = yes
* If the Samba server shares the samba-share directory without requiring a password,
  SELinux by default denies clients access to it.
# mkdir /samba-share
# chown nobody.nobody /samba-share
# ls -Zd /samba-share/
drwxr-xr-x  nobody nobody root:object_r:root_t             /samba-share/
# service smb restart

* Log in to the Samba service and try a write test:
# smbclient //localhost/samba-share
Password:
Domain=[SMBGROUP] OS=[Unix] Server=[Samba 3.0.25b-0.el5.4]
Server not using user level security and no password supplied.
smb: /> ls
  .                                   D        0  Fri Oct 17 21:23:06 2008
  ..                                  D        0  Fri Oct 17 21:23:06 2008

                50391 blocks of size 131072. 7298 blocks available
smb: /> mkdir xxx
NT_STATUS_ACCESS_DENIED making remote directory /xxx
  • Strange: read only = no enables writing and the file permissions for nobody are correct,

so why does the write fail?

# tail -n 1 /var/log/messages
Oct 17 21:31:41 nis setroubleshoot:      SELinux is preventing samba (/usr/sbin/smbd) "create" to xxx (root_t).
     For complete SELinux messages. run sealert -l db986eee-e0a6-42a1-b8a3-bfd530d4d2b3

* So it is SELinux after all. Besides the fix suggested by sealert -l db986eee-e0a6-42a1-b8a3-bfd530d4d2b3,
  the man page also provides a reference.
# man samba_selinux
FILE_CONTEXTS

    SELinux  requires files to have an extended attribute to define the file type.  Policy governs the access daemons have to these files.
    If you want to share files other than home directories, those files must be labeled samba_share_t.  So if you created a special directory
    /var/eng, you would need to label the directory with the chcon tool.

    chcon -t samba_share_t /var/eng

    If you want to make this permanent, i.e. survive a relabel, you must add an entry to the file_contexts.local file.

    /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
        /var/eng(/.*)? system_u:object_r:samba_share_t
Approach 1:
# ls -dZ /samba-share/
drwxr-xr-x nobody nobody root:object_r:root_t /samba-share/

# chcon -R -t samba_share_t /samba-share/

# ls -dZ /samba-share/
drwxr-xr-x nobody nobody root:object_r:samba_share_t /samba-share/
* Log in to the Samba service and try a write test:
# smbclient //localhost/samba-share
Password:
Domain=[SMBGROUP] OS=[Unix] Server=[Samba 3.0.25b-0.el5.4]
Server not using user level security and no password supplied.
smb: /> mkdir xxx
smb: /> ls
  .                                   D        0  Fri Oct 17 21:35:22 2008
  ..                                  D        0  Fri Oct 17 21:49:09 2008
  xxx                                 D        0  Fri Oct 17 21:35:22 2008

                50391 blocks of size 131072. 7294 blocks available
========================================================
Approach 2:
# man samba_selinux
...
SHARING FILES
    If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and
    public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the
    public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:

    setsebool -P allow_smbd_anon_write=1
...
# ls -dZ /samba-share/
drwxr-xr-x  root root root:object_r:root_t             /samba-share/

# chcon -R -t public_content_rw_t /samba-share/

# ls -dZ /samba-share/
drwxr-xr-x  nobody nobody root:object_r:public_content_rw_t /samba-share/

Note: public_content_t (read) and public_content_rw_t (write) are file types that every domain
can access; the latter usually also needs the allow_xxx_anon_write boolean turned on,
otherwise only read access is granted.
  • SELinux leaves this boolean off by default, so the share can be read but not written.

# getsebool -a | grep allow_smbd_anon_write

allow_smbd_anon_write --> off

  • Once the boolean is turned on, writes succeed.

# setsebool -P allow_smbd_anon_write=1


* Log in to the Samba service and try a write test:
# smbclient //localhost/samba-share
Password:
Domain=[SMBGROUP] OS=[Unix] Server=[Samba 3.0.25b-0.el5.4]
Server not using user level security and no password supplied.
smb: /> mkdir xxx
smb: /> ls
  .                                   D        0  Fri Oct 17 21:50:21 2008
  ..                                  D        0  Fri Oct 17 21:49:09 2008
  xxx                                 D        0  Fri Oct 17 21:50:21 2008

                50391 blocks of size 131072. 7294 blocks available
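The two approaches above boil down to one rule: anonymous smbd may create files only when the directory is labelled samba_share_t, or public_content_rw_t with allow_smbd_anon_write on. The following checker is an added example (not part of the original post) that encodes that rule: it parses an `ls -dZ` line in the field layout shown above and a `getsebool allow_smbd_anon_write` line, and reports whether writes will be allowed and which fix from the post applies. The sample lines are constructed so it runs without SELinux tools.

```shell
#!/bin/sh
# Added example: classify whether anonymous (share-mode) smbd can create files
# in a share directory, using the labelling rules the post walks through.
# Assumes the RHEL 5 `ls -dZ` layout: perms user group context path.

# Print the TYPE field of a user:role:TYPE[:level] context from one `ls -dZ` line.
selinux_type_of() {
    set -- $1                 # split the ls line into its fields
    ctx=$4                    # 4th field is the security context
    t=${ctx#*:}; t=${t#*:}    # drop user and role
    printf '%s\n' "${t%%:*}"  # drop an optional MLS level
}

# $1: `ls -dZ <dir>` line; $2: `getsebool allow_smbd_anon_write` line.
# Prints "yes: ..." or "no: ..." with the reason and the fix the post applies.
smbd_anon_write() {
    ltype=$(selinux_type_of "$1")
    bool=${2##* }             # last word of the getsebool line: on/off
    case $ltype in
        samba_share_t)
            echo "yes: $ltype is the Samba-specific share label" ;;
        public_content_rw_t)
            if [ "$bool" = on ]; then
                echo "yes: $ltype with allow_smbd_anon_write=on"
            else
                echo "no: $ltype but the boolean is off; setsebool -P allow_smbd_anon_write=1"
            fi ;;
        public_content_t)
            echo "no: $ltype is read-only for every domain; relabel to public_content_rw_t" ;;
        *)
            echo "no: $ltype is not a share label; chcon -R -t samba_share_t <dir> (persist it in file_contexts.local)" ;;
    esac
}

# Constructed sample lines mirroring the three states seen in the post.
LS_ROOT='drwxr-xr-x nobody nobody root:object_r:root_t /samba-share/'
LS_SHARE='drwxr-xr-x nobody nobody root:object_r:samba_share_t /samba-share/'
LS_PUBRW='drwxr-xr-x nobody nobody root:object_r:public_content_rw_t /samba-share/'
BOOL_OFF='allow_smbd_anon_write --> off'
BOOL_ON='allow_smbd_anon_write --> on'

for ls_line in "$LS_ROOT" "$LS_SHARE" "$LS_PUBRW"; do
    smbd_anon_write "$ls_line" "$BOOL_OFF"
done
smbd_anon_write "$LS_PUBRW" "$BOOL_ON"
```

On a live host, feed it `ls -dZ /samba-share/` and `getsebool allow_smbd_anon_write` output instead of the constructed lines.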