1

I mounted my 5tb worth of /data to my new linux RHEL 7.7 server.

I have selinux as enforcing; I have /data samba shared out and it is mostly working. But when I go a few folders deep into /data/ I get access denied. If I do a chcon -t samba_share_t on that specific sub folder then samba works going into that subfolder. Go a little deeper, same problem.

How do I properly just make everything under my /data/ folder have samba_share_t and just work with samba?

so fed up with selinux

ron
  • 5,749
  • 7
  • 48
  • 84
  • Is `/data` only used by samba are there other processes/users on the server using the same files? – sebasth May 05 '20 at 13:31
  • What makes the policy apply samba_share_t to a tree ? Yes, it is probably a nice regexp ! – Stefan Skoglund May 05 '20 at 13:58
  • It you can deduce why something would have samba_share_t by default, then apply an equivalence between that and your current situation. – Stefan Skoglund May 05 '20 at 13:59
  • user's vnc or putty into the server, and create/process data under `/data`. Samba is used to share out `/data` so users from their windows pc can navigate into `/data` to insert or extract files as needed – ron May 05 '20 at 15:58

2 Answers2

2

If /data is only used by samba you can use context mount option to set file context to samba_share_t for all files on /data, eg. context="system_u:object_r:samba_share_t:s0" in fstab. Mount time context option overrides existing file labels, but does not modify disk contents. File labels can not be changed on context mounts, all files have the same label.

If mount option is not an option, the usual way to configure file context is with semanage fcontext. Use semanage fcontext -a -t samba_share_t '/data(/.*)?' to add the context to database and apply new file contexts (recursively) using restorecon -r /data.

If you have other users/servers accessing the data (in addition to samba), you have a couple options.

  • You can enable samba_export_all_ro or samba_export_all_rw boolean which enable very broad read-only or read-write access (assuming samba can read the files in first place, SELinux rules are applied after standard permission checks). Note that enabling either boolean makes the security policy much more permissive.

  • Use the mount option as described above and generate a custom policy allowing other processes access files with samba_share_t. Set the other process to run in permissive mode (requires process/service restart) to generate log entries. Then use audit2allow to generate the necessary policy. Insert the policy and set the other back in enforcing mode. If you get more AVC errors, you can repeat the process to append the custom policy.

    This can be applied also the other way (allowing samba to access files with different context, but then you likely have the same problem that files in /data have a wrong context).

  • Write a custom policy with that defines a new file context with desired access for other domains.

Community
  • 1
sebasth
  • 14,332
  • 4
  • 50
  • 68
  • so i'm still lost/confused. I was thinking the *best* solution was to just make everything under `/data/` have `samba_share_t` ? Because that's what I think i want? Pretty sure I do not want *samba_export_all_rw=1*. I'd prefer not to do the mount option in /etc/fstab. My `/data` is an XFS file system for what it's worth. – ron May 05 '20 at 16:01
  • The best option (if `/data` is only used by samba) is to label everything under `/data` with `samba_share_t`. Mount option will do just that, except it will not modify extended attributes where the label is usually shared. In my opinion modifying mount option would be possibly the simplest option. The other option is to add context using semanage and applying it with restorecon, like I explained in the [answer to your earlier question](https://unix.stackexchange.com/a/584302/239817). – sebasth May 05 '20 at 16:56
0

so here is what I did, I think my main problem was incorrectly typing syntax which is why I was having problems.

  • I have an 8 disk raid-5 volume via LSI raid card in a server; it had been formatted as XFS and mounted under SLES 11.4 for the last ~10 years.
  • replaced the one operating system disk and now running RHEL 7.8 with selinux enforcing.
  • I mount my XFS file system as /data under RHEL 7. the following syntax is imperative especially for semanage

-

 semanage fcontext -a -t samba_share_t "/data(/.*)?"

 restorecon -vR /data


# to samba share out home directories, if in your smb.conf

setsebool -P samba_enable_home_dirs on

Now one can possibly do chcon -t samba_share_t /data/folder1/folder2/folder3

but that quickly becomes a non solution when you have 10 years worth of data and millions of files/folders. It was a quick diagnostic when selinux=enforcing and access was denied to a particular sub folder; doing a chcon -t samba_share_t would then allow immediate access to said sub folder. The solution seemed to be the proper syntax when using semanage fcontext with the " followed by the restorecon -vR

The semanage took about 30 seconds to complete, and the restorecon about 2 minutes, on 5TB worth of data.

If curious:

/etc/fstab` is this in RHEL 7.8

/dev/disk/by-uuid/e16528d8-ec26-4441-828a-d399b46e4a21 /data auto nosuid,nodev,nofail 0 0

# ------------------------------------------------------------------------

/etc/samba/smb.conf

[global]
    workgroup = SAMBA
    security = user

    passdb backend = tdbsam

    printing = bsd
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes
#   cups options = raw

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S 
    browseable = No
    read only = No
    inherit acls = Yes

[data]
    comment = data
    inherit acls = Yes
    read only = No
    path = /data
    directory mask = 770
    create mask = 660

# ------------------------------------------------------------------------
/etc/selinux/config

# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.

SELINUX=enforcing
SELINUXTYPE=targeted
ron
  • 5,749
  • 7
  • 48
  • 84