User login |
samba_selinux (8)
samba_selinux(8) Samba Selinux Policy documentation samba_selinux(8)
NAME
samba_selinux - Securing Samba with SELinux
DESCRIPTION
Security-Enhanced Linux secures the Samba server via flexible mandatory
access control. SELinux Samba policy defaults to least privilege
access. Several Booleans and file contexts are available to customize
the way Samba SELinux works.
SHARING FILES
SELinux requires files be labeled with an extended attribute to define
the file type. Policy governs the access daemons have to these files.
When sharing files with Samba you have many options on how to label the
files. If you want to share files/directories other than home directo-
ries or standard directory. You should label these files/directories
as samba_share_t. For example if you created the directory /var/eng,
you can label the directory and its contents with the chcon tool.
# chcon -R -t samba_share_t /var/eng
This label will not survive a relabel. A better solution to make the
change permanent, you must tell the SELinux system about the label cus-
tomization. The semanage command can customize the default file con-
texts on your machine. restorecon will read the file_context and apply
it to the files and directories..
# semange fcontext -a -t samba_share_t '/var/eng(/.*)?'
# restorecon -R -v /var/eng
SHARING HOME DIRECTORIES
By default SELinux policy turns off SELinux sharing of home directories
If you are setting up this machine as a Samba server and wish to share
the home directories, you need to set the samba_enable_home_dirs
boolean.
# setsebool -P samba_enable_home_dirs 1
SHARING PUBLIC FILES
If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and public_con-
tent_rw_t. These context allow any of the above domains to read the
content. If you want a particular domain to write to the public_con-
tent_rw_t domain, you must set the appropriate boolean.
allow_DOMAIN_anon_write. So for samba you would execute:
# semange fcontext -a -t public_content_rw_t '/var/eng(/.*)?'
# restorecon -R -v /var/eng
# setsebool -P allow_smbd_anon_write 1
SHARING FILES SYSTEM FILES
Note: You should not do the above for standard directories or home
directories! For example directories owned by an RPM. If you wanted
to share /usr via Samba, changing its context and all of the sub direc-
tories to samba_share_t would be a bad idea. Other confined domains
would no longer be able to read /usr and this would cause havoc on the
machine. There are two booleans that you can set to allow the sharing
of standard directories. If you want to share any standard directory
read/only you can set the boolean samba_export_all_ro.
# setsebool -P samba_export_all_ro 1
This boolean will allow Samba to read every file on the system.Simi-
larly if you want to share all files and directories via Samba, you set
the samba_export_all_rw
# setsebool -P samba_export_all_rw 1
This boolean would allow Samba to read and write every file on your
system. So a compromised Samba server would be very dangerous.
SHARING PUBLIC NFS FILES
SELinux prevents the Samba daemons from reading/writing nfs shares by
default. If you are using samba to share NFS file systems you need to
turn on the samba_share_nfs boolean
# setsebool -P samba_share_nfs 1
USING CIFS/SAMBA HOME DIRECTORIES
Samba SELinux policy will not allow any confined applications to access
remote samba shares mounted on your machine. If you want to use a
remote Samba server for the home directories on this machine, you must
set the use_samba_home_dirs boolean.
# setsebool -P use_samba_home_dirs 1
SAMBA Scripts
Samba can be setup to run user defined scripts, by default if you
install these scripts /var/lib/samba/scripts they will be labeled
samba_unconfined_script_exec_t. Since these scripts can do just about
anything on the system you can run them as unconfined. But you need to
turn on the samba_run_unconfined boolean
# setsebool -P samba_run_unconfined 1
If you are willing to write policy an interface exists in samba.if
called samba_helper_template(APP). This interface will create a file
context of samba_APP_script_exec_t, and a domain of samba_APP_script_t.
Samba will transition scripts labeled samba_app_script_exec_t to
samba_APP_script_t, you can then user audit2allow to write policy to
confine your script.
USING SAMBA AS A DOMAIN CONTROLLER
If you want to run samba as a domain controller, IE Add machines to the
passwd file on a Linux box, you need to turn on the samba_domain_con-
troller boolean. This allows the Samba daemon to run and transition to
the passwd, useradd, and groupadd utilities. These tools can manipu-
late the passwd database.
GUI system-config-selinux
system-config-selinux is a GUI tool available to customize all of the
SELinux booleans and file context described above.
AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
SEE ALSO
selinux(8), semanage(8), samba(7), chcon(1), setsebool(8), restore-
con(8),
<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a> 9 Nov 2007 samba_selinux(8)
|