2

Can I get clarification on how to properly set up samba folder shares on a RHEL/CENTOS 7 linux server having selinux enforcing.

SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files. If you want to share files other than home directories, those files must be labeled samba_share_t. So if you created a special directory /var/eng, you would need to label the directory with the chcon tool.

To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration

chcon -t samba_share_t /data


semanage fcontext -a -t samba_share_t /data

     or

semanage fcontext -a -t samba_share_t /data*
  1. Do I always need to do the chcon -t samba_share_t /folder to make it work, or can I get away with just doing the semanage ?
  2. Do I need to chcon -t samba_share_t just the folder that is to be listed in /etc/samba/smb.conf or do I need to label every sub folder and file under the samba shared folder?
  3. Likewise with the semanage fcontext -a -t samba_share_t, do I only apply this to just the single folder specified as the share in /etc/samba/smb.conf, or does it require it be applied to every file and sub folder under the samba shared folder and if so how is that done?
Community
  • 1
ron
  • 5,749
  • 7
  • 48
  • 84

1 Answers1

3

semanage fcontext modifies file context database. The database is queried when file system is relabeled and when restoring file context with restorecon. Adding an entry, does not apply the new context. Changes made with chcon are applied directly, but aren't added to file context database and don't survive restorecon or file system relabeling.

When you add new path to file context database with semanage fcontext, the easiest way to apply the new context is with restorecon. You possibly want to use pattern such as /data(/.*)? to also include files and sub-directories with the same rule. restorecon can then be used with recursive option to relabel existing files.

New files by default inherit the file context of parent folder, unless there are specific rules in the policy to create new files with custom context.

If /data is a separate partition, you can set the file context also using context mount. File contexts can't be modified if they are set using mount option and only one file context is possible, but no file system modifications (restorecon/relabeling) are required and allows setting file context to file systems which do not support extended attributes.

For more details and examples you can check RHEL documentation.

sebasth
  • 14,332
  • 4
  • 50
  • 68
  • thanks. so if I samba share out `/data` and then what should I specifically do to ensure surviving file system relabel and no *var/log/messages* or *audit.log* errors and warnings? I just want samba to work with zero hassle and no error/warnings with selinux enforcing. My *data* folder is a mounted 8 disk raid-5 array with 5tb of stuff. – ron May 04 '20 at 00:46
  • my `/data` is a raid-5 volume that was mounted under SLES 11.4. I updated my server to RHEL 7.8 and remounted `/data` and samba shared that back out, for the most part successfully *with selinux as permissive* but seeing lots of warnings. – ron May 04 '20 at 00:47
  • If i do something like `/data(/.*)?` does that add any entry in whatever *context database* for **everything** under `/data` ? My data is 10+ years with millions of files. So I'm scared and unsure and don't want to muck things up. – ron May 04 '20 at 00:52
  • If `/data` is a separate partition, you could mount it with [context mount](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-mounting_file_systems#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts) to set the file context at mount time for all files. This would avoid modifications on the filesystem. – sebasth May 04 '20 at 10:14