Fix Samba SELinux context


I’m using a local Samba container service running with Podman 1.6.4 on a CentOS 8.2 server.

CentOS 8.2 host:

[moore@neuralux stackdata]$ cat /etc/redhat-release 
CentOS Linux release 8.2.2004 (Core) 

Running Kernel:

[moore@neuralux stackdata]$ uname -a
Linux neuralux.lan.moore.com 4.18.0-193.19.1.el8_2.x86_64 #1 SMP Sat Sep 12 14:37:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

It’s working well, but I was blocked by one file that was unwritable over Samba:

Unable to save /Volumes/git/stackdata/name.html
Error: Permission denied

I was using the Sublime text editor accessing this file shared over the network by Samba.

Sublime text error with Samba

Analysis

Let’s debug on the server. First, list the HTML files: rights, permissions, user and group are all fine:

[moore@neuralux stackdata]$ ls -la *.html
-rw-rw-r--. 1 moore moore  165 Sep  9 21:09 about.html
-rw-rw-r--. 1 moore moore  825 Oct  4 15:38 name.html
-rw-rw-r--. 1 moore moore  763 Sep  9 21:09 search.html

No unwritable attribute:

[moore@neuralux stackdata]$ lsattr *.html
-------------------- about.html
-------------------- name.html
-------------------- search.html

Let’s now check the SELinux contexts:

[moore@neuralux stackdata]$ ls -laZ *.html
-rw-rw-r--. 1 moore moore unconfined_u:object_r:samba_share_t:s0  165 Sep  9 21:09 about.html
-rw-rw-r--. 1 moore moore unconfined_u:object_r:user_tmp_t:s0     825 Oct  4 15:38 name.html
-rw-rw-r--. 1 moore moore unconfined_u:object_r:samba_share_t:s0  763 Sep  9 21:09 search.html

The problem is here: now I remember that I copied this file from the /tmp folder, where it had been given the default “user_tmp_t” security context, and the copy kept that label.

Double check that SELinux is actually enabled and enforcing on this system:

[moore@neuralux stackdata]$ getenforce
Enforcing

[moore@neuralux stackdata]$  grep SELINUX= /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=enforcing

Let’s fix the problem

We have to run “semanage fcontext -a -t samba_share_t” on our file to set its type to samba_share_t. The -a option adds a new record and the -t option defines the type (samba_share_t). This command does not directly change the file’s label; it only records the rule:

[moore@neuralux stackdata]$ sudo semanage fcontext -a -t samba_share_t  /opt/git/stackdata/name.html

The semanage fcontext command adds one entry to /etc/selinux/targeted/contexts/files/file_contexts.local:

[moore@neuralux stackdata]$ sudo cat /etc/selinux/targeted/contexts/files/file_contexts.local 
# This file is auto-generated by libsemanage
# Do not edit directly.
/opt/git/stackdata/name.html    system_u:object_r:samba_share_t:s0

Change the type with the restorecon command:

[moore@neuralux stackdata]$ restorecon -v name.html 
Relabeled /opt/git/stackdata/name.html from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:samba_share_t:s0

Check the new security context:

[moore@neuralux stackdata]$ ls -Zla *.html
-rw-rw-r--. 1 moore moore unconfined_u:object_r:samba_share_t:s0  165 Sep  9 21:09 about.html
-rw-rw-r--. 1 moore moore unconfined_u:object_r:samba_share_t:s0  825 Oct  4 15:51 name.html
-rw-rw-r--. 1 moore moore unconfined_u:object_r:samba_share_t:s0  763 Sep  9 21:09 search.html

Problem fixed: Samba is now allowed to write this file without error \o/
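To catch this kind of stray label before a user hits “Permission denied”, here is an added example (not part of the original post) that audits an “ls -laZ” listing of the share for files whose SELinux type is not samba_share_t and prints the same semanage + restorecon fix used above. The share path /opt/git/stackdata and the sample listing are assumptions taken from the post, not captured from a live host.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SELinux type of every
# file in a Samba share and print the persistent fix (semanage rule plus
# restorecon) for any file that does not carry samba_share_t. The audit reads
# "ls -laZ" output on stdin, so it can be tried offline on the constructed
# sample below and then fed the real listing on the server.

EXPECTED_TYPE=samba_share_t

# audit_labels: for each regular file in an "ls -laZ" listing (stdin), print
# "<file> <type>" when the type part of user:role:type:level is not the
# expected one. Exit status 1 when at least one mislabeled file was found.
audit_labels() {
    awk -v want="$EXPECTED_TYPE" '
        /^-/ {                        # regular files only (skip dirs, "total")
            split($5, ctx, ":")       # field 5 is the SELinux context
            if (ctx[3] != want) { print $NF, ctx[3]; bad = 1 }
        }
        END { if (bad) exit 1 }'
}

# fix_commands: turn audit output into the commands used in the post. Nothing
# is executed, only printed, so the result can be reviewed before running it.
# SHARE_DIR is an assumed server-side path for the share.
fix_commands() {
    SHARE_DIR=${1:-/opt/git/stackdata}
    while read -r file _type; do
        printf 'sudo semanage fcontext -a -t %s %s/%s\n' "$EXPECTED_TYPE" "$SHARE_DIR" "$file"
        printf 'sudo restorecon -v %s/%s\n' "$SHARE_DIR" "$file"
    done
}

# Constructed sample listing (mirrors the post; not captured from a live host).
SAMPLE_LISTING='-rw-rw-r--. 1 moore moore unconfined_u:object_r:samba_share_t:s0  165 Sep  9 21:09 about.html
-rw-rw-r--. 1 moore moore unconfined_u:object_r:user_tmp_t:s0     825 Oct  4 15:38 name.html
-rw-rw-r--. 1 moore moore unconfined_u:object_r:samba_share_t:s0  763 Sep  9 21:09 search.html'

# sample_mislabeled: run the audit over the constructed sample.
sample_mislabeled() { printf '%s\n' "$SAMPLE_LISTING" | audit_labels; }

# Stand-alone run: show which file is mislabeled and how to fix it.
if [ "${1:-}" = "--demo" ]; then
    sample_mislabeled | fix_commands
fi
```

On the server the same pipeline is `ls -laZ /opt/git/stackdata | audit_labels | fix_commands`. To cover the whole share (including files added later) with one persistent rule instead of one per file, use `sudo semanage fcontext -a -t samba_share_t "/opt/git/stackdata(/.*)?"` followed by `sudo restorecon -Rv /opt/git/stackdata`.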

