On Thu, 2006-04-06 at 07:48 +0100, Paul Howarth wrote:
> On Wed, 2006-04-05 at 13:26 -0700, Dan Thurman wrote:
> > On Wed, 2006-04-05 at 12:59 -0700, Bob Kashani wrote:
> > > On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote:
> > > > Folks,
> > > >
> > > > What is the procedure for creating Samba shares and
> > > > getting around the SELinux issues?
> > > >
> > > > Samba by default no longer works with shares such
> > > > as [homes] and any other added shares without administrator
> > > > intervention to add SELinux labels on share directories.
> > > >
> > > > Please direct me to the FAQ for Samba & SELinux or
> > > > please tell me what I have to do to get samba shares
> > > > working.
> > > >
> > > > In my case - I am getting permission denied in the audit
> > > > logs and in the message logs for nmbd, I am getting
> > > > directories do not exist errors (when they actually
> > > > do!).
> > >
> > > /usr/sbin/setsebool -P samba_enable_home_dirs=1
> > > /usr/sbin/setsebool -P smbd_disable_trans=1
> > >
> > > That's what I had to do to get samba working with home shares on FC5.
> > >
> > > Bob
> > >
> >
> > Thanks for the response! Yes, I did that for [home] but
> > the problem is what to do with: /var/www
> >
> > There are many different contexts for this directory and all
> > the files under it and I was not sure how to make this directory
> > a samba share without blowing away the original context in fear
> > of breaking it all to bits.
> >
> > I want to keep all the original context AND add samba share context
> > OR the public_share_rw_t as Stephen Smalley recommended but I was
> > not sure how to do that. This is the question I asked of Mr Smalley
> > and I am waiting to hear of his response.
>
> You can't have multiple contexts for a file, so it's not possible AFAIK
> to have both the original context *and* public_content_rw_t.
>
> If your web server is only serving static data (nothing that requires
> write access to /var/www for the web server itself), you could
> relabel /var/www/* as public_content_t. If you have internal scripting
> like PHP that needs write access, you could use public_content_rw_t.
>
> However, if you're using cgi scripts that currently need
> httpd_script_exec_t, you'd need to generate a local policy module that
> allowed samba to read/write the httpd_* types.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Ugh... I am too stupid to figure this out. Can someone give me
some examples, step-by-step how I can do it?

Steps perform IN ORDER listed:

1) relabel /var/www
   a) chcon -R -t public_content_t /var/www
   b) chcon -R -t public_content_rw_t /var/www/html/php
      (hypothetical PHP area)

2) Local policy rules
   a) ???? I have no clue how to do this step!

Thanks!
Dan
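
For the local policy module step discussed in the thread above, one way to generate and load such a module, as an added example that is not part of the original messages. The module name `localsamba`, the helper names, the types `httpd_sys_content_t` and `httpd_sys_script_exec_t` and the permission sets are assumptions; check the labels actually present with `ls -Z /var/www`. Script types are granted read-only here so that SMB users cannot modify code the web server executes.

```shell
#!/bin/sh
# Added example, not from the thread. Module name, helper names, type names
# and permission sets are assumptions; tune them against your audit log.

# gen_te MODULE MODE:TYPE...  prints a .te source letting smbd_t access each
# TYPE. MODE is "ro" (read only) or "rw" (read/write). Newer policies also
# require the "open" permission on both classes.
gen_te() {
    mod=$1; shift
    for spec in "$@"; do            # validate before emitting anything
        case ${spec%%:*} in
            ro|rw) ;;
            *) echo "bad mode in '$spec' (use ro: or rw:)" >&2; return 1 ;;
        esac
    done
    ro_d='getattr search read lock ioctl'
    ro_f='getattr read lock ioctl'
    rw_d="$ro_d write add_name remove_name"
    rw_f="$ro_f write append create unlink rename setattr"
    printf 'module %s 1.0;\n\nrequire {\n\ttype smbd_t;\n' "$mod"
    for spec in "$@"; do printf '\ttype %s;\n' "${spec#*:}"; done
    printf '\tclass dir { %s };\n\tclass file { %s };\n}\n\n' "$rw_d" "$rw_f"
    for spec in "$@"; do
        t=${spec#*:}
        if [ "${spec%%:*}" = rw ]; then d=$rw_d; f=$rw_f; else d=$ro_d; f=$ro_f; fi
        printf 'allow smbd_t %s:dir { %s };\n' "$t" "$d"
        printf 'allow smbd_t %s:file { %s };\n' "$t" "$f"
    done
}

# build_install MODULE  compiles MODULE.te and loads it (run as root; needs
# checkmodule, semodule_package and semodule from the policy tools).
build_install() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Only touches the system when invoked as: sh localsamba.sh install
if [ "${1:-}" = "install" ]; then
    gen_te localsamba rw:httpd_sys_content_t ro:httpd_sys_script_exec_t \
        > localsamba.te
    build_install localsamba
fi
```

With a module like this loaded, /var/www keeps its existing httpd labels and no relabel to public_content_t is needed; `semodule -r localsamba` removes it again.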